Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Downloader.TBZ, DNSQuery.B, Agent.IKJ & many other adware, spyware

Started by Mike McD , May 05 2008 10:04 AM

This topic is locked

#1
Mike McD

Posted 05 May 2008 - 10:04 AM

New Member

Member
6 posts

Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:10 AM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BM305b20e4] Rundll32.exe "C:\WINDOWS\system32\cyqaerok.dll",s
O4 - HKLM\..\Run: [33681378] rundll32.exe "C:\WINDOWS\system32\mwqeglgb.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176701778251
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 2917 bytes

PandaScan - Active Scan

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-04-30 00:50:21
PROTECTIONS: 0
MALWARE: 88
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00035328 Application/KillApp.A HackTools No 0 Yes No C:\HP\bin\Terminator.exe
00099295 Application/KillApp.C HackTools No 0 Yes No C:\HP\bin\KillWind.exe
00099297 HackTool/ProcLog.A HackTools No 0 Yes No C:\HP\bin\ProcessLogger.exe
00099301 Trj/Reboot.F Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101434.EXE
00101555 Application/KillApp.B HackTools No 0 Yes No C:\HP\bin\KillIt.exe
00132734 adware/24-7-search Adware No 0 Yes No c:\windows\system32\unppc.exe
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@atdmt[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@fastclick[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@mediaplex[1].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized [email protected][1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@com[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@azjmp[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@adrevolver[3].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized [email protected][1].txt
00171633 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@cgi-bin[3].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Application Data\Mozilla\Firefox\Profiles\ok4k9jds.Default User\COOKIES.TXT[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Application Data\Mozilla\Firefox\Profiles\ok4k9jds.Default User\COOKIES.TXT[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@questionmarket[1].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@bravenet[1].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@bravenet[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@adultfriendfinder[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@go[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@target[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@target[2].txt
00219235 Adware/CommAd Adware No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101494.DLL
00219238 Adware/CommAd Adware No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101495.EXE
00250251 Adware/ISearch Adware No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101491.EXE
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@atwola[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@atwola[1].txt
00262492 Adware/CommAd Adware No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101492.VBS
00293079 Spyware/7r7t Spyware No 1 Yes No C:\Documents and Settings\HP Authorized Custom\Local Settings\Temp\SNAPSNET.EXE
00332832 Adware/DollarRevenue Adware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1293\A0100327.DLL
00514952 Adware/TTC Adware No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101496.EXE
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@advancedcleaner[2].txt
02893538 Adware/PurityScan Adware No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101490.EXE
02904061 Adware/BraveSentry Adware No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101499.DLL
02907634 Adware/PurityScan Adware No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101498.EXE
02908334 Trj/Downloader.TBZ Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1292\A0100311.EXE
02908334 Trj/Downloader.TBZ Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1293\A0100331.EXE
02908334 Trj/Downloader.TBZ Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1290\A0100263.EXE
02908708 Trj/DNSQuery.B Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101493.EXE
02909088 Trj/Agent.IKJ Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1300\A0101579.EXE
02909454 Adware/Insider Adware No 0 Yes No C:\Program Files\JavaCore\JavaCore.exe
02910327 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1294\A0100363.DLL
02910536 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\QLEGQOXU.DLL
02910538 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1303\A0101632.DLL
02910541 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1304\A0101646.DLL
02910544 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1299\A0101571.DLL
02910544 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0100440.DLL
02910544 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\FICDKNCF.DLL
02910544 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1296\A0100410.DLL
02910544 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\HP Authorized Custom\Local Settings\Temp\BKLOVQOF.DLL
02910546 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\BEGWYWMJ.DLL
02910547 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\GYFQXRJN.DLL
02910549 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\GXOMVNQR.DLL
02910553 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\SDPKTMKK.DLL
02910554 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1294\A0100361.DLL
02910556 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\IMFAWVFD.DLL
02910556 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\JJLIMCWJ.DLL
02910556 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1296\A0100409.DLL
02910556 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0100439.DLL
02911849 Adware/PurityScan Adware No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1306\A0101671.DLL
02912126 Trj/Downloader.TGP Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1295\A0100383.EXE
02912170 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\JUJWGFFK.DLL
02912789 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\QOMKKLI.DLL
02912789 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\TUVUUST.DLL
02912883 Trj/Downloader.THP Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1293\A0100332.EXE
02912883 Trj/Downloader.THP Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1292\A0100313.EXE
02912883 Trj/Downloader.THP Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1292\A0100312.EXE
02913446 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1296\A0100406.DLL
02913446 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0100436.DLL
02913446 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1294\A0100359.DLL
02913446 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\BYXVS.DLL
02913446 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1295\A0100381.DLL
02913448 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1309\A0101695.DLL
02913451 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\HP Authorized Custom\Local Settings\Temporary Internet Files\Content.IE5\SXMRG167\hctp[1]
02913451 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1308\A0101684.DLL
02913453 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\NKMOGHCH.DLL
02913453 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\HP Authorized Custom\Local Settings\Temporary Internet Files\Content.IE5\MF0B890H\ptch[1]
02913545 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1310\A0102720.DLL
02913729 Adware/Insider Adware No 0 Yes No C:\Program Files\Temporary\InsiDERInst.exe
02914393 Spyware/Vundo Spyware No 0 Yes No C:\WINDOWS\SYSTEM32\BJIVYHSL.DLL
02914400 Spyware/Vundo Spyware No 0 Yes No C:\WINDOWS\SYSTEM32\WUGQIQJA.DLL
02914400 Spyware/Vundo Spyware No 0 Yes No C:\WINDOWS\SYSTEM32\VNTATJLF.DLL
02914400 Spyware/Vundo Spyware No 0 Yes No C:\WINDOWS\SYSTEM32\AWDKWMKU.DLL
02914400 Spyware/Vundo Spyware No 0 Yes No C:\WINDOWS\SYSTEM32\ATRTEGGM.DLL
02914400 Spyware/Vundo Spyware No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Local Settings\Temporary Internet Files\Content.IE5\8123O1QV\zrt20080408[1]
02914400 Spyware/Vundo Spyware No 0 Yes No C:\WINDOWS\SYSTEM32\UXSPRKFF.DLL
02914481 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1306\A0101664.DLL
02914483 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\MKTFVQXP.DLL
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1292\A0100301.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\RABCO\RABCOse.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1291\A0100274.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1295\A0100389.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\RABCO\X_RABCOse.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1299\A0101562.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101516.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101507.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1296\A0100422.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1291\A0100281.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1295\A0100395.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1291\A0100294.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101422.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1297\A0101480.EXE
02916777 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\CPV\CPV7.DLL
02918988 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1312\A0102769.DLL
02918991 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1312\A0102752.DLL
02918993 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1308\A0101683.DLL
02919033 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\HLUCROPV.DLL
02919370 Application/ErrorSafe HackTools No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Local Settings\Temp\WINVSNET.EXE
02927495 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\UQBSVCLK.DLL
02927692 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\WWSCARVU.DLL
02929194 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\SNDIRPMK.DLL
02929194 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\XEJEGCKQ.DLL
02929194 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\LVPDKKGO.DLL
02929267 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1316\A0102852.DLL
02929267 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1315\A0102843.DLL
02929570 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\FHVJJTSG.DLL
02929571 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\BFSYVTOU.DLL
02929571 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\PLDOHXDG.DLL
02929573 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\YWVWWFHT.DLL
02930202 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\MQQUNCER.DLL
02930830 Adware/Maxifiles Adware No 1 Yes No C:\Program Files\JavaCore\UnInstall.exe
02931466 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\HP Authorized Custom\Local Settings\Temp\uninstall.exe
02931466 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1294\A0100367.EXE
02932471 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\HP Authorized Custom\Local Settings\Temporary Internet Files\Content.IE5\8123O1QV\kriv[1]
02932471 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1317\A0102862.DLL
02932471 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1316\A0102853.DLL
02935905 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1318\A0103879.DLL
02935948 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1319\A0103888.DLL
02935949 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\TWDNAGFR.DLL
02935950 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\LXEJUFSH.DLL
02935950 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\QFHIQLSA.DLL
02935950 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\HP Authorized Custom\Local Settings\Temporary Internet Files\Content.IE5\SXMRG167\glas[1]
02935951 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\VMYMFQBV.DLL
02936327 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\TOVBGLFQ.DLL
02936549 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A1F9B9BE-04F2-4A3B-8924-E8E15A4ED6BD}\RP1321\A0103926.DLL

