
Unknown Viruses, Can only boot into Safe [RESOLVED]


  • This topic is locked This topic is locked

#1 SequelPrequel (Member, 22 posts)
Okay, at first - I could not log in to NORMAL windows. I was forced to use safe mode each time, so I was prevented from using some antispyware programs, antivirus, etc.

I pretty much dealt with this myself by using the self-help tools.

If anyone ever has this problem: It's vundo, agent, and some other malware.

I still think there's Vundo hidden on my computer; it's very slick and evaded almost all of the scanners I used. I noticed it set my cookies to "All Cookies" and also kept redirecting me to other sites to prevent me from downloading any cleaner/scanner. What I did was I googled MBAM, then used Google's cached page to get to that link, installed it and ran it directly. :)

Here's my HJT log; no Vundo shows here. Vundo.resident is present though, I'm positive. I'm about to run VundoFix.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:23 AM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [44d8a429] rundll32.exe "C:\WINDOWS\system32\fbvuvfwv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zon...ot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - http://asp.mathxl.co.../MathPlayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 7230 bytes

Edited by SequelPrequel, 25 July 2008 - 06:03 AM.

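Editor's added example, not code from either poster: a small Python triage pass over HijackThis-format entries like the log above. It flags the same cues a helper looks for by eye: a Run value whose name is eight hex digits, rundll32 loading a DLL with a random-looking eight-letter name (the shape of the O4 entry above), and buttons or services whose binary is reported "(file missing)". The log excerpt embedded in it is constructed from the posted log; the name-shape rules are heuristics chosen here, not part of HijackThis, and a hit is a reason to look closer rather than a verdict.

```python
import re

# Constructed excerpt in HijackThis log format, taken from the log posted
# above (R/O entries only; the process list is not needed for this check).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [44d8a429] rundll32.exe "C:\WINDOWS\system32\fbvuvfwv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Generic HJT entry: "O4 - <body>", "R1 - <body>", ...
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 followed by an optionally quoted DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


def _random_looking(stem: str) -> bool:
    """Heuristic (chosen for this example): eight lowercase letters, the shape
    of the DLL name in the posted O4 entry. Legitimate DLLs can look like this
    too, so this is a triage cue, not a verdict."""
    return re.fullmatch(r"[a-z]{8}", stem) is not None


def triage_hjt(text: str):
    """Return (kind, reason, entry) triples for entries worth a second look."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        # HJT appends this marker when the referenced binary no longer exists.
        if body.endswith("(file missing)"):
            findings.append((kind, "file missing", body))
        if kind == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            # Vundo-style autostart: value name is a bare 8-digit hex string.
            if re.fullmatch(r"[0-9a-fA-F]{8}", o4.group("name")):
                findings.append((kind, "hex-named Run value", body))
            dll = RUNDLL_RE.search(o4.group("cmd"))
            if dll:
                stem = dll.group("dll").rsplit("\\", 1)[-1][:-4].lower()
                if _random_looking(stem):
                    findings.append((kind, "rundll32 loading random-named DLL", body))
    return findings


if __name__ == "__main__":
    for kind, reason, entry in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{kind:<4} {reason:<35} {entry}")
```

Run it against a full HijackThis log by reading the file into `triage_hjt`; the "file missing" hits (here the Norton Auto-Protect service) are usually leftovers of an uninstalled product and are cleanup, not infection, which is why the reason string is kept separate from the Run-key rules.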



#2 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Now it is difficult to tell from your post whether you are now able to work from normal windows, or whether you need to be in safe mode.

If you are only able to work in safe mode, then let's use it to our advantage.

BUT ONLY DO STEPS ONE AND TWO IF YOU ARE IN SAFE MODE. IF YOU ARE IN NORMAL WINDOWS, SKIP STEPS ONE AND TWO, AND MOVE STRAIGHT TO STEP THREE.

STEP ONE

I need you to run a command script. Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

@echo off

echo Trying to remove files and folders. . . . 
if exist C:\WINDOWS\system32\cnpvkf.dll attrib -h -s -r C:\WINDOWS\system32\cnpvkf.dll
if exist C:\WINDOWS\system32\cnpvkf.dll del /a/f/q C:\WINDOWS\system32\cnpvkf.dll 
if exist C:\WINDOWS\system32\ebtfopbd.dll attrib -h -s -r C:\WINDOWS\system32\ebtfopbd.dll
if exist C:\WINDOWS\system32\ebtfopbd.dll del /a/f/q C:\WINDOWS\system32\ebtfopbd.dll
if exist C:\WINDOWS\system32\dkygjsuo.dll attrib -h -s -r C:\WINDOWS\system32\dkygjsuo.dll
if exist C:\WINDOWS\system32\dkygjsuo.dll del /a/f/q C:\WINDOWS\system32\dkygjsuo.dll
if exist C:\WINDOWS\system32\TDMllnnn.ini2 attrib -h -s -r C:\WINDOWS\system32\TDMllnnn.ini2
if exist C:\WINDOWS\system32\TDMllnnn.ini2 del /a/f/q C:\WINDOWS\system32\TDMllnnn.ini2
if exist C:\WINDOWS\system32\nnnllMDT.dll attrib -h -s -r C:\WINDOWS\system32\nnnllMDT.dll
if exist C:\WINDOWS\system32\nnnllMDT.dll del /a/f/q C:\WINDOWS\system32\nnnllMDT.dll
if exist C:\WINDOWS\system32\wvUKdBqo.dll attrib -h -s -r C:\WINDOWS\system32\wvUKdBqo.dll
if exist C:\WINDOWS\system32\wvUKdBqo.dll del /a/f/q C:\WINDOWS\system32\wvUKdBqo.dll
if exist C:\WINDOWS\system32\khfDwwTl.dll attrib -h -s -r C:\WINDOWS\system32\khfDwwTl.dll
if exist C:\WINDOWS\system32\khfDwwTl.dll del /a/f/q C:\WINDOWS\system32\khfDwwTl.dll
if exist C:\WINDOWS\qndsfmao.dll attrib -h -s -r C:\WINDOWS\qndsfmao.dll
if exist C:\WINDOWS\qndsfmao.dll del /a/f/q C:\WINDOWS\qndsfmao.dll
if exist C:\WINDOWS\kvxqmtre.dll attrib -h -s -r C:\WINDOWS\kvxqmtre.dll
if exist C:\WINDOWS\kvxqmtre.dll del /a/f/q C:\WINDOWS\kvxqmtre.dll
if exist C:\WINDOWS\kgxmotaptvw.dll attrib -h -s -r C:\WINDOWS\kgxmotaptvw.dll
if exist C:\WINDOWS\kgxmotaptvw.dll del /a/f/q C:\WINDOWS\kgxmotaptvw.dll
if exist C:\WINDOWS\evgratsm.dll attrib -h -s -r C:\WINDOWS\evgratsm.dll
if exist C:\WINDOWS\evgratsm.dll del /a/f/q C:\WINDOWS\evgratsm.dll
if exist C:\WINDOWS\epeb.exe attrib -h -s -r C:\WINDOWS\epeb.exe
if exist C:\WINDOWS\epeb.exe del /a/f/q C:\WINDOWS\epeb.exe
if exist C:\WINDOWS\agpqlrfm.exe attrib -h -s -r C:\WINDOWS\agpqlrfm.exe
if exist C:\WINDOWS\agpqlrfm.exe del /a/f/q C:\WINDOWS\agpqlrfm.exe
if exist C:\fi.cmd attrib -h -s -r C:\fi.cmd
if exist C:\fi.cmd del /a/f/q C:\fi.cmd
if exist C:\31n3b2h.exe attrib -h -s -r C:\31n3b2h.exe
if exist C:\31n3b2h.exe del /a/f/q C:\31n3b2h.exe
if exist C:\WINDOWS\system32\ckvo0.dll attrib -h -s -r C:\WINDOWS\system32\ckvo0.dll
if exist C:\WINDOWS\system32\ckvo0.dll del /a/f/q C:\WINDOWS\system32\ckvo0.dll
if exist C:\ffojc.com attrib -h -s -r C:\ffojc.com
if exist C:\ffojc.com del /a/f/q C:\ffojc.com
if exist C:\k6wkwon2.exe attrib -h -s -r C:\k6wkwon2.exe
if exist C:\k6wkwon2.exe del /a/f/q C:\k6wkwon2.exe
if exist C:\0gjn3yw.exe attrib -h -s -r C:\0gjn3yw.exe
if exist C:\0gjn3yw.exe del /a/f/q C:\0gjn3yw.exe
if exist C:\WINDOWS\system32\ckvo.exe attrib -h -s -r C:\WINDOWS\system32\ckvo.exe
if exist C:\WINDOWS\system32\ckvo.exe del /a/f/q C:\WINDOWS\system32\ckvo.exe
if exist C:\y.com attrib -h -s -r C:\y.com
if exist C:\y.com del /a/f/q C:\y.com
if exist C:\WINDOWS\system32\ckvo1.dll attrib -h -s -r C:\WINDOWS\system32\ckvo1.dll
if exist C:\WINDOWS\system32\ckvo1.dll del /a/f/q C:\WINDOWS\system32\ckvo1.dll
if exist C:\mp.cmd attrib -h -s -r C:\mp.cmd
if exist C:\mp.cmd del /a/f/q C:\mp.cmd
if exist C:\n6j6pc0.com attrib -h -s -r C:\n6j6pc0.com
if exist C:\n6j6pc0.com del /a/f/q C:\n6j6pc0.com
if exist C:\br1e.com attrib -h -s -r C:\br1e.com
if exist C:\br1e.com del /a/f/q C:\br1e.com
if exist C:\uwlmj.com attrib -h -s -r C:\uwlmj.com
if exist C:\uwlmj.com del /a/f/q C:\uwlmj.com
if exist C:\WINDOWS\system32\kavo1.dll attrib -h -s -r C:\WINDOWS\system32\kavo1.dll
if exist C:\WINDOWS\system32\kavo1.dll del /a/f/q C:\WINDOWS\system32\kavo1.dll
if exist C:\WINDOWS\system32\kavo.exe attrib -h -s -r C:\WINDOWS\system32\kavo.exe
if exist C:\WINDOWS\system32\kavo.exe del /a/f/q C:\WINDOWS\system32\kavo.exe
if exist C:\WINDOWS\system32\kavo0.dll attrib -h -s -r C:\WINDOWS\system32\kavo0.dll
if exist C:\WINDOWS\system32\kavo0.dll del /a/f/q C:\WINDOWS\system32\kavo0.dll
if exist C:\o6opnro.bat attrib -h -s -r C:\o6opnro.bat
if exist C:\o6opnro.bat del /a/f/q C:\o6opnro.bat
if exist C:\s2vgyp.exe attrib -h -s -r C:\s2vgyp.exe
if exist C:\s2vgyp.exe del /a/f/q C:\s2vgyp.exe
if exist C:\n.com attrib -h -s -r C:\n.com
if exist C:\n.com del /a/f/q C:\n.com
if exist C:\pkxfkrki.bat attrib -h -s -r C:\pkxfkrki.bat
if exist C:\pkxfkrki.bat del /a/f/q C:\pkxfkrki.bat
if exist C:\lgrncie.bat attrib -h -s -r C:\lgrncie.bat
if exist C:\lgrncie.bat del /a/f/q C:\lgrncie.bat
if exist C:\90imhpnc.exe attrib -h -s -r C:\90imhpnc.exe
if exist C:\90imhpnc.exe del /a/f/q C:\90imhpnc.exe
if exist C:\p1t.bat attrib -h -s -r C:\p1t.bat
if exist C:\p1t.bat del /a/f/q C:\p1t.bat
if exist C:\WINDOWS\system32\kavo2.dll attrib -h -s -r C:\WINDOWS\system32\kavo2.dll
if exist C:\WINDOWS\system32\kavo2.dll del /a/f/q C:\WINDOWS\system32\kavo2.dll
if exist C:\p0sc9t.cmd attrib -h -s -r C:\p0sc9t.cmd
if exist C:\p0sc9t.cmd del /a/f/q C:\p0sc9t.cmd
if exist C:\yp.bat attrib -h -s -r C:\yp.bat
if exist C:\yp.bat del /a/f/q C:\yp.bat
if exist C:\sdc.bat attrib -h -s -r C:\sdc.bat
if exist C:\sdc.bat del /a/f/q C:\sdc.bat
if exist C:\2.cmd attrib -h -s -r C:\2.cmd
if exist C:\2.cmd del /a/f/q C:\2.cmd
if exist C:\9mf.exe attrib -h -s -r C:\9mf.exe
if exist C:\9mf.exe del /a/f/q C:\9mf.exe
if exist C:\ocbqsqj.bat attrib -h -s -r C:\ocbqsqj.bat
if exist C:\ocbqsqj.bat del /a/f/q C:\ocbqsqj.bat
if exist C:\m.exe attrib -h -s -r C:\m.exe
if exist C:\m.exe del /a/f/q C:\m.exe
if exist C:\lgnaqil.exe attrib -h -s -r C:\lgnaqil.exe
if exist C:\lgnaqil.exe del /a/f/q C:\lgnaqil.exe
if exist C:\w2qagd.com attrib -h -s -r C:\w2qagd.com
if exist C:\w2qagd.com del /a/f/q C:\w2qagd.com
if exist C:\mka.bat attrib -h -s -r C:\mka.bat
if exist C:\mka.bat del /a/f/q C:\mka.bat
if exist C:\8386nac.com attrib -h -s -r C:\8386nac.com
if exist C:\8386nac.com del /a/f/q C:\8386nac.com
if exist C:\0.com attrib -h -s -r C:\0.com
if exist C:\0.com del /a/f/q C:\0.com
if exist C:\1.bat attrib -h -s -r C:\1.bat
if exist C:\1.bat del /a/f/q C:\1.bat
rem Paths containing spaces must be quoted, or RD sees each word as a separate argument
RD /S /Q "C:\Program Files\Antivirus2008"
RD /S /Q "C:\Program Files\Antivirus 2008 PRO"
RD /S /Q "C:\Documents and Settings\ibrahm\Application Data\ShoppingReport"
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as Script.cmd using Save as Type: All files
  • Locate Script.cmd on your desktop
  • Double click to run.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

STEP TWO

Next, I need you to run a small registry script to clean up some entries, but first we need to backup your registry:
Please go to Start > Run
Paste in the following line:

regedit /e c:\registrybackup.reg

Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05721FB0-2C8D-41A1-BEF7-0957168A3502}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05721FB0-2C8D-41A1-BEF7-0957168A3502}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C79EB32-ED4F-450B-9B71-851A81C4FE9B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C79EB32-ED4F-450B-9B71-851A81C4FE9B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75bd77a4-cc46-4e22-a9fd-5c046948ef07}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75bd77a4-cc46-4e22-a9fd-5c046948ef07}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0FCCD91-E695-4651-82D7-029F328A8120}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0FCCD91-E695-4651-82D7-029F328A8120}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DelayLoad"=-
"44d8a429"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F0FCCD91-E695-4651-82D7-029F328A8120}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"evgratsm"=-
"kvxqmtre"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUKdBqo] 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6D,73,76,31,5F,30,00,00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9A3D91FB-FCF6-46A4-A0C2-B4865D8D05DC}"=-

[-HKEY_CLASSES_ROOT\CLSID\{9A3D91FB-FCF6-46A4-A0C2-B4865D8D05DC}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2E5E800E-6AC0-411E-940A-369530A35E43}]

[-HKEY_CLASSES_ROOT\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\http://trymedia.com]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\https://trymedia.com]
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
  • Locate FixReg.reg on your desktop
  • Double click to run, and when prompted Allow the file to merge with your registry
  • OK your way out.

After that, Reboot and see if you can start in Normal Mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


If you can start the computer normally, move on to the next step. If you still have to start in Safe Mode, post me a new DSS log and DO NOT try any further steps.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

STEP THREE

Do this only if you are in Normal Windows:

Please read this Combofix tutorial before continuing, then follow the instructions below.

Please ensure you read this guide carefully and install the Recovery Console first.

Next, download ComboFix from Here or Here to your Desktop.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Save this log to your desktop as Combofix.txt and post it in your next reply.

(Note: Combofix will also save the report to C:\Combofix.txt)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, depending on whether you could get into normal windows, post me the following logs in your next reply:

The contents of DSS main.txt IF still in Safe Mode.

OR

The contents of Combofix.txt and a fresh DSS main.txt, taken after running Combofix IF you are back in normal windows.

Regards,
RatHat
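Editor's added example, not part of RatHat's instructions: before merging a fix script such as FixReg.reg, it is worth previewing exactly what it will do. The Python below parses the REGEDIT4 syntax used above ("[-KEY]" deletes a whole key, `"name"=-` deletes one value, anything else sets a value) and summarises the deletions and sets, decoding the hex(7) REG_MULTI_SZ payload so the Lsa line reads as the string it restores. It also flags any key deletion that is too shallow to be a targeted fix. The excerpt it runs on is constructed from the posted script; the depth threshold is a choice made for this example.

```python
import re

# Constructed excerpt of the FixReg.reg script posted above (REGEDIT4 format).
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0FCCD91-E695-4651-82D7-029F328A8120}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0FCCD91-E695-4651-82D7-029F328A8120}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DelayLoad"=-
"44d8a429"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6D,73,76,31,5F,30,00,00
"""

# Constructed, deliberately dangerous script: deleting a hive-level key would
# remove far more than one malware entry, so the preview must call it out.
RISKY_REG = "REGEDIT4\n\n[-HKEY_LOCAL_MACHINE\\SOFTWARE]\n"

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')
MIN_DEPTH = 4  # hive + three components; shallower key deletions are flagged


def _decode_multi_sz(data: str):
    """Decode a REGEDIT4 hex(7) payload: ANSI bytes, NUL-separated, NUL NUL end."""
    raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def preview_reg(text: str) -> dict:
    """Summarise what merging a .reg file would change, without touching anything."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and lines[-1].endswith("\\"):  # join hex continuation lines
            lines[-1] = lines[-1][:-1] + line
        else:
            lines.append(line)

    out = {"delete_keys": [], "delete_values": [], "set_values": [], "risky": []}
    current = None
    for line in lines:
        if not line or line.upper().startswith("REGEDIT") or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            if km.group("delete"):
                out["delete_keys"].append(current)
                if len(current.split("\\")) < MIN_DEPTH:
                    out["risky"].append(current)
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = vm.group("name") if vm.group("name") is not None else "(Default)"
            data = vm.group("data")
            if data == "-":
                out["delete_values"].append((current, name))
            elif data.startswith("hex(7):"):
                out["set_values"].append((current, name, _decode_multi_sz(data)))
            else:
                out["set_values"].append((current, name, data))
    return out


if __name__ == "__main__":
    for section, items in preview_reg(SAMPLE_REG).items():
        print(section)
        for item in items:
            print("   ", item)
```

On the posted script the preview shows the Lsa "Authentication Packages" value being reset to just msv1_0, i.e. the default Windows package, which is how the script evicts anything that hooked itself into LSA authentication; seeing that spelled out is the point of previewing before merging.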

#3 SequelPrequel (Topic Starter, Member, 22 posts)
Yes, I could boot into Normal, so I skipped steps one and two.

Here:

ComboFix 08-07-25.4 - Admin 2008-07-26 1:43:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -4:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ffojc.com
C:\k6wkwon2.exe
C:\o.exe
C:\p0sc9t.cmd
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\nnnllMDT.dll
C:\WINDOWS\system32\ousjgykd.ini
C:\WINDOWS\system32\TDMllnnn.ini
C:\WINDOWS\system32\TDMllnnn.ini2
C:\WINDOWS\system32\vwfvuvbf.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-26 01:52 . 2008-07-26 01:52 294 ---hs---- C:\WINDOWS\system32\vwfvuvbf.ini
2008-07-25 02:22 . 2008-07-25 02:22 94,848 --a------ C:\WINDOWS\system32\fbvuvfwv.dll
2008-07-25 02:12 . 2008-07-25 02:12 <DIR> d-------- C:\VundoFix Backups
2008-07-25 02:03 . 2008-07-25 02:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-25 02:03 . 2008-07-25 02:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-25 02:03 . 2008-07-25 02:03 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2008-07-25 01:58 . 2008-07-25 01:58 <DIR> dr-h----- C:\Documents and Settings\Admin\Application Data\yahoo!
2008-07-25 01:31 . 2008-07-25 01:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 01:31 . 2008-07-25 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 01:31 . 2008-07-25 01:31 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-07-25 01:31 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-25 01:31 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 11:08 . 2008-07-24 11:08 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-24 02:28 . 2008-07-25 01:19 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-07-24 01:52 . 2008-07-24 01:52 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-07-23 18:56 . 2008-07-23 18:56 <DIR> d-------- C:\Deckard
2008-07-23 16:31 . 2007-03-13 03:10 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Sony Corporation
2008-07-23 16:31 . 2007-03-13 03:25 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Intuit
2008-07-23 16:31 . 2008-07-26 01:30 <DIR> d-------- C:\Documents and Settings\Admin
2008-07-15 00:43 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-15 00:43 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-07-15 00:43 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-15 00:43 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-07-15 00:43 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-07-14 23:39 . 2006-03-15 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-14 14:13 . 2008-07-14 23:59 132,804 -r-hs---- C:\31n3b2h.exe
2008-07-14 14:13 . 2008-07-14 23:59 118,512 -r-hs---- C:\fi.cmd
2008-07-10 10:43 . 2008-07-11 11:07 117,053 -r-hs---- C:\0gjn3yw.exe
2008-07-10 10:14 . 2008-07-10 10:13 132,594 -r-hs---- C:\y.com
2008-07-10 04:14 . 2008-07-15 00:00 77,312 -rahs---- C:\WINDOWS\system32\ckvo1.dll
2008-07-10 04:13 . 2008-07-10 04:14 116,414 -r-hs---- C:\mp.cmd
2008-06-28 10:44 . 2006-03-15 08:00 66,594 --a------ C:\WINDOWS\system32\c_864.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,594 --a------ C:\WINDOWS\system32\c_862.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,594 --a------ C:\WINDOWS\system32\c_720.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_708.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\C_28596.NLS
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_10021.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_10005.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_10004.nls
2008-06-26 20:59 . 2008-07-09 23:31 <DIR> d-------- C:\Program Files\Feudalism_at

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 05:55 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-25 05:51 --------- d-----w C:\Program Files\Google
2008-07-24 06:48 --------- d-----w C:\Program Files\Trend Micro
2008-07-23 23:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-18 04:10 --------- d-----w C:\Program Files\Yahoo!
2008-07-18 03:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 13:46 125,264 --sh--r C:\br1e.com
2008-06-23 18:47 123,013 --sh--r C:\uwlmj.com
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 03:52 123,769 --sh--r C:\s2vgyp.exe
2008-06-19 12:08 124,324 --sh--r C:\n.com
2008-06-16 06:07 128,280 --sh--r C:\pkxfkrki.bat
2008-06-15 02:31 17,408 ----a-w C:\psapi.dll
2008-06-15 02:31 --------- d-----w C:\Program Files\The Basketball IntelliGym
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-04 00:21 122,870 --sh--r C:\90imhpnc.exe
2008-06-03 12:33 122,302 --sh--r C:\p1t.bat
2008-06-02 22:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-05-29 21:33 122,875 --sh--r C:\yp.bat
2008-05-28 09:55 121,077 --sh--r C:\sdc.bat
2008-05-26 17:02 119,816 --sh--r C:\2.cmd
2008-05-25 21:53 121,998 --sh--r C:\9mf.exe
2008-05-19 04:27 117,655 --sh--r C:\lgnaqil.exe
2008-05-17 19:30 117,831 --sh--r C:\w2qagd.com
2008-04-26 16:47 118,558 --sh--r C:\mka.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"44d8a429"="C:\WINDOWS\system32\fbvuvfwv.dll" [2008-07-25 02:22 94848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 19:11 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-26 10:10 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 20:26]
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys [2006-02-21 22:32]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2005-07-14 23:10]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 20:23]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 22:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-02 21:11:03 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-10-02 21:08:20 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2008-03-30 13:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{F0FCCD91-E695-4651-82D7-029F328A8120} - C:\WINDOWS\SYSTEM32\WVUKDBQO.DLL
ShellExecuteHooks-{F0FCCD91-E695-4651-82D7-029F328A8120} - C:\WINDOWS\SYSTEM32\WVUKDBQO.DLL
Notify-wvUKdBqo - wvUKdBqo.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
O8 -: Add to Google Photos Screensa&ver - C:\WINDOWS\system32\GPhotos.scr/200
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 01:52:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\vwfvuvbf.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-26 1:54:53 - machine was rebooted [Admin]
ComboFix-quarantined-files.txt 2008-07-26 05:54:50

Pre-Run: 56,612,806,656 bytes free
Post-Run: 56,490,577,920 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

215 --- E O F --- 2008-07-10 09:13:11




Thank you

#4 RatHat (Ex Malware Expert; Expert, 7,829 posts)

Hi there,

Good to see that you are in normal Windows. I see you have run VundoFix. Could you post me the log it created? Also, please don't run any more fixes without letting me know what you intend to run. This way I can make sure that there will not be any conflicts.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\vwfvuvbf.ini
C:\WINDOWS\system32\fbvuvfwv.dll
C:\31n3b2h.exe
C:\fi.cmd
C:\0gjn3yw.exe
C:\y.com
C:\WINDOWS\system32\ckvo1.dll
C:\mp.cmd
C:\br1e.com
C:\uwlmj.com
C:\s2vgyp.exe
C:\n.com
C:\pkxfkrki.bat
C:\90imhpnc.exe
C:\p1t.bat
C:\yp.bat
C:\sdc.bat
C:\2.cmd
C:\9mf.exe
C:\lgnaqil.exe
C:\w2qagd.com
C:\mka.bat

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"44d8a429"=-

Rootkit::
C:\WINDOWS\system32\vwfvuvbf.ini


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation not captured: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save Report As Text button:
  • Under Save as type, choose Text file (*.txt)
  • Save the file to your desktop as Kaspersky.txt
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


When complete, please run DSS again, and post me the Combofix log, the Kaspersky log, and the newly created DSS log.

Regards,
RatHat
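The CFScript above targets a hidden .ini plus a DLL whose basename is that .ini's name spelled backwards (vwfvuvbf.ini / fbvuvfwv.dll), and the earlier ComboFix log had already removed, as orphans, one DLL registered three ways (BHO, ShellExecuteHooks and Winlogon Notify under the same CLSID). The Python below is an added example, not part of this thread and not ComboFix's own tooling: it parses those two sections of a ComboFix log, groups orphaned load points by the DLL they pointed at, applies the reversed-name heuristic, and emits a CFScript skeleton in the File::/Rootkit:: layout used in the post. The sample log is excerpted from the log posted above; the section markers it keys on and the reversed-name rule are this example's own assumptions, and a reversed-name hit is a candidate to confirm on disk, not proof. The Registry:: block is left to the analyst because the Run value to delete is not derivable from the log text.

```python
"""Build a CFScript skeleton from ComboFix/catchme findings.

Added example for this thread; not ComboFix's own tooling. It keys on two
sections of a ComboFix log: the '- - - - ORPHANS REMOVED - - - -' block and
the catchme 'scanning hidden files ...' block. The reversed-name check
(hidden .ini whose basename reversed is a DLL basename) is this example's
own heuristic; it matches the pair targeted above but only yields a
candidate to confirm, not proof.
"""
import ntpath  # Windows path handling that also works on a Linux/macOS host
import re

# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
- - - - ORPHANS REMOVED - - - -

BHO-{F0FCCD91-E695-4651-82D7-029F328A8120} - C:\WINDOWS\SYSTEM32\WVUKDBQO.DLL
ShellExecuteHooks-{F0FCCD91-E695-4651-82D7-029F328A8120} - C:\WINDOWS\SYSTEM32\WVUKDBQO.DLL
Notify-wvUKdBqo - wvUKdBqo.dll

------- Supplementary Scan -------
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 01:52:11

scanning hidden files ...


C:\WINDOWS\system32\vwfvuvbf.ini 294 bytes

scan completed successfully
hidden files: 1
"""

ORPHAN_RE = re.compile(r"^(BHO|ShellExecuteHooks|Notify)-(\S+)\s+-\s+(.+?)\s*$")
HIDDEN_FILE_RE = re.compile(r"^([A-Za-z]:\\\S.*?)\s+(\d+) bytes$")


def parse_orphans(log):
    """Return (kind, key, target) for each load point ComboFix removed as an orphan."""
    found, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if "ORPHANS REMOVED" in line:
            inside = True
            continue
        if inside:
            if line.startswith(("-------", "*****", "catchme")):
                break  # next section of the log
            m = ORPHAN_RE.match(line)
            if m:
                found.append(m.groups())
    return found


def parse_hidden_files(log):
    """Return (path, size) for every file catchme reported as hidden."""
    found, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden files"):
            inside = True
            continue
        if inside:
            if line.startswith("scan completed"):
                break
            m = HIDDEN_FILE_RE.match(line)
            if m:
                found.append((m.group(1), int(m.group(2))))
    return found


def orphan_clusters(orphans):
    """Group orphaned load points by the DLL basename they pointed at.

    The pattern in this log is one DLL registered as BHO, ShellExecuteHooks
    and Winlogon Notify at once.
    """
    clusters = {}
    for kind, _key, target in orphans:
        clusters.setdefault(ntpath.basename(target).lower(), set()).add(kind)
    return clusters


def reversed_dll_candidate(ini_path):
    """Heuristic: vwfvuvbf.ini -> fbvuvfwv.dll in the same folder (None if not .ini)."""
    folder, name = ntpath.split(ini_path)
    stem, ext = ntpath.splitext(name)
    if ext.lower() != ".ini":
        return None
    return ntpath.join(folder, stem[::-1] + ".dll")


def build_cfscript(log):
    """Emit File:: and Rootkit:: blocks in the layout used in the post.

    Registry:: is deliberately omitted: the value to delete is not in the log.
    """
    hidden = parse_hidden_files(log)
    files = []
    for path, _size in hidden:
        files.append(path)
        candidate = reversed_dll_candidate(path)
        if candidate:
            files.append(candidate)  # verify it exists before trusting it
    lines = ["File::", *files, "", "Rootkit::", *[p for p, _ in hidden]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dll, kinds in orphan_clusters(parse_orphans(SAMPLE_LOG)).items():
        print(f"orphaned load points for {dll}: {', '.join(sorted(kinds))}")
    print(build_cfscript(SAMPLE_LOG))
```

Run it against a saved ComboFix.txt by reading the file into `build_cfscript` instead of `SAMPLE_LOG`; the printed File:: block is a starting point to review, not something to feed to ComboFix blind.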

#5 SequelPrequel (Topic Starter; Member, 22 posts)

VundoFix was run twice, the most updated versions, and they found nothing.

Here's the first thing (ComboFix):

ComboFix 08-07-25.4 - Admin 2008-07-27 1:40:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.634 [GMT -4:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\0gjn3yw.exe
C:\2.cmd
C:\31n3b2h.exe
C:\90imhpnc.exe
C:\9mf.exe
C:\br1e.com
C:\fi.cmd
C:\lgnaqil.exe
C:\mka.bat
C:\mp.cmd
C:\n.com
C:\p1t.bat
C:\pkxfkrki.bat
C:\s2vgyp.exe
C:\sdc.bat
C:\uwlmj.com
C:\w2qagd.com
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\fbvuvfwv.dll
C:\WINDOWS\system32\vwfvuvbf.ini
C:\y.com
C:\yp.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0gjn3yw.exe
C:\2.cmd
C:\31n3b2h.exe
C:\90imhpnc.exe
C:\9mf.exe
C:\br1e.com
C:\fi.cmd
C:\lgnaqil.exe
C:\mka.bat
C:\mp.cmd
C:\n.com
C:\p1t.bat
C:\pkxfkrki.bat
C:\s2vgyp.exe
C:\sdc.bat
C:\uwlmj.com
C:\w2qagd.com
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\fbvuvfwv.dll
C:\WINDOWS\system32\vwfvuvbf.ini
C:\y.com
C:\yp.bat

.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-25 02:12 . 2008-07-25 02:12 <DIR> d-------- C:\VundoFix Backups
2008-07-25 02:03 . 2008-07-25 02:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-25 02:03 . 2008-07-25 02:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-25 02:03 . 2008-07-25 02:03 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2008-07-25 01:58 . 2008-07-25 01:58 <DIR> dr-h----- C:\Documents and Settings\Admin\Application Data\yahoo!
2008-07-25 01:31 . 2008-07-25 01:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 01:31 . 2008-07-25 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 01:31 . 2008-07-25 01:31 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-07-25 01:31 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-25 01:31 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 11:08 . 2008-07-24 11:08 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-24 02:28 . 2008-07-25 01:19 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-07-24 01:52 . 2008-07-24 01:52 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-07-23 18:56 . 2008-07-23 18:56 <DIR> d-------- C:\Deckard
2008-07-23 16:31 . 2007-03-13 03:10 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Sony Corporation
2008-07-23 16:31 . 2007-03-13 03:25 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Intuit
2008-07-23 16:31 . 2008-07-26 01:30 <DIR> d-------- C:\Documents and Settings\Admin
2008-07-15 00:43 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-15 00:43 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-07-15 00:43 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-15 00:43 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-07-15 00:43 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-07-14 23:39 . 2006-03-15 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-28 10:44 . 2006-03-15 08:00 66,594 --a------ C:\WINDOWS\system32\c_864.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,594 --a------ C:\WINDOWS\system32\c_862.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,594 --a------ C:\WINDOWS\system32\c_720.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_708.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\C_28596.NLS
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_10021.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_10005.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_10004.nls

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 05:55 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-25 05:51 --------- d-----w C:\Program Files\Google
2008-07-24 06:48 --------- d-----w C:\Program Files\Trend Micro
2008-07-23 23:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-18 04:10 --------- d-----w C:\Program Files\Yahoo!
2008-07-18 03:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-10 03:31 --------- d-----w C:\Program Files\Feudalism_at
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 02:31 17,408 ----a-w C:\psapi.dll
2008-06-15 02:31 --------- d-----w C:\Program Files\The Basketball IntelliGym
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-02 22:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
.

((((((((((((((((((((((((((((( snapshot@2008-07-26_ 1.54.34.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-27 05:44:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_18c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 08:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 19:11 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-26 10:10 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 20:26]
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys [2006-02-21 22:32]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2005-07-14 23:10]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 20:23]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 22:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-02 21:11:03 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-10-02 21:08:20 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2008-03-30 13:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 01:44:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-27 1:48:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-27 05:48:01
ComboFix2.txt 2008-07-26 05:54:54

Pre-Run: 56,424,751,104 bytes free
Post-Run: 56,409,763,840 bytes free

205 --- E O F --- 2008-07-10 09:13:11

#6 RatHat (Ex Malware Expert; Expert, 7,829 posts)

Let me have the Kaspersky log and new DSS log, then we can see what else is left over. Also let me know how your computer is running now.

Regards,
RatHat

#7 SequelPrequel (Topic Starter; Member, 22 posts)

Deckard's System Scanner v20071014.68
Run by Admin on 2008-07-28 01:01:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:46 AM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Admin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zon...ot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - http://asp.mathxl.co.../MathPlayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 8020 bytes

-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-27 02:44:47 0 dr-h----- C:\Documents and Settings\Admin\Recent
2008-07-27 02:36:14 0 d-------- C:\Program Files\Avira
2008-07-27 02:36:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-26 01:42:53 0 d-------- C:\cmdcons
2008-07-26 01:41:41 68096 --a------ C:\WINDOWS\zip.exe
2008-07-26 01:41:41 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-26 01:41:41 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-26 01:41:41 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-26 01:41:41 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-26 01:41:41 98816 --a------ C:\WINDOWS\sed.exe
2008-07-26 01:41:41 80412 --a------ C:\WINDOWS\grep.exe
2008-07-26 01:41:41 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-25 02:12:06 0 d-------- C:\VundoFix Backups
2008-07-25 02:03:28 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-25 02:03:09 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-25 02:03:09 0 d-------- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2008-07-25 01:58:48 0 dr-h----- C:\Documents and Settings\Admin\Application Data\yahoo!
2008-07-25 01:57:51 0 d-------- C:\Documents and Settings\Admin\Application Data\Real
2008-07-25 01:49:41 0 d-------- C:\Documents and Settings\Admin\Application Data\Google
2008-07-25 01:46:16 0 d-------- C:\Program Files\msn gaming zone
2008-07-25 01:31:57 0 d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-07-25 01:31:45 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 01:31:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 11:08:22 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-24 02:28:01 0 d-------- C:\Program Files\RogueRemover FREE
2008-07-24 02:21:29 0 d-------- C:\WINDOWS\pss
2008-07-24 02:17:29 0 d-------- C:\Documents and Settings\Admin\Application Data\Adobe
2008-07-23 16:31:33 0 d-------- C:\Documents and Settings\Admin\Application Data\Intuit
2008-07-23 16:31:33 0 d-------- C:\Documents and Settings\Admin\Application Data\Identities
2008-07-23 16:31:32 0 d--h----- C:\Documents and Settings\Admin\Templates
2008-07-23 16:31:32 0 dr------- C:\Documents and Settings\Admin\Start Menu
2008-07-23 16:31:32 0 dr-h----- C:\Documents and Settings\Admin\SendTo
2008-07-23 16:31:32 0 d--h----- C:\Documents and Settings\Admin\PrintHood
2008-07-23 16:31:32 0 d--h----- C:\Documents and Settings\Admin\NetHood
2008-07-23 16:31:32 0 dr------- C:\Documents and Settings\Admin\My Documents
2008-07-23 16:31:32 0 d--h----- C:\Documents and Settings\Admin\Local Settings
2008-07-23 16:31:32 0 dr------- C:\Documents and Settings\Admin\Favorites
2008-07-23 16:31:32 0 d-------- C:\Documents and Settings\Admin\Desktop
2008-07-23 16:31:32 0 d--hs---- C:\Documents and Settings\Admin\Cookies
2008-07-23 16:31:32 0 dr-h----- C:\Documents and Settings\Admin\Application Data
2008-07-23 16:31:32 0 d-------- C:\Documents and Settings\Admin\Application Data\Sony Corporation
2008-07-23 16:31:32 0 d-------- C:\Documents and Settings\Admin\Application Data\Macromedia
2008-07-23 16:31:31 1572864 --ah----- C:\Documents and Settings\Admin\NTUSER.DAT
2008-07-15 00:43:13 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-15 00:43:12 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-15 00:43:12 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-07-15 00:43:11 153088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-07-15 00:43:11 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-07-15 00:16:48 0 d--hs---- C:\WINDOWS\CSC


-- Find3M Report ---------------------------------------------------------------

2008-07-27 01:42:06 0 d-------- C:\Program Files\Common Files
2008-07-25 01:55:22 0 d-------- C:\Program Files\Windows Live Toolbar
2008-07-25 01:51:19 0 d-------- C:\Program Files\Google
2008-07-24 02:48:59 0 d-------- C:\Program Files\Trend Micro
2008-07-23 19:31:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-18 00:10:32 0 d-------- C:\Program Files\Yahoo!
2008-07-17 23:58:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-09 23:31:28 0 d-------- C:\Program Files\Feudalism_at
2008-06-14 22:31:33 0 d-------- C:\Program Files\The Basketball IntelliGym
2008-06-14 22:31:25 17408 --a------ C:\psapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-04 00:55:17 762 --a------ C:\WINDOWS\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 02:28 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/15/2006 08:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 06/20/2006 07:11 PM 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

*Newly Created Service* - SSMDRV



-- End of Deckard's System Scanner: finished at 2008-07-28 01:02:06 ------------

Kaspersky is too slow to start, with all its downloading of the file updates. Can I run another scanner?

Also, the computer is running well. I can't find the two vundos I had earlier using MBAM. Should I try a full scan with SUPERantispyware?

Thanks by the way, this is really appreciated.

#8 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

One thing that I notice is that you appear to have two AntiVirus programs now, Norton Internet Security Suite and AntiVir PersonalEdition Classic. This is a no-no! Having two AVs running can lead to false readings, and will use a lot of resources. I would recommend that you uninstall one of these.

Now if you are having problems with Kaspersky, let's see if you can run an F-Secure online scan:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the ActiveX control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient

Regards,
RatHat

#9 SequelPrequel (Topic Starter, Member, 22 posts)
I had some issues with Avira attempting to stop the scanner, then I realized I forgot to disable it. I was following your instructions and wasn't paying attention to notice it wasn't there. I had to stop the scanner, disable Avira, and then rescan. These components and downloads the online scanner performs are too LONG. That is what I meant about Kaspersky; F-Secure is even worse, with like 40MB of the files. I don't like that long pre-scan period. Hopefully there will be other scanners to use in the future that do not require this. Here are the results:


Scanning Report
Tuesday, July 29, 2008 03:20:04 - 11:46:38
Computer name: ZAINAB
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 31 malware found
Packed.Win32.PolyCrypt (virus)
System
Packed.Win32.PolyCrypt.h (virus)
C:\E6IEG.EXE
C:\FUFB6TQ3.CMD
Trojan-Downloader.Win32.Zlob.brn (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\087C60A9.DLL (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\442B5783.DLL (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\7D541304.DLL (Renamed & Submitted)
Trojan-PSW.Win32.OnLineGames (virus)
System
Trojan-PSW.Win32.OnLineGames.abab (virus)
C:\BQK.BAT
Trojan-PSW.Win32.OnLineGames.abdj (virus)
C:\X1DG.EXE
Trojan-PSW.Win32.OnLineGames.abvh (virus)
C:\0.COM
Trojan-PSW.Win32.OnLineGames.acbn (virus)
C:\8386NAC.COM
Trojan-PSW.Win32.OnLineGames.qxq (virus)
C:\8OT8Y86.EXE
Trojan-PSW.Win32.OnLineGames.upj (virus)
C:\AB.CMD
Trojan-PSW.Win32.OnLineGames.wdv (virus)
C:\TGTIGHG.CMD
Trojan-PSW.Win32.OnLineGames.wec (virus)
C:\AF9RGM8H.BAT
Trojan-PSW.Win32.OnLineGames.wjb (virus)
C:\GICCHK2S.EXE
Trojan-PSW.Win32.OnLineGames.wkz (virus)
C:\DIOX3J.COM
Trojan-PSW.Win32.OnLineGames.xkz (virus)
C:\OP.BAT
Trojan-PSW.Win32.OnLineGames.ysg (virus)
C:\LHWDCGCB.BAT
Trojan-PSW.Win32.OnLineGames.znd (virus)
C:\WKCAY8U.CMD
Trojan-PSW.Win32.OnLineGames.zrg (virus)
C:\MTLHIEEJ.CMD
Trojan-PSW.Win32.OnLineGames.zxc (virus)
C:\CO.COM
Trojan.Win32.Agent (virus)
System
Trojan.Win32.Agent.ema (virus)
C:\3G08.BAT
Trojan.Win32.Pakes (virus)
System
Trojan.Win32.Pakes.bxd (virus)
C:\G2P3S.EXE
Trojan.Win32.Vaklik (virus)
System
Trojan.Win32.Vaklik.yq (virus)
C:\ERMVU8.CMD
Trojan.Win32.Vaklik.zy (virus)
C:\6W1X.COM
Worm.Win32.AutoRun (virus)
System
Worm.Win32.AutoRun.cnz (virus)
C:\P3R1UD.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 38495
System: 4006
Not scanned: 10
Actions:
Disinfected: 0
Renamed: 3
Deleted: 0
None: 28
Submitted: 3
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{7D7D9080-3DE9-415D-A96F-01B90A22C26D}.BIN
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\66203EF6ED489D0FD4449601FA46AD7E_47834A79-C5FA-4386-AD08-101D0BF28D28

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Blacklight: 1.0.68
F-Secure Hydra: 2.8.8110, 2008-07-28
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure AVP: 7.0.171, 2008-07-28
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------
Thank you :)

Edited by SequelPrequel, 29 July 2008 - 04:27 PM.


#10 SequelPrequel (Topic Starter, Member, 22 posts)
I thought you should see this, I ran MBAM and it found over 30 infections:

Malwarebytes' Anti-Malware 1.23
Database version: 985
Windows 5.1.2600 Service Pack 2

7:22:53 PM 7/29/2008
mbam-log-7-29-2008 (19-22-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 97870
Time elapsed: 53 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP236\A0066229.com (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP236\A0066243.com (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP236\A0066251.exe (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP236\A0066268.com (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP237\A0066273.com (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP237\A0066295.exe (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP237\A0067207.com (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP237\A0067242.com (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP238\A0067332.com (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP238\A0067334.exe (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP238\A0068442.exe (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP238\A0068475.exe (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP238\A0068480.exe (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP241\A0068711.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP241\A0068716.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP241\A0068718.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP241\A0068842.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP242\A0068851.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP242\A0068856.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP242\A0068858.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP243\A0075067.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP243\A0075317.dll (Adware.Shopper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP243\A0076867.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP243\A0076868.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP243\A0076869.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP243\A0076885.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP243\A0076911.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP243\A0079784.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP243\A0079785.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP243\A0079786.com (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP247\A0081805.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP248\A0082855.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnllMDT.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.


#11 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

The files that MBAM found were either in the System Restore archive or in Combofix's quarantine, so nothing to be concerned about. Now let's check to make sure the files that F-Secure found are removed:


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\E6IEG.EXE
C:\FUFB6TQ3.CMD 
C:\BQK.BAT 
C:\X1DG.EXE 
C:\0.COM 
C:\8386NAC.COM 
C:\8OT8Y86.EXE 
C:\AB.CMD 
C:\TGTIGHG.CMD 
C:\AF9RGM8H.BAT 
C:\GICCHK2S.EXE 
C:\DIOX3J.COM 
C:\OP.BAT 
C:\LHWDCGCB.BAT 
C:\WKCAY8U.CMD 
C:\MTLHIEEJ.CMD 
C:\CO.COM 
C:\3G08.BAT 
C:\G2P3S.EXE 
C:\ERMVU8.CMD 
C:\6W1X.COM 
C:\P3R1UD.EXE


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.

6. Run DSS again and include the log in your next reply.

Regards,
RatHat

#12 SequelPrequel (Topic Starter, Member, 22 posts)
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 29, 2008 19:51:46
Records in database: 1023975
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 60626
Threat name: 32
Infected objects: 37
Suspicious objects: 0
Duration of the scan: 00:59:35


File name / Threat name / Threats count
C:\Documents and Settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.16203 Infected: Worm.Win32.AutoRun.ekv 1
C:\Documents and Settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.34955 Infected: Trojan.Win32.Vaklik.ye 1
C:\Documents and Settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.49458 Infected: Worm.Win32.AutoRun.eev 1
C:\Documents and Settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.50685 Infected: Trojan-PSW.Win32.OnLineGames.aofo 1
C:\Documents and Settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.53849 Infected: Trojan-GameThief.Win32.OnLineGames.sfnw 1
C:\Documents and Settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.77878 Infected: Trojan-PSW.Win32.OnLineGames.aaru 1
C:\Documents and Settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.91129 Infected: Trojan.Win32.Vaklik.bnx 1
C:\Documents and Settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.93556 Infected: Trojan-PSW.Win32.OnLineGames.ahep 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\087C60A9.0LL Infected: Trojan-Downloader.Win32.Zlob.brn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\442B5783.0LL Infected: Trojan-Downloader.Win32.Zlob.brn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7D541304.0LL Infected: Trojan-Downloader.Win32.Zlob.brn 1
C:\QooBox\Quarantine\C\0gjn3yw.exe.vir Infected: Trojan.Win32.Vaklik.bpw 1
C:\QooBox\Quarantine\C\2.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.ajso 1
C:\QooBox\Quarantine\C\31n3b2h.exe.vir Infected: Trojan.Win32.Vaklik.bts 1
C:\QooBox\Quarantine\C\90imhpnc.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.ambn 1
C:\QooBox\Quarantine\C\9mf.exe.vir Infected: Worm.Win32.AutoRun.dwj 1
C:\QooBox\Quarantine\C\br1e.com.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxtq 1
C:\QooBox\Quarantine\C\ffojc.com.vir Infected: Worm.Win32.AutoRun.eks 1
C:\QooBox\Quarantine\C\fi.cmd.vir Infected: Worm.Win32.AutoRun.ekv 1
C:\QooBox\Quarantine\C\k6wkwon2.exe.vir Infected: Trojan.Win32.Vaklik.brd 1
C:\QooBox\Quarantine\C\lgnaqil.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aiof 1
C:\QooBox\Quarantine\C\mka.bat.vir Infected: Worm.Win32.AutoRun.dnx 1
C:\QooBox\Quarantine\C\mp.cmd.vir Infected: Trojan.Win32.Vaklik.bok 1
C:\QooBox\Quarantine\C\n.com.vir Infected: Worm.Win32.AutoRun.ees 1
C:\QooBox\Quarantine\C\o.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.yxf 1
C:\QooBox\Quarantine\C\p0sc9t.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.alko 1
C:\QooBox\Quarantine\C\p1t.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.alyg 1
C:\QooBox\Quarantine\C\pkxfkrki.bat.vir Infected: Trojan.Win32.Vaklik.azs 1
C:\QooBox\Quarantine\C\s2vgyp.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.rxpb 1
C:\QooBox\Quarantine\C\sdc.bat.vir Infected: Trojan-PSW.Win32.Magania.rhb 1
C:\QooBox\Quarantine\C\uwlmj.com.vir Infected: Trojan.Win32.Vaklik.bbl 1
C:\QooBox\Quarantine\C\w2qagd.com.vir Infected: Trojan-PSW.Win32.OnLineGames.aijr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ckvo0.dll.vir Infected: Worm.Win32.AutoRun.ekv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ckvo1.dll.vir Infected: Worm.Win32.AutoRun.ekv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fbvuvfwv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.adpw 1
C:\QooBox\Quarantine\C\y.com.vir Infected: Trojan.Win32.Vaklik.boq 1
C:\QooBox\Quarantine\C\yp.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.alhw 1

The selected area was scanned.

#13 RatHat (Ex Malware Expert, 7,829 posts)
Everything is in Quarantined folders, so nothing to worry about.

Please run Combofix as outlined above, and post me its log and a fresh DSS log. Also let me know how your computer is behaving now.

Regards,
RatHat
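The triage rule RatHat applies in posts #11 and #13 (a hit inside a System Restore snapshot or a quarantine folder is already contained; only hits at live paths go into the CFScript File:: block), as an added Python example that is not part of the thread. The three report line shapes, the quarantine path markers and the sample lines are taken from the logs quoted above; the function and class names are my own.

```python
"""Triage scanner hits the way the thread's expert does in posts #11 and #13.

A hit whose path lies inside a System Restore snapshot (_restore{...}), ComboFix's
QooBox quarantine, or an AV / MBAM quarantine folder is already contained; only
hits at live paths need an entry in a ComboFix CFScript "File::" block.
Added example for this page (not a tool used in the thread); sample lines are
constructed from the reports quoted above.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Lower-cased path fragments that mark an already-contained location.
CONTAINED_MARKERS = (
    r"\system volume information\_restore",     # System Restore snapshots
    r"\qoobox\quarantine",                      # ComboFix quarantine
    r"\norton antivirus\quarantine",            # Norton quarantine
    r"\malwarebytes' anti-malware\quarantine",  # MBAM quarantine
)

# One pattern for the three line shapes seen in the thread:
#   F-Secure : <path>                       or <path> (Renamed & Submitted)
#   MBAM     : <path> (<threat>) -> <action>
#   Kaspersky: <path> Infected: <threat> <count>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)"
    r"(?:\s+\((?P<threat>[^)]+)\)\s*->\s*(?P<action>.*?)"
    r"|\s+Infected:\s+(?P<kthreat>\S+).*"
    r"|\s+\((?P<fsaction>Renamed[^)]*)\)"
    r"|)\s*$"
)
# F-Secure prints the threat name on its own line, before the paths it applies to.
FSECURE_NAME_RE = re.compile(r"^(?P<name>\S+)\s+\(virus\)\s*$")


@dataclass
class Detection:
    path: str
    threat: Optional[str]
    action: Optional[str]
    contained: bool


def is_contained(path: str) -> bool:
    """True if the path sits in a restore point or a quarantine folder."""
    lowered = path.lower()
    return any(marker in lowered for marker in CONTAINED_MARKERS)


def parse_detections(lines: Iterable[str]) -> List[Detection]:
    """Parse the detection section of an F-Secure, MBAM or Kaspersky report."""
    found: List[Detection] = []
    current_threat: Optional[str] = None  # carried from an F-Secure name line
    for raw in lines:
        line = raw.rstrip()
        # F-Secure's "Files not scanned" list follows "Statistics": not detections.
        if line.lower().startswith(("statistics", "files not scanned")):
            break
        name = FSECURE_NAME_RE.match(line)
        if name:
            current_threat = name.group("name")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        threat = m.group("threat") or m.group("kthreat") or current_threat
        action = m.group("action") or m.group("fsaction")
        path = m.group("path")
        found.append(Detection(path, threat, action, is_contained(path)))
    return found


def live_paths(detections: List[Detection]) -> List[str]:
    """Paths outside any quarantine, de-duplicated with order preserved."""
    result: List[str] = []
    for d in detections:
        if not d.contained and d.path not in result:
            result.append(d.path)
    return result


def cfscript(paths: List[str]) -> str:
    """Render the File:: block in the shape post #11 uses."""
    return "File::\n" + "\n".join(paths) + "\n"


# Constructed sample: lines taken from the three reports quoted in the thread.
SAMPLE_LINES = [
    r"Packed.Win32.PolyCrypt.h (virus)",
    r"C:\E6IEG.EXE",
    r"C:\FUFB6TQ3.CMD",
    r"Trojan-Downloader.Win32.Zlob.brn (virus)",
    r"C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\087C60A9.DLL (Renamed & Submitted)",
    r"Trojan.Win32.Vaklik.yq (virus)",
    r"C:\ERMVU8.CMD",
    r"C:\System Volume Information\_restore{98F833F7-368A-46D0-8190-E8CC52059E7E}\RP241\A0068711.dll (Trojan.Vundo) -> Quarantined and deleted successfully.",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\nnnllMDT.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.",
    r"C:\Documents and Settings\Admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.16203 Infected: Worm.Win32.AutoRun.ekv 1",
    r"C:\QooBox\Quarantine\C\2.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.ajso 1",
    "Statistics",
    r"C:\HIBERFIL.SYS",  # listed under "Files not scanned"; must be ignored
]

if __name__ == "__main__":
    dets = parse_detections(SAMPLE_LINES)
    for d in dets:
        print("contained" if d.contained else "LIVE     ", d.threat, d.path)
    print(cfscript(live_paths(dets)))
```

Feed it only the detection section of one report at a time; the `Statistics` stop is there because F-Secure's "Files not scanned" list also holds bare paths.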

#14 SequelPrequel (Topic Starter, Member, 22 posts)
ComboFix 08-07-25.4 - Admin 2008-07-30 2:39:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.543 [GMT -4:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\0.COM
C:\3G08.BAT
C:\6W1X.COM
C:\8386NAC.COM
C:\8OT8Y86.EXE
C:\AB.CMD
C:\AF9RGM8H.BAT
C:\BQK.BAT
C:\CO.COM
C:\DIOX3J.COM
C:\E6IEG.EXE
C:\ERMVU8.CMD
C:\FUFB6TQ3.CMD
C:\G2P3S.EXE
C:\GICCHK2S.EXE
C:\LHWDCGCB.BAT
C:\MTLHIEEJ.CMD
C:\OP.BAT
C:\P3R1UD.EXE
C:\TGTIGHG.CMD
C:\WKCAY8U.CMD
C:\X1DG.EXE
.

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-29 03:09 . 2008-07-29 03:09 <DIR> d-------- C:\fsaua.data
2008-07-27 02:36 . 2008-07-27 02:36 <DIR> d-------- C:\Program Files\Avira
2008-07-27 02:36 . 2008-07-27 02:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-25 02:12 . 2008-07-25 02:12 <DIR> d-------- C:\VundoFix Backups
2008-07-25 02:03 . 2008-07-25 02:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-25 02:03 . 2008-07-25 02:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-25 02:03 . 2008-07-25 02:03 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2008-07-25 01:58 . 2008-07-25 01:58 <DIR> dr-h----- C:\Documents and Settings\Admin\Application Data\yahoo!
2008-07-25 01:31 . 2008-07-25 01:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 01:31 . 2008-07-25 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 01:31 . 2008-07-25 01:31 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-07-25 01:31 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-25 01:31 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 11:08 . 2008-07-24 11:08 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-24 02:28 . 2008-07-25 01:19 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-07-24 01:52 . 2008-07-24 01:52 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-07-23 18:56 . 2008-07-23 18:56 <DIR> d-------- C:\Deckard
2008-07-23 16:31 . 2007-03-13 03:10 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Sony Corporation
2008-07-23 16:31 . 2007-03-13 03:25 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Intuit
2008-07-23 16:31 . 2008-07-27 02:44 <DIR> d-------- C:\Documents and Settings\Admin
2008-07-15 00:43 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-15 00:43 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-07-15 00:43 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-15 00:43 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-07-15 00:43 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-07-14 23:39 . 2006-03-15 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-28 10:44 . 2006-03-15 08:00 66,594 --a------ C:\WINDOWS\system32\c_864.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,594 --a------ C:\WINDOWS\system32\c_862.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,594 --a------ C:\WINDOWS\system32\c_720.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_708.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\C_28596.NLS
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_10021.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_10005.nls
2008-06-28 10:44 . 2006-03-15 08:00 66,082 --a------ C:\WINDOWS\system32\c_10004.nls
2008-06-26 20:59 . 2008-07-09 23:31 <DIR> d-------- C:\Program Files\Feudalism_at
2008-06-20 17:06 . 2008-06-25 15:07 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-06-20 13:41 . 2008-06-20 13:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 06:44 . 2008-06-20 06:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-14 18:18 . 2008-06-14 22:31 <DIR> d-------- C:\Program Files\The Basketball IntelliGym
2008-06-14 18:17 . 2008-06-14 22:31 17,408 --a------ C:\psapi.dll
2008-06-11 05:52 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:52 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 09:56 . 2008-03-04 08:29 327,680 --a------ C:\WINDOWS\system32\TwcToolbarIe7.dll
2008-06-10 09:56 . 2008-03-04 08:25 98,304 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll
2008-06-10 09:56 . 2007-12-03 11:36 25,600 --a------ C:\WINDOWS\system32\TwcToolInstDll.dll
2008-06-04 00:35 . 2008-06-04 00:55 762 --a------ C:\WINDOWS\eReg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-29 07:07 --------- d-----w C:\Program Files\Sony
2008-07-29 07:06 --------- d-----w C:\Program Files\Viewpoint
2008-07-29 07:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-25 05:55 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-25 05:51 --------- d-----w C:\Program Files\Google
2008-07-24 06:48 --------- d-----w C:\Program Files\Trend Micro
2008-07-23 23:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-18 04:10 --------- d-----w C:\Program Files\Yahoo!
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-02 22:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-26_ 1.54.34.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-27 19:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 19:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 20:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 19:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2008-05-09 17:15:51 45,376 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 22:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-06-27 19:03:55 75,072 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 14:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
+ 2008-07-28 04:46:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 19:11 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-26 10:10 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 20:26]
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys [2006-02-21 22:32]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2005-07-14 23:10]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 20:23]

*Newly Created Service* - CATCHME
*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER
*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 22:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-02 21:11:03 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-10-02 21:08:20 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2008-03-30 13:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 02:41:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-30 2:42:48
ComboFix-quarantined-files.txt 2008-07-30 06:42:29
ComboFix2.txt 2008-07-27 05:48:06
ComboFix3.txt 2008-07-26 05:54:54

Pre-Run: 56,283,213,824 bytes free
Post-Run: 56,393,617,408 bytes free

185 --- E O F --- 2008-07-27 06:51:01

#15 SequelPrequel (Topic Starter, Member, 22 posts)
Deckard's System Scanner v20071014.68
Run by Admin on 2008-07-30 02:44:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:34 AM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Admin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zon...ot.cab57213.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - http://asp.mathxl.co.../MathPlayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 8078 bytes

-- Files created between 2008-06-30 and 2008-07-30 -----------------------------

2008-07-30 02:41:39 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-07-29 19:26:03 0 d-------- C:\Documents and Settings\Admin\Application Data\Sun
2008-07-29 03:09:40 0 d-------- C:\fsaua.data
2008-07-27 02:44:47 0 dr-h----- C:\Documents and Settings\Admin\Recent
2008-07-27 02:36:14 0 d-------- C:\Program Files\Avira
2008-07-27 02:36:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-26 01:42:53 0 d-------- C:\cmdcons
2008-07-26 01:41:41 68096 --a------ C:\WINDOWS\zip.exe
2008-07-26 01:41:41 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-26 01:41:41 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-26 01:41:41 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-26 01:41:41 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-26 01:41:41 98816 --a------ C:\WINDOWS\sed.exe
2008-07-26 01:41:41 80412 --a------ C:\WINDOWS\grep.exe
2008-07-26 01:41:41 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-25 02:12:06 0 d-------- C:\VundoFix Backups
2008-07-25 02:03:28 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-25 02:03:09 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-25 02:03:09 0 d-------- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2008-07-25 01:58:48 0 dr-h----- C:\Documents and Settings\Admin\Application Data\yahoo!
2008-07-25 01:57:51 0 d-------- C:\Documents and Settings\Admin\Application Data\Real
2008-07-25 01:49:41 0 d-------- C:\Documents and Settings\Admin\Application Data\Google
2008-07-25 01:46:16 0 d-------- C:\Program Files\msn gaming zone
2008-07-25 01:31:57 0 d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-07-25 01:31:45 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 01:31:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 11:08:22 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-24 02:28:01 0 d-------- C:\Program Files\RogueRemover FREE
2008-07-24 02:21:29 0 d-------- C:\WINDOWS\pss
2008-07-24 02:17:29 0 d-------- C:\Documents and Settings\Admin\Application Data\Adobe
2008-07-23 16:31:33 0 d-------- C:\Documents and Settings\Admin\Application Data\Intuit
2008-07-23 16:31:33 0 d-------- C:\Documents and Settings\Admin\Application Data\Identities
2008-07-23 16:31:32 0 d--h----- C:\Documents and Settings\Admin\Templates
2008-07-23 16:31:32 0 dr------- C:\Documents and Settings\Admin\Start Menu
2008-07-23 16:31:32 0 dr-h----- C:\Documents and Settings\Admin\SendTo
2008-07-23 16:31:32 0 d--h----- C:\Documents and Settings\Admin\PrintHood
2008-07-23 16:31:32 0 d--h----- C:\Documents and Settings\Admin\NetHood
2008-07-23 16:31:32 0 dr------- C:\Documents and Settings\Admin\My Documents
2008-07-23 16:31:32 0 d--h----- C:\Documents and Settings\Admin\Local Settings
2008-07-23 16:31:32 0 dr------- C:\Documents and Settings\Admin\Favorites
2008-07-23 16:31:32 0 d-------- C:\Documents and Settings\Admin\Desktop
2008-07-23 16:31:32 0 d--hs---- C:\Documents and Settings\Admin\Cookies
2008-07-23 16:31:32 0 dr-h----- C:\Documents and Settings\Admin\Application Data
2008-07-23 16:31:32 0 d-------- C:\Documents and Settings\Admin\Application Data\Sony Corporation
2008-07-23 16:31:32 0 d-------- C:\Documents and Settings\Admin\Application Data\Macromedia
2008-07-23 16:31:31 1572864 --ah----- C:\Documents and Settings\Admin\NTUSER.DAT
2008-07-15 00:43:13 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-15 00:43:12 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-15 00:43:12 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-07-15 00:43:11 153088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-07-15 00:43:11 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-07-15 00:16:48 0 d--hs---- C:\WINDOWS\CSC


-- Find3M Report ---------------------------------------------------------------

2008-07-30 02:41:07 0 d-------- C:\Program Files\Common Files
2008-07-29 03:07:20 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-29 03:07:19 0 d-------- C:\Program Files\Sony
2008-07-29 03:06:13 0 d-------- C:\Program Files\Viewpoint
2008-07-29 03:04:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-25 01:55:22 0 d-------- C:\Program Files\Windows Live Toolbar
2008-07-25 01:51:19 0 d-------- C:\Program Files\Google
2008-07-24 02:48:59 0 d-------- C:\Program Files\Trend Micro
2008-07-23 19:31:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-18 00:10:32 0 d-------- C:\Program Files\Yahoo!
2008-07-09 23:31:28 0 d-------- C:\Program Files\Feudalism_at
2008-06-14 22:31:33 0 d-------- C:\Program Files\The Basketball IntelliGym
2008-06-14 22:31:25 17408 --a------ C:\psapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-04 00:55:17 762 --a------ C:\WINDOWS\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 02:28 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/15/2006 08:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 06/20/2006 07:11 PM 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

*Newly Created Service* - CATCHME
*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER
*Newly Created Service* - SSMDRV



-- End of Deckard's System Scanner: finished at 2008-07-30 02:44:52 ------------