Is the Vundo virus still on laptop?


Post by Miker » July 26th, 2008, 7:16 am

Last week I ran a full Norton scan of my son's Acer laptop and found 15 copies of Vundo and VundoB plus an infostealer. Another full scan found 2 copies of Vundo. Then I ran the Norton Vundo removal tool twice, the second time in safe mode, and both times got "The log could not be created. Trojan Vundo has not been found on your computer". A full Norton scan also found nothing. Later, on advice from the PC Advisor Helproom forum, I downloaded VundoFix onto my own PC and copied it across to the laptop by CD. It found 7 copies of Vundo. I also ran VirtumundoBegone, which crashed with a blue screen. These runs were done with system restore turned off.
I was also advised by the Helproom to run HijackThis. Instead I ran EasySpyRemover, being confused by the online ad, and was advised that I shouldn't have done that.
I should add that after running the above software, on loading some of the users I got a message "Error loading C\Windows\System32\ddabc.dll ...could not be found". I've also had dueqshqf.dll, which then went away, or was masked by the other one. The affected users seemed to run OK. Subsequently I deleted and re-set up the affected users and have not had any repeat of the message.
Helproom have advised me to run HiJackThis and send you the log which is below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:52:07, on 25/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\IRReceive.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\ifcrkcuk.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: (no name) - {6C0A4F2F-6A2B-41BD-B92F-CE33A8E03C1E} - C:\Documents and Settings\DAVID\Local Settings\Temporary Internet Files\Content.IE5\6JK7A583\3077ahntdksr[1].dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8B9743C1-9AB4-41A4-8AC7-B23AA84E58C0} - C:\WINDOWS\system32\ddcApNDU.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {199d8100-bc29-fc0b-cd74-132c2e04d96d} - {d69d40e2-c231-47dc-b0cf-92cb0018d991} - C:\WINDOWS\system32\jgpztz.dll
O2 - BHO: (no name) - {D758C006-6F2B-4FBB-834D-609BD6FC7078} - C:\WINDOWS\system32\ddabc.dll (file missing)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [1d0f117a] rundll32.exe "C:\WINDOWS\system32\gmrgocyw.dll",b
O4 - HKLM\..\Run: [IRReceive] C:\WINDOWS\system32\IRReceive.exe
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [BM1e3c22e6] Rundll32.exe "C:\WINDOWS\system32\tpbxafxt.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?4082c65fcdde43018626f68d2c7630c1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?4082c65fcdde43018626f68d2c7630c1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b57176.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0044600.dat
O20 - Winlogon Notify: cbxxxxy - cbxxxxy.dll (file missing)
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10119 bytes
Miker
Active Member
 
Posts: 12
Joined: July 26th, 2008, 6:30 am

Re: Is the Vundo virus still on laptop?

Post by random/random » July 26th, 2008, 7:51 am

You are running a P2P filesharing programme.
  • Many of these programmes come with unwanted components bundled with them.
  • If you wish to find out whether the one you're using does click here.
Please note: Even if you are using a "safe" P2P programme, it is only the programme that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.


Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

My recommendation is you uninstall all P2P programs

We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the combofix log and a new HijackThis log as a reply to this topic.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm
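The reply above picks the LimeWire startup entry out of the HijackThis log by eye. As an added illustration (not code from MalwareRemoval.com, HijackThis or ComboFix), the Python below applies the same kind of triage to a constructed handful of lines in the log's format: orphaned "(file missing)" hooks, BHOs with no display name, rundll32 loading a system32 DLL through a single-letter entry point, AppInit_DLLs and Winlogon Notify entries, and a P2P client in startup. The P2P name list and the "random-looking name" heuristic are assumptions, not anything the thread states.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis v2 log format, modelled on the line shapes in the
# posted log (a handful of lines, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\ifcrkcuk.dll (file missing)
O2 - BHO: {199d8100-bc29-fc0b-cd74-132c2e04d96d} - {d69d40e2-c231-47dc-b0cf-92cb0018d991} - C:\WINDOWS\system32\jgpztz.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [1d0f117a] rundll32.exe "C:\WINDOWS\system32\gmrgocyw.dll",b
O4 - HKLM\..\Run: [BM1e3c22e6] Rundll32.exe "C:\WINDOWS\system32\tpbxafxt.dll",s
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0044600.dat
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed, illustrative list of P2P client names to look for in startup entries.
P2P_CLIENTS = ("limewire", "frostwire", "kazaa", "emule", "bearshare", "ares")

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
BHO_NAME_RE = re.compile(r"^O2 - BHO: (.*?) - \{")
# rundll32 launching a DLL through a single-letter entry point, e.g. ...\x.dll",b
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^"]+?\.dll)"?,\s*([a-z])\s*$', re.I)
# A Windows path on the line, ending in one of the extensions seen in such logs.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:dll|exe|dat|ini|sys)\b", re.I)
# 5-8 lowercase letters and nothing else: weak on its own (msvcrt.dll and urlmon.dll
# also match), so it is reported only as a corroborating reason.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.dll$")


@dataclass
class Finding:
    line_no: int
    section: str          # HijackThis section, e.g. "O2", "O4", "O20"
    entry: str            # the raw log line
    reasons: List[str] = field(default_factory=list)


def analyse_line(line: str) -> List[str]:
    """Return the reasons a single HijackThis line deserves a closer look (empty if none)."""
    reasons: List[str] = []
    section = line.split(" - ", 1)[0].strip()
    paths = PATH_RE.findall(line)
    path = paths[-1].lower() if paths else ""
    base = path.rsplit("\\", 1)[-1]
    lower = line.lower()

    if "(file missing)" in lower:
        reasons.append("entry points at a file that no longer exists (orphaned hook left behind)")

    if section == "O2":
        m = BHO_NAME_RE.match(line)
        name = m.group(1) if m else ""
        if name == "(no name)" or GUID_RE.match(name):
            reasons.append("browser helper object with no display name")

    if section == "O4":
        m = RUNDLL_RE.search(line)
        if m:
            reasons.append(f"rundll32 loads {m.group(1)} through single-letter entry point '{m.group(2)}'")
        if any(p2p in path for p2p in P2P_CLIENTS):
            reasons.append("P2P file-sharing client set to run at startup")

    if section == "O20":
        if "appinit_dlls:" in lower:
            reasons.append("AppInit_DLLs is set: this file is loaded into every process that loads user32.dll")
            if not base.endswith(".dll"):
                reasons.append(f"AppInit_DLLs target has a non-DLL extension ({base})")
        elif "winlogon notify:" in lower:
            reasons.append("Winlogon Notify package: loaded by winlogon.exe at logon")

    if "\\system32\\" in path and RANDOM_NAME_RE.match(base):
        reasons.append(f"random-looking DLL name in system32 ({base}); weak on its own")

    return reasons


def analyse_log(text: str) -> List[Finding]:
    """Run analyse_line over every non-empty line and keep those with at least one reason."""
    findings = []
    for n, raw in enumerate(text.strip().splitlines(), start=1):
        line = raw.strip()
        if line:
            reasons = analyse_line(line)
            if reasons:
                findings.append(Finding(n, line.split(" - ", 1)[0], line, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.section}] {f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

Lines with no reason (the Adobe BHO, ccApp and the NVIDIA service) are left out of the report, which is the point: the flagged entries are the ones a helper asks about first.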

Re: Is the Vundo virus still on laptop?

Post by Miker » July 27th, 2008, 5:14 am

I thought that I had better come back with a few questions before I run ComboFix. The Acer laptop does not have a Windows recovery disc as such. Instead there is a built-in Acer eRecovery management system. On delivery of the laptop I took a backup of various files as instructed, which I still have. The recovery instructions are on a 111-page PDF file on the laptop, which I have been unable to copy onto a CD. I assume that I will be able to get a copy on the internet if required but have not found it as yet. I will be running the infected laptop offline as I do not have a wireless connection at my own home. The laptop normally resides at my son's, some distance away.

I have downloaded combofix onto a CD. Will it be OK to run it offline on the laptop? Reading the instructions, I take it that I should delete Norton and turn off the Windows firewall. I didn't do this for any of the previous runs. Should I turn off the system recovery mode?

I have been unable to find any P2P programs that I recognise. They would have been used by the main user, my eldest grandson. He is into Runescape. There is something called gemmaster mystic.

Thank you for your help

Michael
Miker
Active Member
 
Posts: 12
Joined: July 26th, 2008, 6:30 am

Re: Is the Vundo virus still on laptop?

Post by random/random » July 27th, 2008, 6:57 am

> The Acer laptop does not have a Windows recovery disc as such. Instead there is a built-in Acer eRecovery management system

You still need to install the recovery console. Just follow the instruction after it says "If you use Windows XP and do not have the Windows CD".

> I have downloaded ComboFix onto a CD. Will it be OK to run it offline on the laptop?

Yes, it will run fine offline.

> Reading the instructions, I take it that I should delete Norton and turn off the Windows firewall.

You need to disable Norton, not delete it. You don't need to do anything to the Windows firewall, it won't interfere.

> Should I turn off the system recovery mode?

No.

> I have been unable to find any P2P programs that I recognise. They would have been used by the main user, my eldest grandson. He is into Runescape. There is something called gemmaster mystic.

I see LimeWire installed.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Is the Vundo virus still on laptop?

Post by Miker » July 27th, 2008, 2:00 pm

Sorry to come back again, but I have poked around Norton Internet Security 2008 and can't find a way of disabling it, as I could with previous versions. I am happy to delete it and reinstall later. The laptop will not be used online in the interim as the family are on a two-week holiday, leaving me to attempt to get the laptop up and running again.
I could not find LimeWire in the Remove Programs screen. Could it have gone when I deleted my grandson's user? I have deleted all references to it and run a search looking for LimeWire, which came back with nothing found.
Miker
Active Member
 
Posts: 12
Joined: July 26th, 2008, 6:30 am

Re: Is the Vundo virus still on laptop?

Post by random/random » July 27th, 2008, 3:02 pm

It's possible that LimeWire got removed. If you can't see how to disable Norton, you can just skip disabling it.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Is the Vundo virus still on laptop?

Post by Miker » July 28th, 2008, 12:26 pm

Reading the ComboFix instructions about Windows recovery, it looks as though I need to have the laptop online to download from Microsoft. I had planned to run it offline via a CD copy. As I haven't a wireless link at home, I will have to visit my son's house, which I will not be able to do before tomorrow or Wednesday. I will come back when I am able to run ComboFix.
Miker
Active Member
 
Posts: 12
Joined: July 26th, 2008, 6:30 am

Re: Is the Vundo virus still on laptop?

Post by random/random » July 28th, 2008, 4:14 pm

You should be able to download the file and then transfer it to the infected computer.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Is the Vundo virus still on laptop?

Post by Miker » July 29th, 2008, 11:26 am

I'm sorry, but this is starting to flummox me. I assume that prior to running ComboFix I should be installing a Windows recovery console, where I do not have a Windows CD (other than the Acer eRecovery stuff mentioned earlier). I've looked in http://support.microsoft.com/kb/310994 and under downloads it says that a floppy disk reader is required. Should I just ignore this and download onto a CD for transfer to the laptop, and assume that ComboFix will sort it all out? There is information about downloading Windows XP Update SP3 on CD, but this does not seem to me to be what is wanted.
I should add that my desktop is running under Vista.
Miker
Active Member
 
Posts: 12
Joined: July 26th, 2008, 6:30 am

Re: Is the Vundo virus still on laptop?

Post by random/random » July 29th, 2008, 3:59 pm

> Should I just ignore this and download onto a CD for transfer to the laptop, and assume that ComboFix will sort it all out?

Yes, that's correct.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Is the Vundo virus still on laptop?

Post by Miker » July 30th, 2008, 7:52 am

ComboFix log below:
ComboFix 08-07-26.1 - DAVID 2008-07-30 11:16:38.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.600 [GMT 1:00]
Running from: C:\Documents and Settings\DAVID\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DAVID\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\reuqoqbl.dll
C:\WINDOWS\system32\rjrojgdj.ini
C:\WINDOWS\system32\rkokvjdr.ini
C:\WINDOWS\system32\rqegcged.ini
C:\WINDOWS\system32\rrvptokd.ini
C:\WINDOWS\system32\rshuarmq.dll
C:\WINDOWS\system32\rwejwh.dll
C:\WINDOWS\system32\rxguemca.ini
C:\WINDOWS\system32\rxhafjrk.ini
C:\WINDOWS\system32\rxixiipj.dll
C:\WINDOWS\system32\salrnmpj.dll
C:\WINDOWS\system32\sbwhigrt.ini
C:\WINDOWS\system32\shpylskp.dll
C:\WINDOWS\system32\shyfkosu.dll
C:\WINDOWS\system32\sibmgcjj.ini
C:\WINDOWS\system32\sigfpprh.dll
C:\WINDOWS\system32\sjlgacjf.dll
C:\WINDOWS\system32\slxyobij.ini
C:\WINDOWS\system32\sntqvere.dll
C:\WINDOWS\system32\solxwooy.dll
C:\WINDOWS\system32\sptosthb.ini
C:\WINDOWS\system32\srauheod.ini
C:\WINDOWS\system32\sreqxh.dll
C:\WINDOWS\system32\srfqesqw.ini
C:\WINDOWS\system32\srohsbnk.dll
C:\WINDOWS\system32\sthfddto.ini
C:\WINDOWS\system32\swaccdnm.dll
C:\WINDOWS\system32\swfsbptd.ini
C:\WINDOWS\system32\sxcbluaa.ini
C:\WINDOWS\system32\sxdcve.dll
C:\WINDOWS\system32\SYaIRqss.ini
C:\WINDOWS\system32\SYaIRqss.ini2
C:\WINDOWS\system32\sylauqxe.ini
C:\WINDOWS\system32\tarxxgam.dll
C:\WINDOWS\system32\tavwymjd.ini
C:\WINDOWS\system32\tbkvwngl.ini
C:\WINDOWS\system32\tbrhvwuv.ini
C:\WINDOWS\system32\tcskjrrf.dll
C:\WINDOWS\system32\tcxmwgmk.dll
C:\WINDOWS\system32\tfioprkr.dll
C:\WINDOWS\system32\tgstofvh.ini
C:\WINDOWS\system32\timchfrd.ini
C:\WINDOWS\system32\tisbmdbh.ini
C:\WINDOWS\system32\tjbkavpt.ini
C:\WINDOWS\system32\tjejwmvd.dll
C:\WINDOWS\system32\tkqylrdj.ini
C:\WINDOWS\system32\tlhsxmvh.dll
C:\WINDOWS\system32\tlismbbl.ini
C:\WINDOWS\system32\tlpvvyem.ini
C:\WINDOWS\system32\tpbxafxt.dll
C:\WINDOWS\system32\tqksvpur.ini
C:\WINDOWS\system32\tqqoeftk.ini
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tstwa.tmp
C:\WINDOWS\system32\ttouvcnc.ini
C:\WINDOWS\system32\tuixnqhv.ini
C:\WINDOWS\system32\tyhciaxo.dll
C:\WINDOWS\system32\uadpdcoe.ini
C:\WINDOWS\system32\ubjfjuut.ini
C:\WINDOWS\system32\ucewku.dll
C:\WINDOWS\system32\ucokjlct.ini
C:\WINDOWS\system32\udcbxysx.ini
C:\WINDOWS\system32\UDcJlUtv.ini
C:\WINDOWS\system32\UDcJlUtv.ini2
C:\WINDOWS\system32\ufnvulqh.dll
C:\WINDOWS\system32\ufysguie.dll
C:\WINDOWS\system32\ugklbggn.dll
C:\WINDOWS\system32\uklwfufe.dll
C:\WINDOWS\system32\ukylbmgh.ini
C:\WINDOWS\system32\ulrjjnjd.ini
C:\WINDOWS\system32\umtclrmh.dll
C:\WINDOWS\system32\uniulenc.dll
C:\WINDOWS\system32\unyfkywf.dll
C:\WINDOWS\system32\uokugwbp.ini
C:\WINDOWS\system32\uqurtgeq.ini
C:\WINDOWS\system32\utqnqwwe.ini
C:\WINDOWS\system32\uupatejd.dll
C:\WINDOWS\system32\uwdfriry.dll
C:\WINDOWS\system32\uwxtxiyy.ini
C:\WINDOWS\system32\uxafodmo.ini
C:\WINDOWS\system32\uyncio.dll
C:\WINDOWS\system32\vctmwnia.dll
C:\WINDOWS\system32\VEdfPqss.ini
C:\WINDOWS\system32\VEdfPqss.ini2
C:\WINDOWS\system32\vfbyxhmf.dll
C:\WINDOWS\system32\vgqsjpay.ini
C:\WINDOWS\system32\vgxfrcen.ini
C:\WINDOWS\system32\vkgdjb.dll
C:\WINDOWS\system32\vlelmtjx.ini
C:\WINDOWS\system32\vlqjsoqv.ini
C:\WINDOWS\system32\vnlrhrep.dll
C:\WINDOWS\system32\vrybejhl.dll
C:\WINDOWS\system32\vsdaxsnn.dll
C:\WINDOWS\system32\vssgyjai.dll
C:\WINDOWS\system32\vwaxwado.ini
C:\WINDOWS\system32\vwijxyqr.ini
C:\WINDOWS\system32\vxrebxst.ini
C:\WINDOWS\system32\wadxvnlk.ini
C:\WINDOWS\system32\WaGhRtwa.ini
C:\WINDOWS\system32\WaGhRtwa.ini2
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wbbqlagl.ini
C:\WINDOWS\system32\wefvpfhq.dll
C:\WINDOWS\system32\wgcylrex.dll
C:\WINDOWS\system32\WGfeLRqr.ini
C:\WINDOWS\system32\WGfeLRqr.ini2
C:\WINDOWS\system32\whhgyvdf.dll
C:\WINDOWS\system32\wkjqonid.ini
C:\WINDOWS\system32\wkmuilvh.dll
C:\WINDOWS\system32\wktkrjki.ini
C:\WINDOWS\system32\woerpoka.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wpekulmk.dll
C:\WINDOWS\system32\wssdkvma.dll
C:\WINDOWS\system32\wswmxwxn.ini
C:\WINDOWS\system32\wteglaqp.ini
C:\WINDOWS\system32\wtgrjpcp.dll
C:\WINDOWS\system32\wuuhcstt.dll
C:\WINDOWS\system32\wvphuxja.dll
C:\WINDOWS\system32\wxlnyspn.ini
C:\WINDOWS\system32\wxytgpno.ini
C:\WINDOWS\system32\wycogrmg.ini
C:\WINDOWS\system32\xcpboccv.ini
C:\WINDOWS\system32\xerlycgw.ini
C:\WINDOWS\system32\xfmicbrl.ini
C:\WINDOWS\system32\xftnatmw.dll
C:\WINDOWS\system32\xglfrc.dll
C:\WINDOWS\system32\xhmnxudg.ini
C:\WINDOWS\system32\xhtdpxvg.dll
C:\WINDOWS\system32\xixkmylj.dll
C:\WINDOWS\system32\xjpvydfx.ini
C:\WINDOWS\system32\xkoqcj.dll
C:\WINDOWS\system32\xlkstoqu.ini
C:\WINDOWS\system32\xmbfqjrl.dll
C:\WINDOWS\system32\xmfoaxbx.ini
C:\WINDOWS\system32\xnrwshuv.ini
C:\WINDOWS\system32\xodidgsb.ini
C:\WINDOWS\system32\xottmqxj.ini
C:\WINDOWS\system32\xswrsgip.ini
C:\WINDOWS\system32\xumvfbib.ini
C:\WINDOWS\system32\xvekslcb.dll
C:\WINDOWS\system32\xvslhlfi.ini
C:\WINDOWS\system32\xxfymqdc.ini
C:\WINDOWS\system32\xxqffbly.ini
C:\WINDOWS\system32\yafbbjdv.ini
C:\WINDOWS\system32\yaisvaao.dll
C:\WINDOWS\system32\yfoxdfir.dll
C:\WINDOWS\system32\ygjoxpih.ini
C:\WINDOWS\system32\yhreskrd.dll
C:\WINDOWS\system32\yiyyfdbd.dll
C:\WINDOWS\system32\ykvxujot.dll
C:\WINDOWS\system32\yospwmbl.dll
C:\WINDOWS\system32\yptpxhqy.ini
C:\WINDOWS\system32\yqqxyqvb.ini
C:\WINDOWS\system32\yrmpqeee.dll
C:\WINDOWS\system32\yrwbkabb.ini
C:\WINDOWS\system32\yummfijv.ini
C:\WINDOWS\system32\yvvjodji.dll
C:\WINDOWS\system32\ywoyybmx.dll
C:\WINDOWS\system32\ywxsbshg.ini
C:\WINDOWS\system32\yxtunyfa.dll
C:\WINDOWS\system32\yyoqsltj.dll
C:\WINDOWS\system32\yyvngkcu.dll
C:\WINDOWS\system32\znpyjq.dll
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-30 11:24 . 2008-07-30 11:24 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-07-30 10:37 . 2008-07-30 10:37 <DIR> d--hs---- C:\FOUND.064
2008-07-25 21:47 . 2008-07-25 21:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 17:46 . 2008-07-25 17:46 <DIR> d-------- C:\Program Files\Easy SpyRemover
2008-07-25 16:55 . 2006-08-18 22:50 <DIR> d-------- C:\Documents and Settings\NICOLA\iss
2008-07-25 16:55 . 2008-07-25 16:55 <DIR> d-------- C:\Documents and Settings\NICOLA\Application Data\Symantec
2008-07-25 16:55 . 2008-07-25 16:55 <DIR> d-------- C:\Documents and Settings\NICOLA\Application Data\ArcSoft
2008-07-25 16:55 . 2006-08-18 22:49 <DIR> d-------- C:\Documents and Settings\NICOLA\Application Data\Acer
2008-07-25 16:55 . 2008-07-25 16:55 <DIR> d-------- C:\Documents and Settings\NICOLA
2008-07-25 16:45 . 2008-07-25 16:45 <DIR> d-------- C:\Documents and Settings\MATTHEW\Application Data\Symantec
2008-07-25 16:44 . 2008-07-25 16:45 <DIR> d-------- C:\Documents and Settings\MATTHEW\Application Data\ArcSoft
2008-07-25 16:43 . 2006-08-18 22:50 <DIR> d-------- C:\Documents and Settings\MATTHEW\iss
2008-07-25 16:43 . 2006-08-18 22:49 <DIR> d-------- C:\Documents and Settings\MATTHEW\Application Data\Acer
2008-07-25 16:43 . 2008-07-25 16:43 <DIR> d-------- C:\Documents and Settings\MATTHEW
2008-07-25 16:18 . 2006-08-18 22:50 <DIR> d-------- C:\Documents and Settings\BETH\iss
2008-07-25 16:18 . 2008-07-25 16:18 <DIR> d-------- C:\Documents and Settings\BETH\Application Data\Symantec
2008-07-25 16:18 . 2008-07-25 16:18 <DIR> d-------- C:\Documents and Settings\BETH\Application Data\ArcSoft
2008-07-25 16:18 . 2006-08-18 22:49 <DIR> d-------- C:\Documents and Settings\BETH\Application Data\Acer
2008-07-25 16:18 . 2008-07-25 16:18 <DIR> d-------- C:\Documents and Settings\BETH
2008-07-25 15:58 . 2008-07-25 15:58 <DIR> d-------- C:\Program Files\Access Boss 3
2008-07-25 14:55 . 2006-08-18 21:40 <DIR> d-------- C:\Documents and Settings\BETH(2)\Templates(2)
2008-07-25 14:55 . 2006-08-18 21:40 <DIR> d--h----- C:\Documents and Settings\BETH(2)\Local Settings(2)
2008-07-25 14:55 . 2006-08-18 21:40 <DIR> d--h----- C:\Documents and Settings\BETH(2)\Application Data(2)
2008-07-25 14:55 . 2008-07-25 14:55 <DIR> d---s---- C:\Documents and Settings\BETH(2)
2008-07-25 13:19 . 2006-08-18 21:40 <DIR> d-------- C:\Documents and Settings\Nicola(2)\Templates(2)
2008-07-25 13:19 . 2006-08-18 21:40 <DIR> d-------- C:\Documents and Settings\Nicola(2)\Local Settings(2)
2008-07-25 13:19 . 2006-08-18 21:40 <DIR> d--h----- C:\Documents and Settings\Nicola(2)\Application Data(2)
2008-07-25 13:19 . 2008-07-25 13:19 <DIR> d---s---- C:\Documents and Settings\Nicola(2)
2008-07-25 09:30 . 2008-07-25 09:30 <DIR> d-------- C:\VundoFix Backups
2008-07-23 22:47 . 2008-07-23 22:47 <DIR> d--hs---- C:\FOUND.063
2008-07-23 21:31 . 2008-07-30 10:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-23 21:31 . 2008-07-23 21:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-23 21:30 . 2008-07-23 21:30 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-07-23 21:29 . 2008-07-23 21:29 <DIR> d-------- C:\Program Files\ArcSoft
2008-07-23 12:28 . 2008-07-23 12:28 <DIR> d--hs---- C:\FOUND.062
2008-07-23 12:21 . 2008-07-23 12:21 <DIR> d-------- C:\Documents and Settings\DAVID\Application Data\ArcSoft
2008-07-23 12:21 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-07-23 12:20 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-07-23 12:17 . 2008-07-23 12:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2008-07-23 12:17 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\MPE.sys
2008-07-23 12:17 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\dllcache\mpe.sys
2008-07-23 12:16 . 2007-03-15 18:51 227,072 -ra------ C:\WINDOWS\system32\drivers\U6000ALL.sys
2008-07-23 12:16 . 2004-08-04 00:56 18,432 --a------ C:\WINDOWS\system32\dllcache\bdaplgin.ax
2008-07-23 12:16 . 2004-08-04 00:56 18,432 --a------ C:\WINDOWS\system32\BdaPlgIn.ax
2008-07-23 12:16 . 2004-08-03 23:10 11,776 --a------ C:\WINDOWS\system32\drivers\BdaSup.sys
2008-07-23 12:16 . 2004-08-03 23:10 11,776 --a------ C:\WINDOWS\system32\dllcache\bdasup.sys
2008-07-23 12:15 . 2008-07-23 12:15 <DIR> d-------- C:\Program Files\Mydrv
2008-07-22 23:12 . 2008-07-22 23:12 <DIR> d--hs---- C:\FOUND.061
2008-07-22 02:07 . 2008-07-23 10:47 2,386 ---hs---- C:\WINDOWS\system32\fqhsqeud.ini
2008-07-21 21:56 . 2008-07-21 21:56 <DIR> d--hs---- C:\FOUND.060
2008-07-21 02:08 . 2008-07-22 02:04 2,086 ---hs---- C:\WINDOWS\system32\qskxtxhv.ini
2008-07-20 02:07 . 2008-07-20 21:19 1,674 ---hs---- C:\WINDOWS\system32\wpkvqmao.ini
2008-07-19 16:00 . 2008-07-19 15:55 1,014 --ahs---- C:\WINDOWS\system32\wcthkjjs.ini
2008-07-19 15:41 . 2008-07-19 15:42 1,014 ---hs---- C:\WINDOWS\system32\wcthkjjs.tmp
2008-07-18 17:07 . 2008-07-18 17:07 1,439,094 ---hs---- C:\WINDOWS\system32\kwuwusev.tmp
2008-07-18 11:11 . 2008-07-18 11:11 <DIR> d--hs---- C:\FOUND.059
2008-07-18 10:36 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-10 03:51 . 2008-07-10 03:51 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-10 03:29 . 2008-07-10 03:29 <DIR> d--hs---- C:\FOUND.058
2008-07-08 18:51 . 2008-07-08 18:51 <DIR> d--hs---- C:\FOUND.057
2008-07-07 21:31 . 2008-07-07 21:31 <DIR> d--hs---- C:\FOUND.056
2008-07-07 16:24 . 2008-07-07 16:24 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-07 10:44 . 2008-07-07 10:44 <DIR> d--hs---- C:\FOUND.055
2008-07-06 00:33 . 2008-07-06 00:33 <DIR> d-------- C:\Program Files\CamStudio
2008-07-05 12:46 . 2008-07-05 12:46 <DIR> d--hs---- C:\FOUND.054
2008-07-02 01:36 . 2008-07-02 01:36 <DIR> d--hs---- C:\FOUND.053
2008-06-27 17:37 . 2008-06-27 17:37 111,168 --a------ C:\WINDOWS\system32\wmzkoh.dll
2008-06-27 17:37 . 2008-06-27 17:37 111,168 --a------ C:\WINDOWS\system32\aevrvfph.dll
2008-06-25 17:38 . 2008-06-25 17:38 111,680 --a------ C:\WINDOWS\system32\ferwpvhx.dll
2008-06-22 15:23 . 2008-07-30 10:42 110,350 --a------ C:\WINDOWS\BM1e3c22e6.xml
2008-06-22 15:22 . 2008-06-22 15:22 <DIR> d--hs---- C:\FOUND.052
2008-06-19 04:44 . 2008-06-19 04:44 <DIR> d--hs---- C:\FOUND.051
2008-06-13 14:45 . 2008-06-13 14:45 579,464 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-06-13 14:45 . 2008-06-13 14:45 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 14:13 . 2008-06-13 14:13 37,424 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-06-11 11:07 . 2008-06-11 11:07 <DIR> d-------- C:\Documents and Settings\DAVID\Application Data\Symantec
2008-06-11 11:04 . 2008-06-11 11:04 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-11 11:02 . 2008-06-11 11:02 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-06-11 11:00 . 2008-06-12 13:10 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-11 11:00 . 2008-06-12 13:10 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-11 11:00 . 2008-06-12 13:10 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-11 11:00 . 2008-06-12 13:10 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-10 13:10 . 2008-06-10 13:10 <DIR> d--hs---- C:\FOUND.050
2008-06-09 19:58 . 2008-06-09 19:58 <DIR> d--hs---- C:\FOUND.049
2008-06-08 23:05 . 2008-06-08 23:05 <DIR> d--hs---- C:\FOUND.048
2008-06-06 20:21 . 2008-06-06 20:21 <DIR> d--hs---- C:\FOUND.047
2008-06-04 15:17 . 2008-06-04 15:17 <DIR> d--hs---- C:\FOUND.046
2008-06-03 22:46 . 2008-06-03 22:46 <DIR> d--hs---- C:\FOUND.045

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 02:08 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-03 12:05 94,511 --sh--w C:\WINDOWS\system32\ppeauegi.tmp
2008-04-21 06:57 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 06:57 666,624 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-17 10:47 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 01:02 68856]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 05:58 7581696]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"IRReceive"="C:\WINDOWS\system32\IRReceive.exe" [2007-06-01 17:01 675913]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
TMMonitor.lnk - C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe [2008-07-23 21:29:59 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2006-01-23 12:41]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2006-01-23 12:41]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 12:20]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2006-06-23 10:40]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 U6000ALL;U6000 TV Box(ALL);C:\WINDOWS\system32\DRIVERS\U6000ALL.sys [2007-03-15 18:51]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2008-07-30 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - s!2C:\Program Files\Windows Live Toolbar\MSNTBUP.EXESYSTEM0< []
2008-07-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - :C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0 []
2008-07-14 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - DAVID.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 02:19]
2008-07-01 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - JAMES.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 02:19]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6C0A4F2F-6A2B-41BD-B92F-CE33A8E03C1E} - C:\Documents and Settings\DAVID\Local Settings\Temporary Internet Files\Content.IE5\6JK7A583\3077ahntdksr[1].dll
BHO-{8B9743C1-9AB4-41A4-8AC7-B23AA84E58C0} - C:\WINDOWS\system32\ddcApNDU.dll
BHO-{D758C006-6F2B-4FBB-834D-609BD6FC7078} - C:\WINDOWS\system32\ddabc.dll
HKLM-Run-1d0f117a - C:\WINDOWS\system32\gmrgocyw.dll
HKLM-Run-Easy SpyRemover - C:\Program Files\Easy SpyRemover\EasySpyRemover.exe
HKLM-Run-BM1e3c22e6 - C:\WINDOWS\system32\tpbxafxt.dll
Notify-ssqrq - C:\WINDOWS\system32\ssqrq.dll
Notify-cbxxxxy - cbxxxxy.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://en.uk.acer.yahoo.com/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://en.uk.acer.yahoo.com
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: Open in new background tab - C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?4082c65fcdde43018626f68d2c7630c1
O8 -: Open in new foreground tab - C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?4082c65fcdde43018626f68d2c7630c1


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 11:29:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-30 11:31:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-30 10:31:04

Pre-Run: 40,685,731,840 bytes free
Post-Run: 40,529,854,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

840 --- E O F --- 2008-07-23 09:49:11

HijackThis log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:28, on 30/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\IRReceive.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [IRReceive] C:\WINDOWS\system32\IRReceive.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?4082c65fcdde43018626f68d2c7630c1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?4082c65fcdde43018626f68d2c7630c1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b57176.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8983 bytes

On switching the laptop on this morning before loading ComboFix, I got a blue screen saying that there was a file inconsistency. This has happened frequently recently. Is this caused by the virus?

Got there at last, I hope. Thank you for your patience.
Miker
Active Member
 
Posts: 12
Joined: July 26th, 2008, 6:30 am

Re: Is the Vundo virus still on laptop?

Post by random/random » July 30th, 2008, 1:51 pm

Still a few bits to clear up

On switching the laptop on this morning before loading ComboFix, I got a blue screen saying that there was a file inconsistency. This has happened frequently recently. Is this caused by the virus?


It isn't a symptom that I've come across before, but it is possible. Is it still happening?

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    DirLook::
    C:\Program Files\Mydrv
    File::
    C:\WINDOWS\system32\fqhsqeud.ini
    C:\WINDOWS\system32\qskxtxhv.ini
    C:\WINDOWS\system32\wpkvqmao.ini
    C:\WINDOWS\system32\wcthkjjs.ini
    C:\WINDOWS\system32\wcthkjjs.tmp
    C:\WINDOWS\system32\kwuwusev.tmp
    C:\WINDOWS\system32\wmzkoh.dll
    C:\WINDOWS\system32\aevrvfph.dll
    C:\WINDOWS\system32\ferwpvhx.dll
    C:\WINDOWS\BM1e3c22e6.xml
    C:\WINDOWS\system32\ppeauegi.tmp
    
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Is the Vundo virus still on laptop?

Post by Miker » July 31st, 2008, 8:39 am

Old versions of Java deleted and latest installed.

Log of ComboFix below:

ComboFix 08-07-26.1 - DAVID 2008-07-31 12:32:23.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.566 [GMT 1:00]
Running from: C:\Documents and Settings\DAVID\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DAVID\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM1e3c22e6.xml
C:\WINDOWS\system32\aevrvfph.dll
C:\WINDOWS\system32\ferwpvhx.dll
C:\WINDOWS\system32\fqhsqeud.ini
C:\WINDOWS\system32\kwuwusev.tmp
C:\WINDOWS\system32\ppeauegi.tmp
C:\WINDOWS\system32\qskxtxhv.ini
C:\WINDOWS\system32\wcthkjjs.ini
C:\WINDOWS\system32\wcthkjjs.tmp
C:\WINDOWS\system32\wmzkoh.dll
C:\WINDOWS\system32\wpkvqmao.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM1e3c22e6.xml
C:\WINDOWS\system32\aevrvfph.dll
C:\WINDOWS\system32\ferwpvhx.dll
C:\WINDOWS\system32\fqhsqeud.ini
C:\WINDOWS\system32\kwuwusev.tmp
C:\WINDOWS\system32\ppeauegi.tmp
C:\WINDOWS\system32\qskxtxhv.ini
C:\WINDOWS\system32\wcthkjjs.ini
C:\WINDOWS\system32\wcthkjjs.tmp
C:\WINDOWS\system32\wmzkoh.dll
C:\WINDOWS\system32\wpkvqmao.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-31 12:32 . 2008-07-31 12:32 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-07-31 12:16 . 2008-07-31 12:16 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-31 12:16 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-30 11:24 . 2008-07-31 11:32 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-07-30 10:37 . 2008-07-30 10:37 <DIR> d--hs---- C:\FOUND.064
2008-07-25 21:47 . 2008-07-25 21:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 17:46 . 2008-07-25 17:46 <DIR> d-------- C:\Program Files\Easy SpyRemover
2008-07-25 16:55 . 2006-08-18 22:50 <DIR> d-------- C:\Documents and Settings\NICOLA\iss
2008-07-25 16:55 . 2008-07-25 16:55 <DIR> d-------- C:\Documents and Settings\NICOLA\Application Data\Symantec
2008-07-25 16:55 . 2008-07-25 16:55 <DIR> d-------- C:\Documents and Settings\NICOLA\Application Data\ArcSoft
2008-07-25 16:55 . 2006-08-18 22:49 <DIR> d-------- C:\Documents and Settings\NICOLA\Application Data\Acer
2008-07-25 16:55 . 2008-07-25 16:55 <DIR> d-------- C:\Documents and Settings\NICOLA
2008-07-25 16:45 . 2008-07-25 16:45 <DIR> d-------- C:\Documents and Settings\MATTHEW\Application Data\Symantec
2008-07-25 16:44 . 2008-07-25 16:45 <DIR> d-------- C:\Documents and Settings\MATTHEW\Application Data\ArcSoft
2008-07-25 16:43 . 2006-08-18 22:50 <DIR> d-------- C:\Documents and Settings\MATTHEW\iss
2008-07-25 16:43 . 2006-08-18 22:49 <DIR> d-------- C:\Documents and Settings\MATTHEW\Application Data\Acer
2008-07-25 16:43 . 2008-07-25 16:43 <DIR> d-------- C:\Documents and Settings\MATTHEW
2008-07-25 16:18 . 2006-08-18 22:50 <DIR> d-------- C:\Documents and Settings\BETH\iss
2008-07-25 16:18 . 2008-07-25 16:18 <DIR> d-------- C:\Documents and Settings\BETH\Application Data\Symantec
2008-07-25 16:18 . 2008-07-25 16:18 <DIR> d-------- C:\Documents and Settings\BETH\Application Data\ArcSoft
2008-07-25 16:18 . 2006-08-18 22:49 <DIR> d-------- C:\Documents and Settings\BETH\Application Data\Acer
2008-07-25 16:18 . 2008-07-25 16:18 <DIR> d-------- C:\Documents and Settings\BETH
2008-07-25 15:58 . 2008-07-25 15:58 <DIR> d-------- C:\Program Files\Access Boss 3
2008-07-25 14:55 . 2006-08-18 21:40 <DIR> d-------- C:\Documents and Settings\BETH(2)\Templates(2)
2008-07-25 14:55 . 2006-08-18 21:40 <DIR> d--h----- C:\Documents and Settings\BETH(2)\Local Settings(2)
2008-07-25 14:55 . 2006-08-18 21:40 <DIR> d--h----- C:\Documents and Settings\BETH(2)\Application Data(2)
2008-07-25 14:55 . 2008-07-25 14:55 <DIR> d---s---- C:\Documents and Settings\BETH(2)
2008-07-25 13:19 . 2006-08-18 21:40 <DIR> d-------- C:\Documents and Settings\Nicola(2)\Templates(2)
2008-07-25 13:19 . 2006-08-18 21:40 <DIR> d-------- C:\Documents and Settings\Nicola(2)\Local Settings(2)
2008-07-25 13:19 . 2006-08-18 21:40 <DIR> d--h----- C:\Documents and Settings\Nicola(2)\Application Data(2)
2008-07-25 13:19 . 2008-07-25 13:19 <DIR> d---s---- C:\Documents and Settings\Nicola(2)
2008-07-25 09:30 . 2008-07-25 09:30 <DIR> d-------- C:\VundoFix Backups
2008-07-23 22:47 . 2008-07-23 22:47 <DIR> d--hs---- C:\FOUND.063
2008-07-23 21:31 . 2008-07-31 11:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-23 21:31 . 2008-07-23 21:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-23 21:30 . 2008-07-23 21:30 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-07-23 21:29 . 2008-07-23 21:29 <DIR> d-------- C:\Program Files\ArcSoft
2008-07-23 12:28 . 2008-07-23 12:28 <DIR> d--hs---- C:\FOUND.062
2008-07-23 12:21 . 2008-07-23 12:21 <DIR> d-------- C:\Documents and Settings\DAVID\Application Data\ArcSoft
2008-07-23 12:21 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-07-23 12:20 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-07-23 12:17 . 2008-07-23 12:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2008-07-23 12:17 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\MPE.sys
2008-07-23 12:17 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\dllcache\mpe.sys
2008-07-23 12:16 . 2007-03-15 18:51 227,072 -ra------ C:\WINDOWS\system32\drivers\U6000ALL.sys
2008-07-23 12:16 . 2004-08-04 00:56 18,432 --a------ C:\WINDOWS\system32\dllcache\bdaplgin.ax
2008-07-23 12:16 . 2004-08-04 00:56 18,432 --a------ C:\WINDOWS\system32\BdaPlgIn.ax
2008-07-23 12:16 . 2004-08-03 23:10 11,776 --a------ C:\WINDOWS\system32\drivers\BdaSup.sys
2008-07-23 12:16 . 2004-08-03 23:10 11,776 --a------ C:\WINDOWS\system32\dllcache\bdasup.sys
2008-07-23 12:15 . 2008-07-23 12:15 <DIR> d-------- C:\Program Files\Mydrv
2008-07-22 23:12 . 2008-07-22 23:12 <DIR> d--hs---- C:\FOUND.061
2008-07-21 21:56 . 2008-07-21 21:56 <DIR> d--hs---- C:\FOUND.060
2008-07-18 11:11 . 2008-07-18 11:11 <DIR> d--hs---- C:\FOUND.059
2008-07-18 10:36 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-10 03:51 . 2008-07-10 03:51 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-10 03:29 . 2008-07-10 03:29 <DIR> d--hs---- C:\FOUND.058
2008-07-08 18:51 . 2008-07-08 18:51 <DIR> d--hs---- C:\FOUND.057
2008-07-07 21:31 . 2008-07-07 21:31 <DIR> d--hs---- C:\FOUND.056
2008-07-07 16:24 . 2008-07-07 16:24 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-07 10:44 . 2008-07-07 10:44 <DIR> d--hs---- C:\FOUND.055
2008-07-06 00:33 . 2008-07-06 00:33 <DIR> d-------- C:\Program Files\CamStudio
2008-07-05 12:46 . 2008-07-05 12:46 <DIR> d--hs---- C:\FOUND.054
2008-07-02 01:36 . 2008-07-02 01:36 <DIR> d--hs---- C:\FOUND.053
2008-06-22 15:22 . 2008-06-22 15:22 <DIR> d--hs---- C:\FOUND.052
2008-06-19 04:44 . 2008-06-19 04:44 <DIR> d--hs---- C:\FOUND.051
2008-06-13 14:45 . 2008-06-13 14:45 579,464 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-06-13 14:45 . 2008-06-13 14:45 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 14:13 . 2008-06-13 14:13 37,424 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-06-11 11:07 . 2008-06-11 11:07 <DIR> d-------- C:\Documents and Settings\DAVID\Application Data\Symantec
2008-06-11 11:04 . 2008-06-11 11:04 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-11 11:02 . 2008-06-11 11:02 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-06-11 11:00 . 2008-06-12 13:10 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-11 11:00 . 2008-06-12 13:10 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-11 11:00 . 2008-06-12 13:10 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-11 11:00 . 2008-06-12 13:10 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-10 13:10 . 2008-06-10 13:10 <DIR> d--hs---- C:\FOUND.050
2008-06-09 19:58 . 2008-06-09 19:58 <DIR> d--hs---- C:\FOUND.049
2008-06-08 23:05 . 2008-06-08 23:05 <DIR> d--hs---- C:\FOUND.048
2008-06-06 20:21 . 2008-06-06 20:21 <DIR> d--hs---- C:\FOUND.047
2008-06-04 15:17 . 2008-06-04 15:17 <DIR> d--hs---- C:\FOUND.046
2008-06-03 22:46 . 2008-06-03 22:46 <DIR> d--hs---- C:\FOUND.045

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 02:08 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-21 06:57 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 06:57 666,624 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-17 10:47 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\Mydrv ----

2007-06-02 06:26 1293 -r------- C:\Program Files\Mydrv\Drv setup.xml
2007-05-27 22:27 10926 -r------- C:\Program Files\Mydrv\x64\U6000all.cat
2007-05-27 22:27 10926 -r------- C:\Program Files\Mydrv\U6000all.cat
2007-05-21 18:11 6388 -r------- C:\Program Files\Mydrv\x64\U6000ALL.inf
2007-05-21 18:10 6388 -r------- C:\Program Files\Mydrv\U6000ALL.inf
2007-03-15 18:52 272000 -r------- C:\Program Files\Mydrv\x64\U6000ALL.sys
2007-03-15 18:51 227072 -r------- C:\Program Files\Mydrv\U6000ALL.sys
2007-01-22 15:09 36864 --a------ C:\Program Files\Mydrv\RmDrv.exe
2007-01-22 15:07 36864 --a------ C:\Program Files\Mydrv\Drv setup.exe
2006-12-20 11:13 951 -r------- C:\Program Files\Mydrv\RmDrv.xml
2006-12-19 20:41 90112 --a------ C:\Program Files\Mydrv\RmDrv.dll
2002-02-07 04:41 1229312 -r------- C:\Program Files\Mydrv\msxml4.dll
2002-02-07 04:35 82432 -r------- C:\Program Files\Mydrv\msxml4r.dll


((((((((((((((((((((((((((((( snapshot@2008-07-30_11.30.41.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-22 00:23:36 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 00:21:02 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 00:23:40 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 00:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 01:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 01:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 01:02 68856]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 05:58 7581696]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"IRReceive"="C:\WINDOWS\system32\IRReceive.exe" [2007-06-01 17:01 675913]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
TMMonitor.lnk - C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe [2008-07-23 21:29:59 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2006-01-23 12:41]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2006-01-23 12:41]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 12:20]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2006-06-23 10:40]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 U6000ALL;U6000 TV Box(ALL);C:\WINDOWS\system32\DRIVERS\U6000ALL.sys [2007-03-15 18:51]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2008-07-31 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - s!2C:\Program Files\Windows Live Toolbar\MSNTBUP.EXESYSTEM0< []
2008-07-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - :C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0 []
2008-07-14 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - DAVID.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 02:19]
2008-07-01 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - JAMES.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 02:19]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 12:35:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-31 12:38:11
ComboFix-quarantined-files.txt 2008-07-31 11:38:02
ComboFix2.txt 2008-07-30 10:31:10

Pre-Run: 40,518,516,736 bytes free
Post-Run: 40,498,757,632 bytes free

236 --- E O F --- 2008-07-23 09:49:11

Hijackthis log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:57, on 31/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\IRReceive.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\CF15771.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [IRReceive] C:\WINDOWS\system32\IRReceive.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?4082c65fcdde43018626f68d2c7630c1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?4082c65fcdde43018626f68d2c7630c1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b57176.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9075 bytes

The blue file inconsistency screen has not occurred since ComboFix was run.

I have just logged out of DAVID and into NICOLA. Two RUNDLL messages have appeared. They say that ... gmrgocyw.dll and ...tpbxafxt cannot be found. This also occurred with BETH. User MATTHEW had the latter message. DAVID does not get them. If it will clear the problem, I can easily delete and reinstate the affected users as they are empty.
Miker
Active Member
 
Posts: 12
Joined: July 26th, 2008, 6:30 am

Re: Is the Vundo virus still on laptop?

Post by random/random » July 31st, 2008, 1:00 pm

I have just logged out of DAVID and into NICOLA. Two RUNDLL messages have appeared. They say that ... gmrgocyw.dll and ...tpbxafxt cannot be found. This also occurred with BETH. User MATTHEW had the latter message. DAVID does not get them. If it will clear the problem, I can easily delete and reinstate the affected users as they are empty.


The problem should be fairly easy to fix. Just post and label HijackThis logs from each user account.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm
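The helper above reads the per-user HijackThis logs by eye, looking for the same things the thread has already turned up: Run entries and BHOs pointing at DLLs with random six-to-eight-letter names in system32 (the ones behind the RUNDLL "cannot be found" messages), and services HijackThis cannot attribute to a vendor. The script below is an added example, not a tool from this forum or from Trend Micro, that applies those three checks to a log. The sample log is constructed for the example: the benign lines mirror entries on this page, gmrgocyw.dll and ferwpvhx.dll are the names the thread mentions, and the all-zero CLSID and "foosvc" service are placeholders. The KNOWN_GOOD and KNOWN_UNOWNED lists are assumptions (symlcsvc.exe is treated as Symantec's because the logs on this page say so) and are deliberately partial; the output is a list of entries to look at, not a verdict.

```python
import re
from typing import Dict, List, Optional, Tuple

# HijackThis entry prefixes: R0-R3, F0-F3, N1-N4, O1-O24, followed by " - ".
ENTRY = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")

# Rule 1 pattern: a six-to-eight-letter, all-lower-case DLL directly under system32,
# the naming style of the Vundo leftovers in this thread (wmzkoh, aevrvfph, ...).
RANDOM_SYS32_DLL = re.compile(r"\\[Ss]ystem32\\([a-z]{6,8})\.dll")

# Assumption: lower-case system32 DLLs that legitimately look "random" to rule 1.
# Deliberately partial; extend it for the system being examined.
KNOWN_GOOD = {"msvcrt", "browseui", "shdocvw", "urlmon", "wininet", "shlwapi",
              "userenv", "setupapi"}

# Assumption: service binaries that show "Unknown owner" in HijackThis but are
# legitimate. symlcsvc.exe appears that way in the logs on this page.
KNOWN_UNOWNED = {"symlcsvc.exe"}

# Constructed sample log for the example, not the thread's real log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gmrgocyw] rundll32.exe C:\WINDOWS\system32\gmrgocyw.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\ferwpvhx.dll
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Foo Service (foosvc) - Unknown owner - C:\WINDOWS\system32\foosvc.exe
"""


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one HijackThis line into (section, body); None for header/process lines."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the entries a helper would want to review, each with its reason."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        entry = raw.strip()

        # Rule 1: random-looking DLL name under system32 (any section).
        for m in RANDOM_SYS32_DLL.finditer(body):
            name = m.group(1)
            if name not in KNOWN_GOOD:
                findings.append({"section": section, "entry": entry,
                                 "reason": f"random-looking system32 DLL {name}.dll"})

        # Rule 2: a BHO registered without a name.
        if section == "O2" and "(no name)" in body:
            findings.append({"section": section, "entry": entry,
                             "reason": "BHO with no name"})

        # Rule 3: a service HijackThis cannot attribute to a vendor.
        if section == "O23" and "Unknown owner" in body:
            exe = body.rsplit("\\", 1)[-1].lower()
            if exe not in KNOWN_UNOWNED:
                findings.append({"section": section, "entry": entry,
                                 "reason": f"service binary {exe} with unknown owner"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['entry']}")
```

Run it against each user's saved log (`triage(open(path).read())`) and compare the hits across accounts: an entry that appears only under NICOLA, BETH and MATTHEW but not DAVID is the per-user Run key the RUNDLL messages are complaining about. Anything the script flags still needs a human look; a name that merely looks random is not proof of infection.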

Re: Is the Vundo virus still on laptop?

Post by Miker » July 31st, 2008, 1:49 pm

Log for User Beth below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20:07, on 31/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\IRReceive.exe
C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [IRReceive] C:\WINDOWS\system32\IRReceive.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [1d0f117a] rundll32.exe "C:\WINDOWS\system32\gmrgocyw.dll",b
O4 - HKCU\..\Run: [BM1e3c22e6] Rundll32.exe "C:\WINDOWS\system32\tpbxafxt.dll",s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b57176.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7230 bytes

Log for user Matthew below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:42, on 31/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\IRReceive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [IRReceive] C:\WINDOWS\system32\IRReceive.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [BM1e3c22e6] Rundll32.exe "C:\WINDOWS\system32\tpbxafxt.dll",s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b57176.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7258 bytes

Log for user Nicola below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:42, on 31/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\IRReceive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [IRReceive] C:\WINDOWS\system32\IRReceive.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [BM1e3c22e6] Rundll32.exe "C:\WINDOWS\system32\tpbxafxt.dll",s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b57176.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7258 bytes

After logging into user Nicola after having done the last Combo Fix run in user David, the laptop switched itself off. On reloading, the blue screen with file inconsistency came on and referred to serial no IDOF-11D5. Since then, the laptop has not switched itself off all afternoon while in user David.
Miker
Active Member
 
Posts: 12
Joined: July 26th, 2008, 6:30 am
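The per-user logs above show why the RUNDLL "cannot be found" errors follow particular accounts: the O4 entries under HKCU (one per account) still try to load DLLs that the removal tools have already deleted. As an added example, not from this thread or from HijackThis itself, the script below parses the O4 lines of a HijackThis log and flags rundll32 launches that carry the markers seen here (HKCU Run key, random-looking lowercase DLL name in system32, single-letter export, hex-like value name). The sample lines are copied from the logs above; the flag names and the two-flag threshold are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Sample O4 lines copied from the per-user HijackThis logs posted above.
# gmrgocyw.dll and tpbxafxt.dll are the DLLs the RUNDLL errors name.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [1d0f117a] rundll32.exe "C:\WINDOWS\system32\gmrgocyw.dll",b
O4 - HKCU\..\Run: [BM1e3c22e6] Rundll32.exe "C:\WINDOWS\system32\tpbxafxt.dll",s
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
"""

# "O4 - <location>: [<value name>] <command>"; startup-folder items have no [name]
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# rundll32[.exe] "<dll>"[,<export>]  (quotes optional)
RUNDLL_RE = re.compile(
    r'(?i)^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?(?:,(?P<export>\S*))?\s*$')


@dataclass
class O4Entry:
    hive: str            # HKLM, HKCU, or a startup-folder location
    name: str            # registry value name (empty for startup-folder items)
    cmd: str
    dll: str = ""        # DLL loaded via rundll32, if any
    export: str = ""
    flags: list = field(default_factory=list)


def parse_o4(line):
    """Return an O4Entry for an O4 log line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    e = O4Entry(hive=m["loc"].split("\\")[0], name=m["name"] or "", cmd=m["cmd"])
    r = RUNDLL_RE.match(e.cmd)
    if r:
        e.dll, e.export = r["dll"], r["export"] or ""
    return e


def score(e):
    """Attach heuristic flags (assumed markers) to a rundll32 entry; returns e."""
    if not e.dll:
        return e  # only rundll32-launched DLLs are scored here
    stem = e.dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if e.hive == "HKCU":
        e.flags.append("per-user Run key")
    if "\\system32\\" in e.dll.lower() and re.fullmatch(r"[a-z]{5,10}", stem):
        e.flags.append("random-looking lowercase DLL name in system32")
    if re.fullmatch(r"[A-Za-z]", e.export):
        e.flags.append("single-letter export")
    if re.fullmatch(r"(BM)?[0-9a-f]{8}", e.name):
        e.flags.append("hex-like value name")
    return e


def suspicious_entries(log_text, min_flags=2):
    """O4 entries from a HijackThis log that carry at least min_flags markers."""
    out = []
    for line in log_text.splitlines():
        e = parse_o4(line)
        if e and len(score(e).flags) >= min_flags:
            out.append(e)
    return out


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.hive} [{e.name}] {e.dll}: {', '.join(e.flags)}")
```

Run it against each account's log in turn; an entry that is flagged in one account's log but absent from another's is a per-user HKCU leftover, which is exactly what separate logs per account make visible.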