ClamWin Report

Scan Started Tue Apr 29 12:58:37 2008

-------------------------------------------------------------------------------

*** Scanning Programs in Computer Memory ***

*** Scanned 15 processes - 337 modules ***

*** Computer Memory Scan Completed ***

C:\WINDOWS\system32\tuvuust.dll: Trojan.Vundo-1859 FOUND

C:\WINDOWS\system32\byxvs.dll: Trojan.Vundo-2058 FOUND

C:\WINDOWS\system32\pvpenhbg.dll: Trojan.Agent-68 FOUND

C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll: Sirius.Annihilator.272 FOUND

----------- SCAN SUMMARY -----------

Known viruses: 272315

Engine version: 0.90.2

Scanned directories: 0

Scanned files: 352

Skipped non-executable files: 0

Infected files: 4

Data scanned: 158.96 MB

Time: 4328.704 sec (72 m 8 s)

--------------------------------------

Completed

--------------------------------------

System runs extremely slowly. Unwanted popups on both IE and Firefox.

PLEASE HELP!

#2
Mike

Posted 05 May 2008 - 10:48 AM

Malware Monger

Retired Staff
2,745 posts

Hi Mike McD,

I am currently looking over your log, I will be back with you shortly.

#3
Mike

Posted 05 May 2008 - 12:21 PM

Malware Monger

Retired Staff
2,745 posts

Hi again Mike McD,

Please follow my instructions in the order they were given, if you come across something you don't understand or don't feel comfortable doing, don't hesitate to ask and I will get you sorted out

Preperation

I notice you have no Anti-Virus program installed on your computer. These programs are necessary in keeping your computer free of malware, without it you are very likely to get re-infected within a very short period of time.
I would like you to download one of these free programs I have listed here for you.
Note: Make sure to only install ONE program, as having more can cause confliction between these programs, which in turn lowers your protection and slows down your computer.

AVG Anti-Virus
AntiVir

I notice you have no Firewall program installed on your computer. These programs are necessary in keeping your computer safe from hackers and remote attacks against your computer. Without it you are opeing a door for hackers. I would like you to download one of these free programs I have listed here for you.
Note: Make sure to only install ONE program, as having more can cause confliction between these programs, which in turn lowers your protection and slows down your computer.

Step 1. Running VundoFix

Please download VundoFix.exe to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step 2. Fixes with Hijack This

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O4 - HKLM\..\Run: [BM305b20e4] Rundll32.exe "C:\WINDOWS\system32\cyqaerok.dll",s
O4 - HKLM\..\Run: [33681378] rundll32.exe "C:\WINDOWS\system32\mwqeglgb.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

The entry in blue shows that some restrictions have been placed on your control panel, If you are the administrator of this computer and did not set these restrictions, please fix this entry.

Now please close all open windows except HJT and press "Fix checked".

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\WINDOWS\system32\cyqaerok.dll
C:\WINDOWS\system32\mwqeglgb.dll
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please reboot manually if OTmoveIt2 doesn't do it for you.

Step 3. Deckards' System Scanner

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

In your next reply
Please post the log produced by VundoFix.
Main.txt & Extra.txt from Deckards' System Scanner.

#4
Mike McD

Posted 08 May 2008 - 08:48 AM

New Member

Topic Starter
Member
6 posts

Ok, here are the logs of the programs I've run. I ran VundoFix, and it had a problem clearing two files. I tried starting it from the desktop, and on reboot. Both times it found two files and hung up while trying to clean them. I ran it in safe mode, and now it says they are gone.

There is one file that MoveIt2 could not unregister. When I tried to send you this email, I got an unwanted popup in firefox, and I got text boxes for MalwareRemoval, along with a second window opened in IE.

So although most instances of the Vundo are gone, I'm still getting the spyware-adware problem.

BTW, thank you for all your help so far. You guys are incredible.

Mike.

C:\Program Files\PowerISO\PWRISOSH.DLL
C:\WINDOWS\SYSTEM32\bwabxwno.dll
C:\WINDOWS\SYSTEM32\crbttvax.dll
C:\WINDOWS\SYSTEM32\havxpbhs.ini
C:\WINDOWS\SYSTEM32\hkwbiovi.dll
C:\WINDOWS\SYSTEM32\shbpxvah.dll
C:\WINDOWS\SYSTEM32\tovbglfq.dll
C:\WINDOWS\SYSTEM32\umddpduw.dll
C:\WINDOWS\SYSTEM32\vmymfqbv.dll
C:\WINDOWS\SYSTEM32\vwvdsxit.dll

DllUnregisterServer procedure not found in C:\WINDOWS\system32\cyqaerok.dll
C:\WINDOWS\system32\cyqaerok.dll NOT unregistered.
C:\WINDOWS\system32\cyqaerok.dll moved successfully.
File/Folder C:\WINDOWS\system32\mwqeglgb.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05072008_223255

I just went to copy the Hijack this log, and I see all my icons and my taskbar have disappeared. This was a problem with the original virus. Will post HJT after rebooting!

Mike

#5
Mike McD

Posted 08 May 2008 - 09:25 AM

New Member

Topic Starter
Member
6 posts

Everything! Finally!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:37 AM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [33681378] rundll32.exe "C:\WINDOWS\system32\bqvjdfea.dll",b
O4 - HKLM\..\Run: [BM305b20e4] Rundll32.exe "C:\WINDOWS\system32\efbvmrvt.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176701778251
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 2877 bytes

VundoFix

C:\Program Files\PowerISO\PWRISOSH.DLL
C:\WINDOWS\SYSTEM32\bwabxwno.dll
C:\WINDOWS\SYSTEM32\crbttvax.dll
C:\WINDOWS\SYSTEM32\havxpbhs.ini
C:\WINDOWS\SYSTEM32\hkwbiovi.dll
C:\WINDOWS\SYSTEM32\shbpxvah.dll
C:\WINDOWS\SYSTEM32\tovbglfq.dll
C:\WINDOWS\SYSTEM32\umddpduw.dll
C:\WINDOWS\SYSTEM32\vmymfqbv.dll
C:\WINDOWS\SYSTEM32\vwvdsxit.dll

MoveIt2

DllUnregisterServer procedure not found in C:\WINDOWS\system32\cyqaerok.dll
C:\WINDOWS\system32\cyqaerok.dll NOT unregistered.
C:\WINDOWS\system32\cyqaerok.dll moved successfully.
File/Folder C:\WINDOWS\system32\mwqeglgb.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05072008_223255

#6
Mike

Posted 08 May 2008 - 01:22 PM

Malware Monger

Retired Staff
2,745 posts

Hi Mike McD,

Thank you for your PM, it was very kind and is what keeps us going

As for donating, if you would like to make a contribution to help keep this site running take a look at this thread
http://www.geekstogo...ation-t132.html. The amount is entirely up to you, small or large.

Now let's get back to removing this junk from your PC! Please follow my instructions carefully.

First off I noticed you still haven't installed an Antivirus Program or Firewall Program, Please do so NOW. It is extremely important to have these programs updated and running, if not you will just get infected again in a short amount of time. Look again at my previous instructions under "Preparation" and download one of each program.

Then,

Please go here and install the Recovery Console.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

In your next reply:

Please post the contents C:\ComboFix.txt
A new Hijack This log (After running Combofix)

Edited by Mike, 08 May 2008 - 01:23 PM.

#7
Mike McD

Posted 09 May 2008 - 02:31 PM

New Member

Topic Starter
Member
6 posts

Mike,

Just a quick note. I had downloaded and installed Anitvir. I then tried to run the VundoFix program. Antivir freaked out and started an endless loop, throwing up text boxes telling me which versions of Vundo it had found, and it kept finding the same versions over and over no matter how I told the program how to handle the file (ignore, quarantine, delete, etc.). So I am holding off installing anything until after the system is clear. Please trust that I am not surfing the net while this process is going on. I WILL install something (probably not Antivir) when we are done. I had been using Clamwin, but I see you're not recommending that.

Here are the log files you've requested.

Deckard's System Scanner v20071014.68
Run by HP Authorized Custom on 2008-05-09 09:31:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
64: 2008-05-09 14:31:37 UTC - RP1329 - Deckard's System Scanner Restore Point
63: 2008-05-09 14:04:14 UTC - RP1328 - ComboFix created restore point
62: 2008-05-08 08:30:44 UTC - RP1327 - System Checkpoint
61: 2008-05-07 03:56:13 UTC - RP1326 - Avira AntiVir Personal - 5/6/2008 22:56
60: 2008-05-07 02:43:41 UTC - RP1325 - System Checkpoint

-- First Restore Point --
1: 2008-02-22 18:51:03 UTC - RP1266 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as HP Authorized Custom.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:50 AM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP Authorized Custom\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP Authorized Custom.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {3E3A9A92-577F-56FC-0213-5200BDB0DACF} - C:\WINDOWS\system32\zdeh.dll (file missing)
O2 - BHO: (no name) - {69DA6BCD-2FA4-46D8-8E02-66290755B9BE} - C:\WINDOWS\system32\xxwuu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BF679CE1-EE30-485C-8197-8B2B4D45C6EB} - C:\WINDOWS\system32\cbayv.dll (file missing)
O2 - BHO: (no name) - {FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D} - C:\WINDOWS\system32\yayyv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176701778251
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 4005 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080424-130547-915 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.netzero.net/s/sp
backup-20080424-130547-833 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
backup-20080424-130547-144 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
backup-20080424-130547-539 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
backup-20080424-130547-507 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
backup-20080424-130547-406 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
backup-20080424-130548-438 O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/sp
backup-20080424-130548-168 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
backup-20080424-130548-457 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
backup-20080507-222552-174 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,16
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,15

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 GBDevice - c:\windows\system32\drivers\gbdevice.sys <Not Verified; Symantec Corporation; Norton GoBack>
R0 GoBack2K - c:\windows\system32\drivers\goback2k.sys <Not Verified; Symantec Corporation; Norton GoBack>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 GBFSHook - c:\windows\system32\drivers\gbfshook.sys <Not Verified; Symantec Corporation; Norton GoBack>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20070308.002\symidsco.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>
S4 GBPoll - c:\program files\norton systemworks\norton goback\gbpoll.exe <Not Verified; Symantec Corporation; Norton GoBack>
S4 HP Port Resolver - c:\windows\system32\spool\drivers\w32x86\3\hpbpro.exe <Not Verified; Hewlett-Packard Company; PortResolver Module>
S4 HP Status Server - c:\windows\system32\spool\drivers\w32x86\3\hpboid.exe <Not Verified; Hewlett-Packard Company; HP Status Server>
S4 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>
S4 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 ScsiAccess - c:\windows\system32\scsiaccess.exe

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-09 09:31:11 0 d-------- C:\WINDOWS\LastGood
2008-05-09 09:03:31 68096 --a------ C:\WINDOWS\zip.exe
2008-05-09 09:03:31 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-09 09:03:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-09 09:03:31 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-09 09:03:31 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-09 09:03:31 98816 --a------ C:\WINDOWS\sed.exe
2008-05-09 09:03:31 80412 --a------ C:\WINDOWS\grep.exe
2008-05-09 09:03:31 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-08 10:23:32 2112 --a------ C:\WINDOWS\system32\twgcerkw.exe
2008-05-07 10:23:47 2112 --a------ C:\WINDOWS\system32\xtwoikoj.exe
2008-05-07 00:48:41 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-05-06 23:30:29 0 d-------- C:\VundoFix Backups
2008-05-06 23:28:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-05-06 23:27:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-06 23:15:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-06 21:31:29 2112 --a------ C:\WINDOWS\system32\atajycku.exe
2008-04-29 12:52:46 0 d-------- C:\Program Files\Panda Security

-- Find3M Report ---------------------------------------------------------------

2008-03-28 15:33:12 0 d-------- C:\Program Files\ACW
2008-03-26 12:18:22 0 d-------- C:\Program Files\Trend Micro
2008-03-25 08:00:32 0 --a------ C:\WINDOWS\mrofinu.exe
2008-03-25 07:53:18 0 --a------ C:\WINDOWS\system32\yayyv.dll
2008-03-24 13:41:38 2556 --a------ C:\WINDOWS\unins000.dat
2008-03-24 13:40:26 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-23 21:01:16 0 d-------- C:\Documents and Settings\HP Authorized Custom\Application Data\HouseCall 6.6

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E3A9A92-577F-56FC-0213-5200BDB0DACF}]
C:\WINDOWS\system32\zdeh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69DA6BCD-2FA4-46D8-8E02-66290755B9BE}]
C:\WINDOWS\system32\xxwuu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22}]
C:\WINDOWS\system32\ddaba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF679CE1-EE30-485C-8197-8B2B4D45C6EB}]
C:\WINDOWS\system32\cbayv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D}]
03/25/2008 07:53 AM 0 --a------ C:\WINDOWS\system32\yayyv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/27/2007 11:53 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk.disabled
backup=C:\WINDOWS\pss\Norton GoBack.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP Authorized Custom^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\HP Authorized Custom\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\33681378]
rundll32.exe "C:\WINDOWS\system32\qlegqoxu.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bvflew]
"C:\Documents and Settings\HP Authorized Custom\Application Data\??stem\n?tepad.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
"C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
C:\Program Files\\NoDNS\\NoDNS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Upne]
"C:\WINDOWS\system32\TSKS~1\services.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakCCS"=2 (0x2)
"ScsiAccess"=2 (0x2)
"QBFCService"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"gusvc"=3 (0x3)
"GBPoll"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD06"=C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
"HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
"BluetoothAuthenticationAgent"=rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"MMTray"=
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"HPStart"=c:\hp\hpcoach\hpstart.wsf

-- End of Deckard's System Scanner: finished at 2008-05-09 09:38:27 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Celeron processor
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 510.43 MiB / 230.52 MiB
Pagefile Memory (total/avail): 672.69 MiB / 463.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.45 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 37.26 GiB total, 12.81 GiB free.
E: is Removable (No Media)
M: is CDROM (No Media)
N: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-23FRA0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 37.27 GiB - C:

\\.\PHYSICALDRIVE1 - HP Photosmart 8100 USB Device

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe:*:Disabled:backWeb-7288971"
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"="C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE:*:Enabled:Firefox"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HP Authorized Custom\Application Data
BLASTER=A220 I5 D1 T4 P330
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SECOND
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HP Authorized Custom
LOGONSERVER=\\SECOND
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\COMMAND;C:\Program Files\Common Files\GTK\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$p$g
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HPAUTH~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\HPAUTH~1\LOCALS~1\Temp
USERDOMAIN=SECOND
USERNAME=HP Authorized Custom
USERPROFILE=C:\Documents and Settings\HP Authorized Custom
winbootdir=C:\WINDOWS
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

HP Authorized Custom (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /UNINSTALL /PROMPT
--> C:\Program Files\Installshield Installation Information\{08082022-2a50-4196-8196-a6f86d6e8f12}\QBReplace.exe {08082022-2a50-4196-8196-a6f86d6e8f12}#{01288593-26bb-4b3a-a04e-0a4ed28cc937}
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\Easy CD Creator 4\CreateCD\UNINST.ISU"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\Easy CD Creator 4\UNINST.ISU"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\Easy CD Creator 4\UNINST.ISU"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\mrun32.isu
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7C06F60-C1A0-4D8C-85BA-15A18B93AA13}\setup.exe" -l0x9 -uninst -f"C:\Program Files\Scholastic's Clifford\Clifford Musical Memory Games\Uninst.isu" -c"C:\Program Files\Scholastic's Clifford\Clifford Musical Memory Games\_UnInstall.dll"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adaptec DirectCD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\DirectCD\DCDUnins.isu" -cC:\PROGRA~1\ADAPTEC\DIRECTCD\Dcduhlp.dll
Adaptec Easy CD Creator 4 --> "C:\Program Files\Common Files\Adaptec\ECDCUNIN\SETUP.EXE" +s -l0009 -fECDC.INS
Adaptec UDF Reader --> C:\WINDOWS\SYSTEM32\udfrunin.exe
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\98\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\98\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~1\Install.log
aspi --> MsiExec.exe /I{015E4B8A-29B5-4AE3-BD08-38220FADFF4C}
CCHelp --> MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
ESSAdpt --> MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}
ESSANUP --> MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}
ESSCAM --> MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
GTK+ 2.6.9 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HouseCall 6.6 --> "C:\Documents and Settings\HP Authorized Custom\Application Data\HouseCall 6.6\uninstaller.exe"
HP Image Zone 4.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Java 2 Runtime Environment, SE v1.4.1_07 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA532E73-1BB7-11D8-9D6A-00010240CE95}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_370000_11f1ac\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
LeadTool --> MsiExec.exe /I{050ED764-D5FD-4D33-8FCD-AC48250C0798}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NoDNS --> C:\Program Files\\NoDNS\\UnInstall.exe
Norton GoBack Personal Edition (Symantec Corporation) --> C:\Program Files\Norton SystemWorks\Norton GoBack\Setup.exe /u
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
One-touch Multimedia Keyboard --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Netropa\One-touch Multimedia Keyboard\Uninst.isu" -c"C:\Program Files\Netropa\One-touch Multimedia Keyboard\uninst.dll"
OpenOffice.org 2.0 --> MsiExec.exe /I{76BB7B2D-748F-4AE9-89C3-78C051833EA1}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PCDADDIN --> MsiExec.exe /I{65D85050-5610-4A91-A3B1-D5C744291AD4}
PCDHELP --> MsiExec.exe /I{C99DCDA4-7407-4F72-A77E-C81C551D0C4E}
PCDLNCH --> MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}
PCDrdsho --> MsiExec.exe /I{C42C10A8-F2F4-4846-B772-ABD1912A2E85}
Photosmart 320,370,7400,8100,8400 Series --> C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\setup\hpzscr01.exe -datfile hphscr01.dat
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickBooks Pro 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2007" ADDREMOVE=1
QuickBooks Product Listing Service --> MsiExec.exe /I{91208A47-5D08-4C79-986F-1931940F51BB}
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
RABCO --> "C:\Program Files\RABCO\un_RABCOSetup_16230.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}
SFR2 --> MsiExec.exe /I{ABE068DF-8DC4-4947-ABFC-DD2B40850225}
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
The GIMP 2.2.8 --> "C:\Program Files\GIMP-2.0\unins000.exe"
USB MassStorage CardReader --> C:\Program Files\Kodak\040a_5005\Remove.exe
ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Windows Messenger 5.0 --> MsiExec.exe /I{4A432C6C-1E20-4266-95D1-5782349C6C62}
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll

-- Application Event Log -------------------------------------------------------

Event Record #/Type331 / Error
Event Submitted/Written: 05/08/2008 09:22:57 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type325 / Warning
Event Submitted/Written: 05/07/2008 01:12:05 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.AGC:\WINDOWS\SYSTEM32\byxvs.dll

Event Record #/Type324 / Warning
Event Submitted/Written: 05/07/2008 01:12:04 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.GenC:\WINDOWS\SYSTEM32\epljjsfr.dll

Event Record #/Type323 / Warning
Event Submitted/Written: 05/07/2008 01:12:04 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.GenC:\WINDOWS\SYSTEM32\epljjsfr.dll

Event Record #/Type322 / Warning
Event Submitted/Written: 05/07/2008 01:12:04 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.GenC:\WINDOWS\SYSTEM32\shbpxvah.dll

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type8903 / Error
Event Submitted/Written: 05/09/2008 09:09:44 AM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{305F24F5-9D38-42FD-A9FA-371179EA9030}.
The backup browser is stopping.

Event Record #/Type8902 / Warning
Event Submitted/Written: 05/09/2008 09:07:43 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\DECAF-80LUKSINH on the network \Device\NetBT_Tcpip_{305F24F5-9D38-42FD-A9FA-371179EA9030}.
The data is the error code.

Event Record #/Type8864 / Warning
Event Submitted/Written: 05/08/2008 02:22:48 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0018F8082A65. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type8844 / Error
Event Submitted/Written: 05/07/2008 10:22:18 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type8843 / Error
Event Submitted/Written: 05/07/2008 03:29:39 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
eeCtrl
Fips
IPSec
MRxSmb
NetBIOS
NetBT
P3
RasAcd
Rdbss
SCDEmu
Tcpip

-- End of Deckard's System Scanner: finished at 2008-05-09 09:38:27 ------------

ComboFix 08-05-07.1 - HP Authorized Custom 2008-05-09 9:05:01.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.260 [GMT -5:00]
Running from: C:\Documents and Settings\HP Authorized Custom\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\HP Authorized Custom\Application Data\STEM~1
C:\Program Files\CPV
C:\Program Files\CPV\CPV7.dll
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\Program Files\outerinfo
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\gbRve12
C:\Temp\gbRve12\csLioes.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\IA
C:\WINDOWS\pskt.ini
C:\WINDOWS\start.exe
C:\WINDOWS\SYSTEM32\abadd.ini
C:\WINDOWS\SYSTEM32\abadd.ini2
C:\WINDOWS\SYSTEM32\aefdjvqb.ini
C:\WINDOWS\system32\akxlyykf.ini
C:\WINDOWS\system32\anerdmfn.dll
C:\WINDOWS\system32\bglgeqwm.ini
C:\WINDOWS\system32\bklyunaf.dll
C:\WINDOWS\system32\bqvjdfea.dll
C:\WINDOWS\system32\byxvs.dll
C:\WINDOWS\system32\cjxnvgxw.dll
C:\WINDOWS\system32\efbvmrvt.dll
C:\WINDOWS\system32\enidtidq.ini
C:\WINDOWS\system32\epljjsfr.dll
C:\WINDOWS\system32\fcnkdcif.ini
C:\WINDOWS\system32\flfetpfe.ini
C:\WINDOWS\system32\gbhnepvp.ini
C:\WINDOWS\system32\gdetkqvj.ini
C:\WINDOWS\system32\grerfthg.dll
C:\WINDOWS\system32\hknmtbji.ini
C:\WINDOWS\system32\jsbmklxx.ini
C:\WINDOWS\system32\kphilsdy.dll
C:\WINDOWS\system32\kpkyptlm.dll
C:\WINDOWS\system32\kstrsqvb.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mqobktpm.ini
C:\WINDOWS\system32\mtxcxpjt.ini
C:\WINDOWS\system32\nxxyhnia.dll
C:\WINDOWS\system32\ohfnpcdv.dll
C:\WINDOWS\system32\ohlqldln.dll
C:\WINDOWS\system32\ohqjarpj.dll
C:\WINDOWS\system32\oxkmwdax.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\plvsdbfj.dll
C:\WINDOWS\system32\qditdine.dll
C:\WINDOWS\system32\qtkeeifo.dll
C:\WINDOWS\system32\redetstb.ini
C:\WINDOWS\SYSTEM32\svxyb.ini
C:\WINDOWS\SYSTEM32\svxyb.ini2
C:\WINDOWS\system32\tpedhnqu.ini
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\tsks~1\T?sks\
C:\WINDOWS\system32\tuvuust.dll
C:\WINDOWS\system32\twdnagfr.dll
C:\WINDOWS\system32\twwnmguy.ini
C:\WINDOWS\system32\unoofxxd.dll
C:\WINDOWS\system32\utfurhtm.dll
C:\WINDOWS\SYSTEM32\uuwxx.ini
C:\WINDOWS\SYSTEM32\uuwxx.ini2
C:\WINDOWS\system32\vmaovypb.ini
C:\WINDOWS\SYSTEM32\vyabc.ini
C:\WINDOWS\SYSTEM32\vyabc.ini2
C:\WINDOWS\SYSTEM32\vyyay.ini
C:\WINDOWS\SYSTEM32\vyyay.ini2
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\wonahbgj.dll
C:\WINDOWS\system32\wvscnklb.ini
C:\WINDOWS\system32\wytuoqly.dll
C:\WINDOWS\system32\xfqpnpbf.dll
C:\WINDOWS\system32\xrbqtyxn.dll
C:\WINDOWS\system32\yyvhsept.ini
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR

((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-08 10:23 . 2008-05-08 10:23 2,112 --a------ C:\WINDOWS\SYSTEM32\twgcerkw.exe
2008-05-07 22:32 . 2008-05-07 22:32 <DIR> d-------- C:\_OTMoveIt
2008-05-07 10:23 . 2008-05-07 10:23 2,112 --a------ C:\WINDOWS\SYSTEM32\xtwoikoj.exe
2008-05-07 01:04 . 2008-05-07 10:21 414 ---hs---- C:\WINDOWS\SYSTEM32\havxpbhs.ini
2008-05-07 00:48 . 2008-05-07 00:48 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-05-06 23:30 . 2008-05-06 23:30 <DIR> d-------- C:\VundoFix Backups
2008-05-06 23:28 . 2008-05-06 23:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-05-06 23:15 . 2008-05-06 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-06 21:31 . 2008-05-06 21:31 2,112 --a------ C:\WINDOWS\SYSTEM32\atajycku.exe
2008-04-29 12:52 . 2008-04-29 12:52 <DIR> d-------- C:\Program Files\Panda Security
2008-04-21 16:12 . 2008-04-22 16:12 714 ---hs---- C:\WINDOWS\SYSTEM32\tgxpoyku.ini
2008-04-20 16:08 . 2008-04-21 16:09 594 ---hs---- C:\WINDOWS\SYSTEM32\lxwilimj.ini
2008-04-19 15:17 . 2008-04-20 16:06 474 ---hs---- C:\WINDOWS\SYSTEM32\onudjrdy.ini
2008-04-19 15:15 . 2008-05-09 08:55 109,778 --a------ C:\WINDOWS\BM305b20e4.xml
2008-04-13 10:17 . 2008-04-19 15:14 1,486 ---hs---- C:\WINDOWS\SYSTEM32\bviwkmwj.ini
2008-04-12 10:11 . 2008-04-13 10:11 1,306 ---hs---- C:\WINDOWS\SYSTEM32\iylhjwwv.ini
2008-04-10 20:40 . 2008-04-12 10:05 894 ---hs---- C:\WINDOWS\SYSTEM32\xarnrwed.ini
2008-04-09 14:56 . 2008-04-10 20:34 714 ---hs---- C:\WINDOWS\SYSTEM32\hbwtkarw.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 20:33 --------- d-----w C:\Program Files\ACW
2008-03-26 17:18 --------- d-----w C:\Program Files\Trend Micro
2008-03-26 04:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-24 18:40 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-24 02:01 --------- d-----w C:\Documents and Settings\HP Authorized Custom\Application Data\HouseCall 6.6
2007-08-15 18:43 38,152 ----a-w C:\Documents and Settings\HP Authorized Custom\Application Data\GDIPFONTCACHEV1.DAT
2006-08-09 17:42 3,198,976 ----a-w C:\Program Files\ViewSonicregistration.exe
2006-03-14 15:04 128 ----a-w C:\Documents and Settings\HP Authorized Custom\Application Data\fusioncache.dat
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
2000-11-01 20:51 271 --sh--w C:\Program Files\desktop.ini
2000-11-01 20:51 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E3A9A92-577F-56FC-0213-5200BDB0DACF}]
C:\WINDOWS\system32\zdeh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69DA6BCD-2FA4-46D8-8E02-66290755B9BE}]
C:\WINDOWS\system32\xxwuu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22}]
C:\WINDOWS\system32\ddaba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF679CE1-EE30-485C-8197-8B2B4D45C6EB}]
C:\WINDOWS\system32\cbayv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D}]
2008-03-25 07:53 0 --a------ C:\WINDOWS\system32\yayyv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 11:53 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 11:53 68856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk.disabled
backup=C:\WINDOWS\pss\Norton GoBack.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP Authorized Custom^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\HP Authorized Custom\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\33681378]
C:\WINDOWS\system32\qlegqoxu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bvflew]
C:\Documents and Settings\HP Authorized Custom\Application Data\??stem\n?tepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
C:\Program Files\ClamWin\bin\ClamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
C:\Program Files\\NoDNS\\NoDNS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-11-06 03:27 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-27 11:53 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--a------ 2003-03-31 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Upne]
C:\WINDOWS\system32\TSKS~1\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakCCS"=2 (0x2)
"ScsiAccess"=2 (0x2)
"QBFCService"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"gusvc"=3 (0x3)
"GBPoll"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD06"=C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
"HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
"BluetoothAuthenticationAgent"=rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"MMTray"=
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"HPStart"=c:\hp\hpcoach\hpstart.wsf

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 01:04]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 09:16:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
.
**************************************************************************
.
Completion time: 2008-05-09 9:21:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 14:20:36

Pre-Run: 13,322,387,456 bytes free
Post-Run: 13,494,681,600 bytes free

257 --- E O F --- 2008-03-31 08:08:03

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:23 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {3E3A9A92-577F-56FC-0213-5200BDB0DACF} - C:\WINDOWS\system32\zdeh.dll (file missing)
O2 - BHO: (no name) - {69DA6BCD-2FA4-46D8-8E02-66290755B9BE} - C:\WINDOWS\system32\xxwuu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BF679CE1-EE30-485C-8197-8B2B4D45C6EB} - C:\WINDOWS\system32\cbayv.dll (file missing)
O2 - BHO: (no name) - {FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D} - C:\WINDOWS\system32\yayyv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menu

#8
Mike

Posted 10 May 2008 - 06:47 AM

Malware Monger

Retired Staff
2,745 posts

Hi Mike McD,

I really insist that you keep your antivirus running. AntiVir is excellent and the popups you see shows that its doing its job by blocking the virus.

I see you're running tools(such as vundofix) and scans (such as Deckards' System Scanner) that I am not asking you to run. It is very important you do not run these tools without supervision as alot of what they list are legitimate and needed items for your computer to run! Please refrain from running any other tools than what I ask you to run.

It seems you didn't install the Recovery Console, your computer is heavily infected and should something go wrong it may be unbootable. The Recovery Console is there so ,if this situation were to arise, I could fix your computer.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

This will cause ComboFix to run, please post me the log it produces.

Your Hijack This log got cut off as well, please post the whole log, if it looks like there is not enough room, post the Hijack This log in a seperate post.

#9
Mike McD

Posted 11 May 2008 - 07:43 AM

New Member

Topic Starter
Member
6 posts

ComboFix 08-05-07.1 - HP Authorized Custom 2008-05-11 7:44:28.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.270 [GMT -5:00]
Running from: C:\Documents and Settings\HP Authorized Custom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP Authorized Custom\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-09 16:56 . 2008-05-10 03:18 32 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-05-09 16:56 . 2008-05-10 03:18 32 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-05-09 16:37 . 2008-05-09 16:37 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-05-09 16:33 . 2008-05-09 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-09 16:32 . 2008-04-02 20:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-05-09 16:32 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-05-09 16:32 . 2008-05-09 16:37 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-05-09 16:31 . 2008-05-09 16:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2008-05-09 16:31 . 2008-05-09 16:31 <DIR> d-------- C:\Program Files\Zone Labs
2008-05-09 16:31 . 2008-04-02 20:07 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-05-09 16:31 . 2008-05-10 03:19 352,918 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2008-05-09 16:30 . 2008-05-09 16:31 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-09 09:31 . 2008-05-09 09:31 <DIR> d-------- C:\Deckard
2008-05-08 10:23 . 2008-05-08 10:23 2,112 --a------ C:\WINDOWS\SYSTEM32\twgcerkw.exe
2008-05-07 22:32 . 2008-05-07 22:32 <DIR> d-------- C:\_OTMoveIt
2008-05-07 10:23 . 2008-05-07 10:23 2,112 --a------ C:\WINDOWS\SYSTEM32\xtwoikoj.exe
2008-05-07 01:04 . 2008-05-07 10:21 414 ---hs---- C:\WINDOWS\SYSTEM32\havxpbhs.ini
2008-05-07 00:48 . 2008-05-07 00:48 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-05-06 23:30 . 2008-05-06 23:30 <DIR> d-------- C:\VundoFix Backups
2008-05-06 23:28 . 2008-05-06 23:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-05-06 23:15 . 2008-05-06 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-06 21:31 . 2008-05-06 21:31 2,112 --a------ C:\WINDOWS\SYSTEM32\atajycku.exe
2008-04-29 12:52 . 2008-04-29 12:52 <DIR> d-------- C:\Program Files\Panda Security
2008-04-21 16:12 . 2008-04-22 16:12 714 ---hs---- C:\WINDOWS\SYSTEM32\tgxpoyku.ini
2008-04-20 16:08 . 2008-04-21 16:09 594 ---hs---- C:\WINDOWS\SYSTEM32\lxwilimj.ini
2008-04-19 15:17 . 2008-04-20 16:06 474 ---hs---- C:\WINDOWS\SYSTEM32\onudjrdy.ini
2008-04-19 15:15 . 2008-05-09 08:55 109,778 --a------ C:\WINDOWS\BM305b20e4.xml
2008-04-13 10:17 . 2008-04-19 15:14 1,486 ---hs---- C:\WINDOWS\SYSTEM32\bviwkmwj.ini
2008-04-12 10:11 . 2008-04-13 10:11 1,306 ---hs---- C:\WINDOWS\SYSTEM32\iylhjwwv.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 20:33 --------- d-----w C:\Program Files\ACW
2008-03-26 17:18 --------- d-----w C:\Program Files\Trend Micro
2008-03-26 04:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-24 18:40 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-24 02:01 --------- d-----w C:\Documents and Settings\HP Authorized Custom\Application Data\HouseCall 6.6
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2007-08-15 18:43 38,152 ----a-w C:\Documents and Settings\HP Authorized Custom\Application Data\GDIPFONTCACHEV1.DAT
2006-08-09 17:42 3,198,976 ----a-w C:\Program Files\ViewSonicregistration.exe
2006-03-14 15:04 128 ----a-w C:\Documents and Settings\HP Authorized Custom\Application Data\fusioncache.dat
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
2000-11-01 20:51 271 --sh--w C:\Program Files\desktop.ini
2000-11-01 20:51 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-05-09_ 9.17.56.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 14:15:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-10 08:18:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-12-06 23:44:30 1,024,000 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
+ 2008-02-16 09:32:04 1,024,000 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
- 2007-12-06 23:44:30 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
+ 2008-02-16 09:32:04 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
- 2007-12-06 23:44:32 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
+ 2008-02-16 09:32:04 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
- 2007-12-06 23:44:30 1,024,000 ----a-w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
+ 2008-02-16 09:32:04 1,024,000 ----a-w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
- 2007-12-06 23:44:30 151,040 ------w C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
+ 2008-02-16 09:32:04 151,040 ------w C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
- 2007-12-06 23:44:32 1,054,208 ------w C:\WINDOWS\SYSTEM32\dllcache\danim.dll
+ 2008-02-16 09:32:04 1,054,208 ------w C:\WINDOWS\SYSTEM32\dllcache\danim.dll
- 2007-12-06 23:44:34 357,888 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
+ 2008-02-16 09:32:04 357,888 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
- 2007-12-06 23:44:34 205,824 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
+ 2008-02-16 09:32:04 205,312 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
- 2007-12-06 23:44:34 55,808 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
+ 2008-02-16 09:32:04 55,808 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
- 2007-12-06 23:44:34 251,904 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
+ 2008-02-16 09:32:04 251,904 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
- 2007-12-06 23:44:34 96,256 ----a-w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
+ 2008-02-16 09:32:04 96,256 ----a-w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
- 2007-11-14 06:26:56 450,560 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll
- 2007-12-06 23:44:34 16,384 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
+ 2008-02-16 09:32:04 16,384 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
- 2007-12-06 23:44:36 3,066,368 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
+ 2008-02-16 09:32:06 3,066,880 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
- 2007-12-06 23:44:36 449,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
+ 2008-02-16 09:32:06 449,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
- 2007-12-06 23:44:36 146,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
+ 2008-02-16 09:32:06 146,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
- 2007-12-06 23:44:36 532,480 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
+ 2008-02-16 09:32:08 532,480 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
- 2007-12-06 23:44:36 39,424 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
+ 2008-02-16 09:32:08 39,424 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
- 2007-12-06 23:44:38 1,499,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
+ 2008-02-16 09:32:08 1,499,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
- 2007-12-06 23:44:38 474,112 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
+ 2008-02-16 09:32:08 474,112 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
- 2007-12-06 23:44:40 617,984 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
+ 2008-02-16 09:32:08 618,496 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
+ 2007-12-18 14:40:58 417,792 ------w C:\WINDOWS\SYSTEM32\dllcache\vbscript.dll
- 2007-12-06 23:44:40 666,112 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
+ 2008-02-16 09:32:10 666,112 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
+ 2008-02-20 05:32:44 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
+ 2007-07-19 20:10:28 127,768 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\klif.sys
- 2007-12-06 23:44:34 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2008-02-16 09:32:04 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2007-12-06 23:44:34 205,824 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2008-02-16 09:32:04 205,312 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2007-12-06 23:44:34 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2008-02-16 09:32:04 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2008-03-09 14:16:54 169,096 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-05-10 08:18:46 169,096 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
- 2007-12-06 23:44:34 251,904 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
+ 2008-02-16 09:32:04 251,904 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
- 2007-12-06 23:44:34 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
+ 2008-02-16 09:32:04 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
- 2007-11-14 06:26:56 450,560 ----a-w C:\WINDOWS\SYSTEM32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\SYSTEM32\jscript.dll
- 2007-12-06 23:44:34 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-02-16 09:32:04 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-04-03 01:07:36 796,048 ----a-w C:\WINDOWS\SYSTEM32\libeay32_0.9.6l.dll
+ 2008-04-06 03:56:22 19,836,024 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2007-12-06 23:44:36 3,066,368 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2008-02-16 09:32:06 3,066,880 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2007-12-06 23:44:36 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2008-02-16 09:32:06 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2007-12-06 23:44:36 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2008-02-16 09:32:06 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2007-12-06 23:44:36 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2008-02-16 09:32:08 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
- 2007-12-06 23:44:36 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2008-02-16 09:32:08 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2007-12-06 23:44:38 1,499,136 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
+ 2008-02-16 09:32:08 1,499,136 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
- 2007-12-06 23:44:38 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
+ 2008-02-16 09:32:08 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
- 2007-12-06 23:44:40 617,984 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2008-02-16 09:32:08 618,496 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2004-08-04 07:56:46 417,792 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
+ 2008-04-03 01:07:40 83,432 ----a-w C:\WINDOWS\SYSTEM32\vsdata.dll
+ 2008-04-03 01:08:00 394,952 ----a-w C:\WINDOWS\SYSTEM32\vsdatant.sys
+ 2008-04-03 01:07:40 157,160 ----a-w C:\WINDOWS\SYSTEM32\vsinit.dll
+ 2008-04-03 01:07:40 103,912 ----a-w C:\WINDOWS\SYSTEM32\vsmonapi.dll
+ 2008-04-03 01:07:40 275,944 ----a-w C:\WINDOWS\SYSTEM32\vspubapi.dll
+ 2008-04-03 01:07:42 71,144 ----a-w C:\WINDOWS\SYSTEM32\vsregexp.dll
+ 2008-04-03 01:07:42 472,552 ----a-w C:\WINDOWS\SYSTEM32\vsutil.dll
+ 2008-04-03 01:07:42 46,568 ----a-w C:\WINDOWS\SYSTEM32\vswmi.dll
+ 2008-04-03 01:07:42 99,816 ----a-w C:\WINDOWS\SYSTEM32\vsxml.dll
- 2007-12-06 23:44:40 666,112 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2008-02-16 09:32:10 666,112 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
- 2007-12-06 08:38:32 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
+ 2008-02-15 09:06:22 351,744 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
+ 2008-04-03 01:07:44 83,432 ----a-w C:\WINDOWS\SYSTEM32\zlcomm.dll
+ 2008-04-03 01:07:44 71,144 ----a-w C:\WINDOWS\SYSTEM32\zlcommdb.dll
+ 2008-04-03 01:07:32 370,208 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\av.dll
+ 2007-05-31 05:03:30 65,248 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 19:47:36 21,568 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-31 05:03:30 1,628 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\pdmkl.dat
+ 2007-05-31 05:03:16 77,824 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 05:03:16 110,592 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 05:03:16 331,776 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 05:03:16 38,400 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\FSSync.dll
+ 2006-09-20 04:12:14 208,960 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\inv.dll
+ 2007-12-03 19:53:58 282,624 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\kave.dll
+ 2006-12-19 23:13:52 1,093,632 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 05:03:20 548,864 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 05:03:20 626,688 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 05:03:18 184,320 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 05:03:22 90,112 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\prremote.dll
+ 2007-12-03 19:53:58 139,264 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-19 23:13:52 200,704 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ssleay32.dll
+ 2008-04-03 01:07:32 99,816 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\camupd.dll
+ 2004-01-30 17:35:08 813,568 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\dbghelp.dll
+ 2008-04-03 01:07:34 128,480 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\fbl.dll
+ 2008-04-03 01:07:34 38,376 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\featuremap.dll
+ 2008-04-03 01:07:34 321,016 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\imsecure.dll
+ 2008-04-03 01:08:02 288,144 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2008-04-03 01:08:02 152,976 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-04-03 01:08:02 26,000 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zlsvc.zip.dll
+ 2008-04-03 01:08:02 1,361,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zpy.zip.dll
+ 2008-04-03 01:08:02 71,056 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zui.zip.dll
+ 2008-04-03 01:09:10 30,184 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2008-04-03 01:09:12 30,216 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2008-02-27 08:10:26 714,208 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrbase.dll
+ 2008-02-27 08:10:28 792,032 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrsrecl.dll
+ 2008-04-03 01:07:38 173,544 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\scheduler.dll
+ 2008-01-21 13:34:36 7,603,688 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2008-02-27 08:10:32 1,504,736 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.dll
+ 2008-02-27 08:10:44 51,176 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.sys
+ 2008-04-03 01:07:38 456,168 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\ssleay32.dll
+ 2008-04-03 01:09:12 214,528 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2008-04-03 01:09:14 3,266,040 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 01:59:14 503,875 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\upd_core.dll
+ 2007-10-11 21:50:32 832,984 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updating.dll
+ 2008-04-03 01:07:54 144,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updclient.exe
+ 2007-01-11 22:31:06 286,787 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updtrsdk.dll
+ 2008-04-03 01:07:40 108,008 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsavpro.dll
+ 2008-04-03 01:07:40 83,432 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsdb.dll
+ 2008-04-03 01:07:54 75,304 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
+ 2008-04-03 01:07:40 2,029,032 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmondll.dll
+ 2008-04-03 01:07:42 1,361,384 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsruledb.dll
+ 2008-04-03 01:07:42 239,080 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsvault.dll
+ 2008-01-21 13:34:36 7,603,688 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlasdbup.dat
+ 2008-04-03 01:07:44 177,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlparser.dll
+ 2008-04-03 01:07:44 79,344 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlquarantine.dll
+ 2008-04-03 01:07:46 382,440 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlsre.dll
+ 2008-04-03 01:07:46 120,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlupdate.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E3A9A92-577F-56FC-0213-5200BDB0DACF}]
C:\WINDOWS\system32\zdeh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69DA6BCD-2FA4-46D8-8E02-66290755B9BE}]
C:\WINDOWS\system32\xxwuu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22}]
C:\WINDOWS\system32\ddaba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF679CE1-EE30-485C-8197-8B2B4D45C6EB}]
C:\WINDOWS\system32\cbayv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D}]
2008-03-25 07:53 0 --a------ C:\WINDOWS\system32\yayyv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-05-09 16:37 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-05-09 16:37 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 11:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 20:07 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 11:53 68856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk.disabled
backup=C:\WINDOWS\pss\Norton GoBack.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP Authorized Custom^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\HP Authorized Custom\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\33681378]
C:\WINDOWS\system32\qlegqoxu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bvflew]
C:\Documents and Settings\HP Authorized Custom\Application Data\??stem\n?tepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
C:\Program Files\ClamWin\bin\ClamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
C:\Program Files\\NoDNS\\NoDNS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-11-06 03:27 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-27 11:53 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--a------ 2003-03-31 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Upne]
C:\WINDOWS\system32\TSKS~1\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakCCS"=2 (0x2)
"ScsiAccess"=2 (0x2)
"QBFCService"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"gusvc"=3 (0x3)
"GBPoll"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD06"=C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
"HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
"BluetoothAuthenticationAgent"=rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"MMTray"=
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"HPStart"=c:\hp\hpcoach\hpstart.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 01:04]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 07:56:02
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-11 8:01:40
ComboFix-quarantined-files.txt 2008-05-11 13:00:58
ComboFix2.txt 2008-05-09 14:21:20

Pre-Run: 13,158,055,936 bytes free
Post-Run: 13,159,202,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

349 --- E O F --- 2008-05-11 08:06:42

HijackThis Log to Follow

#10
Mike McD

Posted 11 May 2008 - 07:44 AM

New Member

Topic Starter
Member
6 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:35 AM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {3E3A9A92-577F-56FC-0213-5200BDB0DACF} - C:\WINDOWS\system32\zdeh.dll (file missing)
O2 - BHO: (no name) - {69DA6BCD-2FA4-46D8-8E02-66290755B9BE} - C:\WINDOWS\system32\xxwuu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BF679CE1-EE30-485C-8197-8B2B4D45C6EB} - C:\WINDOWS\system32\cbayv.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D} - C:\WINDOWS\system32\yayyv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176701778251
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 4586 bytes

#11
Mike

Posted 12 May 2008 - 07:09 AM

Malware Monger

Retired Staff
2,745 posts

Hi Mike McD,

Let's continue, please follow these instructions carefully as there is alot to look over. Make sure to run it in the order its listed.

Very Important!

You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again.
It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. When should I re-format?

If you choose to reformat please let me know in your next post. Otherwise proceed with the fixes below.

Step 1. Running SDFix

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Step 2. Running OTMoveIt2

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\WINDOWS\system32\TSKS~1
C:\Documents and Settings\HP Authorized Custom\Application Data\??stem /u
Purity
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 3. Making a CFscript

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\twgcerkw.exe
C:\WINDOWS\SYSTEM32\xtwoikoj.exe
C:\WINDOWS\SYSTEM32\havxpbhs.ini
C:\WINDOWS\SYSTEM32\atajycku.exe
C:\WINDOWS\SYSTEM32\tgxpoyku.ini
C:\WINDOWS\SYSTEM32\lxwilimj.ini
C:\WINDOWS\SYSTEM32\onudjrdy.ini
C:\WINDOWS\BM305b20e4.xml
C:\WINDOWS\SYSTEM32\bviwkmwj.ini
C:\WINDOWS\SYSTEM32\iylhjwwv.ini
C:\WINDOWS\unins000.exe
C:\WINDOWS\system32\zdeh.dll
C:\WINDOWS\system32\xxwuu.dll
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\yayyv.dll
C:\WINDOWS\system32\qlegqoxu.dll

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E3A9A92-577F-56FC-0213-5200BDB0DACF}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69DA6BCD-2FA4-46D8-8E02-66290755B9BE}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF679CE1-EE30-485C-8197-8B2B4D45C6EB}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D}]

[-HKEY_CLASSES_ROOT\CLSID\{3E3A9A92-577F-56FC-0213-5200BDB0DACF}]

[-HKEY_CLASSES_ROOT\CLSID\{69DA6BCD-2FA4-46D8-8E02-66290755B9BE}]

[-HKEY_CLASSES_ROOT\CLSID\{A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22}]

[-HKEY_CLASSES_ROOT\CLSID\{BF679CE1-EE30-485C-8197-8B2B4D45C6EB}]

[-HKEY_CLASSES_ROOT\CLSID\{FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP Authorized Custom^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\33681378]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bvflew]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Upne]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

Step 4. Running Dr. Web CureIt

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.

In your next reply

Please post the log from SDFix.
Please post the log from OTMoveIt2.
Please post the log from Combofix (located at C:\Combofix.txt).
Please post the log from Dr. Web CureIt.
Please post a new Hijack This log AFTER running all these tools.

Edited by Mike, 12 May 2008 - 07:10 AM.

#12
Mike

Posted 22 May 2008 - 04:38 AM

Malware Monger

Retired Staff
2,745 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.