Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Can't get rid of WinAntiVirusPro "Objects"

Post by keyvexed » October 10th, 2007, 12:39 pm

Can't get rid of WinAntiVirusPro "Objects" (DLLs and registry entries). They keep appearing even though I can boot to another HD and delete the pesky little varmits that were identified in HJT. They come right back with a different name (vtuutst.dll, jkhfd.dll, pmnnn.dll, etc.) and can't be deleted except when I boot from a different drive.

Ad-Aware SE keeps finding them too but can't delete them (even though it says it has). I have logs for both as well as ComboFix. I got rid of the trojan yesterday but the varmits keep appearing. Where is that critter?

I am in South Florida and got the darn thing on 9-23, probably from an install of a file I downloaded. At least all signs point to that date. That was about the time things went a bit haywire.

Spybot S&D keeps it at bay in real time for now, and TM PC-cillin is a backup along with the various other program scans and deletions I have been doing. If I let it fester, it seems to grow, darnit! I just can't seem to rid the system of them varmits.

I am running Windows XP Home on a 4-year-old AMD 64 3200+ with a Gigabyte motherboard. Thanks for your help.

Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, October 10, 2007 9:48:03 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R195 08.10.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):3 total references
WinAntiVirusPro(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


10-10-2007 9:48:03 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 1080
ThreadCreationTime : 10-10-2007 1:30:40 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1188
ThreadCreationTime : 10-10-2007 1:30:44 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1220
ThreadCreationTime : 10-10-2007 1:30:47 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1268
ThreadCreationTime : 10-10-2007 1:30:47 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1280
ThreadCreationTime : 10-10-2007 1:30:47 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1480
ThreadCreationTime : 10-10-2007 1:30:48 PM
BasePriority : Normal
FileVersion : 6.14.10.4163
ProductVersion : 6.14.10.4163
ProductName : ATI External Event Utility for Windows
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2007 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1492
ThreadCreationTime : 10-10-2007 1:30:48 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1604
ThreadCreationTime : 10-10-2007 1:30:48 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1736
ThreadCreationTime : 10-10-2007 1:30:49 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1788
ThreadCreationTime : 10-10-2007 1:30:49 PM
BasePriority : Normal
FileVersion : 6.14.10.4163
ProductVersion : 6.14.10.4163
ProductName : ATI External Event Utility for Windows
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2007 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1828
ThreadCreationTime : 10-10-2007 1:30:49 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1940
ThreadCreationTime : 10-10-2007 1:30:49 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2028
ThreadCreationTime : 10-10-2007 1:30:49 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:14 [dkservice.exe]
FilePath : C:\Program Files\Diskeeper Corporation\Diskeeper\
ProcessID : 456
ThreadCreationTime : 10-10-2007 1:30:55 PM
BasePriority : Below Normal
FileVersion : 11.0.709.0
ProductVersion : 11.0.709.0
ProductName : Diskeeper (TM) Disk Defragmenter
CompanyName : Diskeeper Corporation
FileDescription : Diskeeper Service
InternalName : DkService
LegalCopyright : © 1995-2007 Diskeeper Corporation
OriginalFilename : DkService

#:15 [gearsec.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 476
ThreadCreationTime : 10-10-2007 1:30:55 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 6
ProductVersion : 1, 0, 0, 6
ProductName : gearsec
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
LegalCopyright : Copyright © 2001-2003 GEAR Software
OriginalFilename : gearsec.exe

#:16 [pcctlcom.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 500
ThreadCreationTime : 10-10-2007 1:30:55 PM
BasePriority : Normal
FileVersion : 15.30.0.1151
ProductVersion : 15.30.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Inc.
FileDescription : PcCtlCom Module
InternalName : PcCtlCom
LegalCopyright : Copyright (C) 1995-2006 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : PcCtlCom.EXE

#:17 [pcscnsrv.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 540
ThreadCreationTime : 10-10-2007 1:30:55 PM
BasePriority : Normal
FileVersion : 15.30.0.1128
ProductVersion : 15.30.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Inc.
FileDescription : PcScnSrv
InternalName : PcScnSrv.exe
LegalCopyright : Copyright (C) 1995-2006 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : PcScnSrv.exe

#:18 [hpzipm12.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 668
ThreadCreationTime : 10-10-2007 1:30:56 PM
BasePriority : Normal
FileVersion : 9, 0, 0, 0
ProductVersion : 9, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:19 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 812
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:20 [tmntsrv.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 844
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 15.30.0.1128
ProductVersion : 15.30.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Inc.
FileDescription : Tmntsrv
InternalName : Tmntsrv
LegalCopyright : Copyright (C) 1995-2006 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : Tmntsrv.exe

#:21 [tmpfw.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 868
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 3.2.0.1027
ProductVersion : 3.2.0
ProductName : Trend Micro Network Security Components 3.2
CompanyName : Trend Micro Inc.
FileDescription : TmPfw
InternalName : TmPfw
LegalCopyright : Copyright (C) 2001-2006 Trend Micro Inc. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Inc.
OriginalFilename : TmPfw.exe

#:22 [tmproxy.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 972
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 3.2.0.1024
ProductVersion : 3.2.0
ProductName : Trend Micro Network Security Components 3.2
CompanyName : Trend Micro Inc.
FileDescription : TmProxy.exe
InternalName : TmProxy.exe
LegalCopyright : Copyright (C) 2001-2006 Trend Micro Inc. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Inc.
OriginalFilename : TmProxy.exe

#:23 [upsd.exe]
FilePath : C:\Program Files\Belkin Bulldog Plus\
ProcessID : 1000
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 1.1
ProductVersion : 3.1
ProductName : UPSentry Smart 2000
CompanyName : Delta
FileDescription : upsd
InternalName : UPSentry Service
LegalCopyright : Copyright c 1999
OriginalFilename : upsd.exe

#:24 [mspmspsv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1060
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
ProductName : Microsoft (R) DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:25 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 3612
ThreadCreationTime : 10-10-2007 1:31:56 PM
BasePriority : Normal
FileVersion : 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)
ProductVersion : 6.00.2900.3156
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:26 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3728
ThreadCreationTime : 10-10-2007 1:31:58 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:27 [type32.exe]
FilePath : C:\Program Files\Microsoft IntelliType Pro\
ProcessID : 3736
ThreadCreationTime : 10-10-2007 1:31:58 PM
BasePriority : Normal


#:28 [launch~1.exe]
FilePath : C:\PROGRA~1\Nokia\NOKIAP~1\
ProcessID : 3752
ThreadCreationTime : 10-10-2007 1:31:58 PM
BasePriority : Normal


#:29 [pccguide.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 3772
ThreadCreationTime : 10-10-2007 1:31:58 PM
BasePriority : Normal
FileVersion : 15.30.0.1151
ProductVersion : 15.30.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Inc.
FileDescription : PCCGuide
InternalName : PCCGuide
LegalCopyright : Copyright (C) 1995-2006 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : PCCGuide

#:30 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.6.0_03\bin\
ProcessID : 3808
ThreadCreationTime : 10-10-2007 1:31:58 PM
BasePriority : Normal


#:31 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ProcessID : 3864
ThreadCreationTime : 10-10-2007 1:31:59 PM
BasePriority : Normal
FileVersion : 9.79.025
ProductVersion : 9.79.025
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
LegalCopyright : (C) 1987-2003 Logitech. All rights reserved.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : Em_Exec.exe
Comments : Created by the MouseWare team

#:32 [psfree.exe]
FilePath : C:\PROGRA~1\PANICW~1\POP-UP~2\
ProcessID : 3892
ThreadCreationTime : 10-10-2007 1:31:59 PM
BasePriority : Normal
FileVersion : 3, 1, 0, 1014
ProductVersion : 1, 0, 0, 1
ProductName : Pop-Up Stopper Free Edition
CompanyName : Panicware, Inc.
FileDescription : Pop-Up Stopper Free Edition
InternalName : Pop-Up Stopper Free Edition
LegalCopyright : Copyright (C) 2002-2005
OriginalFilename : PSFree.exe

#:33 [pcsync2.exe]
FilePath : C:\Program Files\Nokia\Nokia PC Suite 6\
ProcessID : 3952
ThreadCreationTime : 10-10-2007 1:32:00 PM
BasePriority : Normal
FileVersion : 2.00 (486)
ProductVersion : 2.00
ProductName : PC Sync
CompanyName : Time Information Services Ltd.
FileDescription : PC Sync
InternalName : PcSync2
LegalCopyright : Copyright © Time I.S. Ltd. 2002 - 2006
OriginalFilename : PcSync2.EXE

#:34 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 4048
ThreadCreationTime : 10-10-2007 1:32:04 PM
BasePriority : Normal
FileVersion : 8.1.0178.00
ProductVersion : 8.1.0178
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr.exe
LegalCopyright : Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFilename : msnmsgr.exe

#:35 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 4056
ThreadCreationTime : 10-10-2007 1:32:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:36 [teatimer.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ProcessID : 4068
ThreadCreationTime : 10-10-2007 1:32:06 PM
BasePriority : Idle
FileVersion : 1, 5, 0, 9
ProductVersion : 1, 5, 0, 0
ProductName : Spybot - Search & Destroy
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
LegalCopyright : © 2000-2007 Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : TeaTimer.exe
Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.

#:37 [mups.exe]
FilePath : C:\Program Files\Belkin Bulldog Plus\
ProcessID : 792
ThreadCreationTime : 10-10-2007 1:32:09 PM
BasePriority : Normal


#:38 [mpapi3s.exe]
FilePath : C:\PROGRA~1\COMMON~1\Nokia\MPAPI\
ProcessID : 928
ThreadCreationTime : 10-10-2007 1:32:10 PM
BasePriority : Normal
FileVersion : 6.80.161.0
ProductVersion : 6.0
ProductName : Nokia Connectivity Library
CompanyName : Nokia Corporation
FileDescription : Mobile Phone API
InternalName : MPAPI
LegalCopyright : Copyright © 1999-2004 Nokia. All Rights Reserved
OriginalFilename : MPAPI.EXE

#:39 [snagit32.exe]
FilePath : C:\Program Files\TechSmith\SnagIt 8\
ProcessID : 164
ThreadCreationTime : 10-10-2007 1:32:12 PM
BasePriority : Normal


#:40 [memturbo.exe]
FilePath : C:\Program Files\Silicon Prairie Software\MemTurbo\
ProcessID : 224
ThreadCreationTime : 10-10-2007 1:32:12 PM
BasePriority : Normal

ProductName : MemTurbo Application
CompanyName : SharewareOnline.com, Inc.
FileDescription : MemTurbo
InternalName : MemTurbo
LegalCopyright : Copyright (C) 1998-2000
LegalTrademarks : MemTurbo, RAMScrub
OriginalFilename : MemTurbo.EXE
Comments : http://www.memturbo.com

#:41 [tschelp.exe]
FilePath : C:\Program Files\TechSmith\SnagIt 8\
ProcessID : 1684
ThreadCreationTime : 10-10-2007 1:32:14 PM
BasePriority : Normal
FileVersion : 8.2.3.14
ProductVersion : 8.2.3.14
CompanyName : TechSmith Corporation
FileDescription : TechSmith HTML Help Helper
InternalName : TechSmith HTML Help Helper
LegalCopyright : Copyright (c) 2002-2007 TechSmith Corporation. All rights reserved.
OriginalFilename : TscHelp.exe

#:42 [snagpriv.exe]
FilePath : C:\Program Files\TechSmith\SnagIt 8\
ProcessID : 1400
ThreadCreationTime : 10-10-2007 1:32:14 PM
BasePriority : Normal
FileVersion : 8.2.3.14
ProductVersion : 8.2.3.14
ProductName : SnagPriv
CompanyName : TechSmith Corporation
FileDescription : SnagIt RPC Helper
InternalName : SnagPriv
LegalCopyright : Copyright © 1996-2007 TechSmith Corp. All rights reserved.
OriginalFilename : SnagPriv.exe
Comments : 8.2.3 release

#:43 [servicelayer.exe]
FilePath : C:\Program Files\Common Files\PCSuite\Services\
ProcessID : 2652
ThreadCreationTime : 10-10-2007 1:32:26 PM
BasePriority : Normal
FileVersion : 6, 80, 56, 4
ProductVersion : 6.0
ProductName : PC Connectivity Solution
CompanyName : Nokia.
FileDescription : ServiceLayer Module
InternalName : ServiceLayer
LegalCopyright : Copyright © 2002-2006 Nokia. All Rights Reserved.
OriginalFilename : ServiceLayer.exe

#:44 [wscntfy.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1640
ThreadCreationTime : 10-10-2007 1:32:27 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe

#:45 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3212
ThreadCreationTime : 10-10-2007 1:32:28 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:46 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3064
ThreadCreationTime : 10-10-2007 1:32:41 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:47 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1332
ThreadCreationTime : 10-10-2007 1:34:23 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:48 [hijackthis_v2.exe]
FilePath : C:\Documents and Settings\Paul\Desktop\Utilities\
ProcessID : 1560
ThreadCreationTime : 10-10-2007 1:34:46 PM
BasePriority : Normal
FileVersion : 2.00
ProductVersion : 2.00
ProductName : HijackThis
CompanyName : Trend Micro Inc.
FileDescription : HijackThis
InternalName : HijackThis
LegalCopyright : (c) 2007 Trend Micro Inc
OriginalFilename : HijackThis.exe

#:49 [opera.exe]
FilePath : C:\Program Files\Opera75\
ProcessID : 2680
ThreadCreationTime : 10-10-2007 1:36:33 PM
BasePriority : Normal
FileVersion : 8808
ProductVersion : 9.23
ProductName : Opera Internet Browser
CompanyName : Opera Software
FileDescription : Opera Internet Browser
InternalName : Opera
LegalCopyright : Copyright © Opera Software 1995-2007
OriginalFilename : Opera.exe

#:50 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2812
ThreadCreationTime : 10-10-2007 1:47:44 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinAntiVirusPro Object Recognized!
Type : File
Data : A0000004.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{A13EE8D9-B42B-4BDE-9C01-36611043B31B}\RP1\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
6651 entries scanned.
New critical objects:0
Objects found so far: 4




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinAntiVirusPro Object Recognized!
Type : File
Data : sporder.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 5.00.2095.1
ProductVersion : 5.00.2095.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : WinSock2 reorder service providers
InternalName : sporder.dll
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : sporder.dll


Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 5

10:16:31 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:28:28.250
Objects scanned:340230
Objects identified:2
Objects ignored:0
New critical objects:2

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:04:38 AM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Opera75\Opera.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Paul\Desktop\Utilities\HJT\HJT.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9FAC296D-F17B-48BE-9857-0701BBCE4E23} - C:\WINDOWS\system32\jkklm.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Inst ... S_live.cab
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx ... ,0,0831,02
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/ins ... _v01_6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8617141609
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - http://entimg.msn.com/client/msnediag3503.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral ... 10,0,910,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{0703F95A-7E05-4585-83F8-48511813BBD9}: NameServer = 216.89.226.2,216.89.226.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{0703F95A-7E05-4585-83F8-48511813BBD9}: NameServer = 216.89.226.2,216.89.226.3
O17 - HKLM\System\CS3\Services\Tcpip\..\{0703F95A-7E05-4585-83F8-48511813BBD9}: NameServer = 216.89.226.2,216.89.226.3
O20 - Winlogon Notify: vtuutst - C:\WINDOWS\SYSTEM32\vtuutst.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ibluomrb.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

--
End of file - 10002 bytes

ComboFix 07-10-09.3 - Paul 2007-10-10 11:24:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.374 [GMT -4:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINDOWS\system32\avrqjdbg.dll
C:\WINDOWS\system32\cfhnxfcb.dll
C:\WINDOWS\system32\cvfyqmxb.dll
C:\WINDOWS\system32\dbpqyddo.dll
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\gbdjqrva.ini
C:\WINDOWS\system32\gcmgperd.dll
C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\klqruoej.dll
C:\WINDOWS\system32\kuoffmjg.dll
C:\WINDOWS\system32\ljupporm.dll
C:\WINDOWS\system32\lmjuschy.dll
C:\WINDOWS\system32\lqifeemh.dll
C:\WINDOWS\system32\lqtcuynx.exe
C:\WINDOWS\system32\mabqlfbc.dll
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mroppujl.ini
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\nnnmp.bak2
C:\WINDOWS\system32\nnnmp.bak2
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\nnnmp.tmp
C:\WINDOWS\system32\nnnmp.tmp
C:\WINDOWS\system32\nqltgvlg.dll
C:\WINDOWS\system32\ouvbyddi.dll
C:\WINDOWS\system32\pdvwptab.dll
C:\WINDOWS\system32\pohechsy.dll
C:\WINDOWS\system32\ppvmvynk.dll
C:\WINDOWS\system32\rhbitdvh.dll
C:\WINDOWS\system32\sjujfjlv.dll
C:\WINDOWS\system32\vtbusixy.dll
C:\WINDOWS\system32\whixewsb.dll
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\system32\xhwlrrfy.dll
C:\WINDOWS\system32\xssnhkul.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.

2007-10-10 11:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 20:14 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-10-09 20:14 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-10-09 20:14 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-10-09 20:14 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-10-09 20:14 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-10-09 20:14 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-10-09 20:14 106,496 --------- C:\WINDOWS\system32\TwnLib20.dll
2007-10-09 20:12 2,682,880 --------- C:\WINDOWS\UNNeroVision.exe
2007-10-09 20:05 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-10-09 20:04 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-10-09 18:12 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-10-09 18:12 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-10-09 18:12 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-10-09 18:12 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-10-09 18:12 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-10-09 18:12 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-10-09 11:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Opera
2007-10-09 10:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-10-08 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 15:06 <DIR> d-------- C:\Documents and Settings\Joyce\Application Data\Share-to-Web Upload Folder
2007-10-07 16:22 717 --a------ C:\WINDOWS\EReg206.dat
2007-10-07 16:12 <DIR> d-------- C:\WINDOWS\EReg206
2007-10-06 18:30 <DIR> d-------- C:\tmp
2007-09-29 16:00 65,536 --a------ C:\WINDOWS\system32\a3d.dll
2007-09-27 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avanquest Software
2007-09-24 18:35 <DIR> d-------- C:\Program Files\Temporary
2007-09-23 19:20 33,792 --a------ C:\WINDOWS\system32\ssqnkkl.dll
2007-09-23 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-09-23 18:02 33,792 --a------ C:\WINDOWS\system32\ddcyawu.dll
2007-09-23 18:01 33,792 --a------ C:\WINDOWS\system32\vtuutst.dll
2007-09-14 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-09-13 15:28 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Printer Info Cache
2007-09-13 15:26 <DIR> d-------- C:\Program Files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 00:15 --------- d-----w C:\Program Files\Ahead
2007-10-10 00:04 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-09 22:12 --------- d-----w C:\Program Files\Trend Micro
2007-10-09 21:00 --------- d-----w C:\Program Files\Quicken
2007-10-09 21:00 --------- d-----w C:\Program Files\ItsDeductible2005
2007-10-09 20:58 --------- d-----w C:\Program Files\TurboTax
2007-10-09 19:58 --------- d-----w C:\Program Files\Opera75
2007-10-09 16:08 --------- d-----w C:\Program Files\Ulead Systems
2007-10-09 16:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-08 22:11 --------- d-----w C:\Program Files\Creative
2007-10-07 20:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-27 20:46 2,754 ----a-w C:\Documents and Settings\Paul\Application Data\SAS7_000.DAT
2007-09-26 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-26 17:52 --------- d-----w C:\Documents and Settings\Paul\Application Data\RipIt4Me
2007-09-26 12:40 --------- d-----w C:\Documents and Settings\Paul\Application Data\uTorrent
2007-09-25 02:22 --------- d-----w C:\Documents and Settings\Paul\Application Data\dvdcss
2007-09-25 02:12 --------- d-----w C:\Documents and Settings\Paul\Application Data\Ahead
2007-09-24 13:03 --------- d-----w C:\Program Files\Belkin Bulldog Plus
2007-09-23 22:09 --------- d-----w C:\Documents and Settings\Paul\Application Data\Nero
2007-09-14 13:48 --------- d-----w C:\Documents and Settings\Paul\Application Data\Image Zone Express
2007-09-13 19:26 --------- d-----w C:\Program Files\HP
2007-09-09 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-07 19:19 --------- d-----w C:\Program Files\PowerISO
2007-09-07 18:22 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-07 18:22 --------- d-----w C:\Program Files\Microsoft Works
2007-09-06 21:04 --------- d-----w C:\Program Files\QuickZip4
2007-08-19 17:39 --------- d-----w C:\Documents and Settings\Paul\Application Data\Nuance
2007-08-19 17:36 --------- d-----w C:\Program Files\Common Files\Scansoft Shared
2007-08-19 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-08-19 17:35 --------- d-----w C:\Program Files\Nuance
2007-08-19 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nuance
2007-08-17 23:02 --------- d-----w C:\Program Files\Codemasters
2007-08-16 14:12 --------- d-----w C:\Program Files\Copy-Discovery 2000
2007-08-13 23:15 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-12 19:48 --------- d-----w C:\Program Files\Diskeeper Corporation
2007-08-12 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2007-08-12 19:37 --------- d-----w C:\Program Files\Hewlett-Packard
2007-08-12 19:36 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-08-11 23:48 --------- d-----w C:\Program Files\MagicDisc
2007-08-11 23:30 --------- d-----w C:\Program Files\Ricochet Lost Worlds Recharged
2007-08-11 18:40 --------- d-----w C:\Program Files\microsoft frontpage
2007-08-11 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-10 17:15 --------- d-----w C:\Program Files\MagicISO
2007-04-28 19:25 81,920 ----a-w C:\Documents and Settings\Paul\Application Data\ezpinst.exe
2007-04-28 19:25 47,360 ----a-w C:\Documents and Settings\Paul\Application Data\pcouffin.sys
2003-03-31 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56:43 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudCtrl"="AudCtrl.dll" [2002-03-21 19:53 C:\WINDOWS\system32\AudCtrl.dll]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 04:51]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29]
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe" [2007-01-23 02:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe" [2005-03-17 12:10]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 17:52]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\Paul\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe [2004-02-14 12:52:52]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]
MUPS.lnk - C:\Program Files\Belkin Bulldog Plus\MUPS.exe [2003-12-31 19:24:27]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 11:11:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutst]
vtuutst.dll 2007-09-23 18:01 33792 C:\WINDOWS\system32\vtuutst.dll

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\WINDOWS\system32\drivers\pe3ah4nc.sys
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\WINDOWS\system32\drivers\ps6ah4nc.sys
R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys
R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys
R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys
R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
R3 sbext;Sound Blaster Extigy Audio Driver;C:\WINDOWS\system32\DRIVERS\sbext.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\WINDOWS\system32\pr2ah4nc.exe svc
S3 ICDUSB2;Sony IC Recorder (P);C:\WINDOWS\system32\Drivers\ICDUSB2.sys
S3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\markfun.w32
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys
S3 vidcap;vidcap;C:\WINDOWS\system32\DRIVERS\vidcap.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2004-11-14 02:28:01 C:\WINDOWS\Tasks\HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1080782758.job"
- C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2007-10-10 11:35:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-10 11:34
.
--- E O F ---




Thank goodness there are some good people out there to help. Thank you very much. I will not be using any more untrusted files anytime soon. Virus scan doesn't seem to pick up on all of the critters in them.

Thank God I got the machine stable with all the help from reading other people's posts. Thanks again!!!!

Vexed in the Keys
keyvexed
Active Member
 
Posts: 3
Joined: October 10th, 2007, 12:20 pm

Unread postby beynac » October 11th, 2007, 11:40 am

Welcome to Malware Removal. :)

I'm looking through your logs and will post again shortly.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby beynac » October 11th, 2007, 12:53 pm

Good afternoon.

I'll be happy to help you sort out your problem. In order to help me with this, please note the following points:
  • If you have any questions or problems - stop and ask
  • It's important that you do not take any independent action to clean the computer (e.g. scans and clean-up programs)
  • Please continue until I give the "all clear". The symptoms may disappear quite quickly, but this doesn't mean that the computer is clean
----------------------------------------------

Spybot's TeaTimer

We must disable TeaTimer as it will interfere with our fix. This is a two step process.
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have Version 1.5
    • Click once on Resident Protection
    • Right-click the Spybot icon again and make sure Resident Protection is now Unchecked
    • The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4
    • Click on Exit Spybot S&D Resident
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect
--------------------------------------

ComboFix by sUBs

Please delete your copy of ComboFix and download the current version from here. Please make sure that you save it on your desktop. It's essential that we make sure that we are using the latest version.

Open Notepad and copy/paste the text in the quotebox below into it:
File::
C:\tmp
C:\WINDOWS\system32\ssqnkkl.dll
C:\WINDOWS\system32\ddcyawu.dll
C:\WINDOWS\system32\vtuutst.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutst]


Save this on your Desktop as CFScript.txt

Image
ComboFix should also be on your Desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall

------------------------------------------

HijackThis

You are using the old, beta version of HijackThis. Please delete your copy and then download the latest version:

Please download HJTInstall.exe and save it to your desktop
  • Double click on the HJTInstall.exe icon on your desktop
  • Click I Accept
  • HijackThis will open
  • Click on the Do a system scan and save a log file button.
  • It will scan and then the log will open in notepad.
  • Paste the log as a reply to this thread.
  • Don't use the Analyse This button - its findings are dangerous if misinterpreted.
Do NOT have HijackThis fix anything yet.

-----------------------------------------

Please post, as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log (run with the new version)
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
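
The log triage behind the CFScript above (an O20 Winlogon Notify package outside the stock Windows set, a service with no vendor and a missing binary, and the three same-size DLLs created minutes apart on 2007-09-23), written out as an added Python example; this is not code from the thread, from HijackThis or from ComboFix. The sample lines are constructed from the logs posted here, and the KNOWN_NOTIFY allow-list is an assumption.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the HijackThis and ComboFix logs posted in
# this thread (a few entries, not the full logs).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - Winlogon Notify: vtuutst - C:\WINDOWS\SYSTEM32\vtuutst.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ibluomrb.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
"""

COMBOFIX_SAMPLE = r"""
2007-10-09 20:04 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-09-29 16:00 65,536 --a------ C:\WINDOWS\system32\a3d.dll
2007-09-23 19:20 33,792 --a------ C:\WINDOWS\system32\ssqnkkl.dll
2007-09-23 18:02 33,792 --a------ C:\WINDOWS\system32\ddcyawu.dll
2007-09-23 18:01 33,792 --a------ C:\WINDOWS\system32\vtuutst.dll
"""

# Assumption: a short allow-list of Winlogon notification packages that ship with
# Windows XP. Any other name under Winlogon\Notify deserves a second look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

Created = namedtuple("Created", "when size path")


def parse_combofix_created(text):
    """Parse ComboFix 'Files Created' lines: '<date> <time> <size> <attrs> <path>'."""
    rx = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+)\s+\S+\s+(.+)$")
    rows = []
    for line in text.splitlines():
        m = rx.match(line.strip())
        if m:
            rows.append(Created(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                                int(m.group(2).replace(",", "")), m.group(3)))
    return rows


def suspicious_hjt_entries(text):
    """Return (kind, name, path) for O20 notify packages outside the allow-list and
    for O23 services with no vendor or a missing binary (heuristic: the service
    line is split on ' - ' as name / vendor / path)."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^O20 - Winlogon Notify: (\S+) - (.+)$", line)
        if m:
            if m.group(1).lower() not in KNOWN_NOTIFY:
                hits.append(("winlogon-notify", m.group(1), m.group(2)))
            continue
        m = re.match(r"^O23 - Service: (.+) - (.+?) - (.+?)(?: \(file missing\))?$", line)
        if m and (m.group(2) == "Unknown owner" or line.endswith("(file missing)")):
            hits.append(("service", m.group(1), m.group(3)))
    return hits


def siblings(created, path, window=timedelta(hours=2)):
    """Files created within `window` of `path` and with the same size: the copies
    that come back under a new random name, as the original poster describes."""
    ref = next((c for c in created if c.path.lower() == path.lower()), None)
    if ref is None:
        return [path]
    return sorted(c.path for c in created
                  if c.size == ref.size and abs(c.when - ref.when) <= window)


def build_cfscript(files, notify_names):
    """Render the File:: / Registry:: sections in the layout the helper used."""
    key = r"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\%s]"
    lines = ["File::", *files, "", "Registry::", *(key % n for n in notify_names)]
    return "\n".join(lines) + "\n"


def triage(hjt_text, combofix_text):
    """Correlate both logs; returns (files to remove, notify keys to remove,
    services to review)."""
    created = parse_combofix_created(combofix_text)
    files, notify, services = set(), [], []
    for kind, name, path in suspicious_hjt_entries(hjt_text):
        if kind == "winlogon-notify":
            notify.append(name)
            files.update(siblings(created, path))
        else:
            services.append(name)  # binary already gone; only the service key remains
    return sorted(files), notify, services


if __name__ == "__main__":
    files, notify, services = triage(HJT_SAMPLE, COMBOFIX_SAMPLE)
    print(build_cfscript(files, notify))
    print("services to review:", services)
```

The two-hour, same-size sibling rule reproduces the helper's choice of ssqnkkl.dll, ddcyawu.dll and vtuutst.dll without naming them in advance; widen the window or drop the size match when the log shows a longer-running infection.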

10-11 run following the above

Unread postby keyvexed » October 11th, 2007, 8:38 pm

Spybot was not in the tray even though TeaTimer was running. I ran Spybot and unchecked the "resident" box as you mentioned, but that was all I saw to do. I also ended TeaTimer in the task manager and closed Spybot. Did not reboot as TeaTimer was then gone. I tried my best, but if I need to redo this part, let me know and I will.

I modified Combofix as you suggested and ran it. Upon the re-bootup many resident programs loaded, including teatimer. I stopped it in task manager. Report was generated for Combofix.

I ran HJT with the new version as directed. Log is below.

With all of the scans and "fixes" I have run over the last few days, the popups seem to have gone away. Gone too appear to be the dlls that I couldn't delete. There might be some straggler files still in there but hopefully we will get them too with your help.

Thank you

--------------------------------------------------------------------------------

ComboFix 07-10-12.3 - Paul 2007-10-11 20:05:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.565 [GMT -4:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Paul\Desktop\cfscript.txt
* Created a new restore point

FILE::
C:\tmp
C:\WINDOWS\system32\ddcyawu.dll
C:\WINDOWS\system32\ssqnkkl.dll
C:\WINDOWS\system32\vtuutst.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddcyawu.dll
C:\WINDOWS\system32\ssqnkkl.dll
C:\WINDOWS\system32\vtuutst.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.

2007-10-10 18:35 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-10-10 18:04 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-10-10 11:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 20:14 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-10-09 20:14 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-10-09 20:14 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-10-09 20:14 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-10-09 20:14 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-10-09 20:14 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-10-09 20:14 106,496 --------- C:\WINDOWS\system32\TwnLib20.dll
2007-10-09 20:12 2,682,880 --------- C:\WINDOWS\UNNeroVision.exe
2007-10-09 20:05 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-10-09 20:04 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-10-09 18:12 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-10-09 18:12 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-10-09 18:12 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-10-09 18:12 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-10-09 18:12 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-10-09 18:12 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-10-09 10:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-10-08 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 15:06 <DIR> d-------- C:\Documents and Settings\Joyce\Application Data\Share-to-Web Upload Folder
2007-10-07 16:22 717 --a------ C:\WINDOWS\EReg206.dat
2007-10-07 16:12 <DIR> d-------- C:\WINDOWS\EReg206
2007-10-06 18:30 <DIR> d-------- C:\tmp
2007-09-29 16:00 65,536 --a------ C:\WINDOWS\system32\a3d.dll
2007-09-24 18:35 <DIR> d-------- C:\Program Files\Temporary
2007-09-23 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-09-14 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-09-13 15:28 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Printer Info Cache
2007-09-13 15:26 <DIR> d-------- C:\Program Files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 00:01 --------- d-----w C:\Documents and Settings\Paul\Application Data\uTorrent
2007-10-11 23:49 --------- d-----w C:\Program Files\Trend Micro
2007-10-11 17:34 --------- d-----w C:\Program Files\Quicken
2007-10-10 22:37 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-10 22:37 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2007-10-10 22:35 19,424 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2007-10-10 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-10 17:12 --------- d-----w C:\Documents and Settings\Paul\Application Data\RipIt4Me
2007-10-10 00:15 --------- d-----w C:\Program Files\Ahead
2007-10-10 00:04 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-09 21:00 --------- d-----w C:\Program Files\ItsDeductible2005
2007-10-09 20:58 --------- d-----w C:\Program Files\TurboTax
2007-10-09 19:58 --------- d-----w C:\Program Files\Opera75
2007-10-09 16:08 --------- d-----w C:\Program Files\Ulead Systems
2007-10-09 16:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-08 22:11 --------- d-----w C:\Program Files\Creative
2007-10-07 21:06 --------- d-----w C:\Program Files\Java
2007-10-07 20:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-27 20:46 2,754 ----a-w C:\Documents and Settings\Paul\Application Data\SAS7_000.DAT
2007-09-25 02:22 --------- d-----w C:\Documents and Settings\Paul\Application Data\dvdcss
2007-09-25 02:12 --------- d-----w C:\Documents and Settings\Paul\Application Data\Ahead
2007-09-24 13:03 --------- d-----w C:\Program Files\Belkin Bulldog Plus
2007-09-23 22:09 --------- d-----w C:\Documents and Settings\Paul\Application Data\Nero
2007-09-14 13:48 --------- d-----w C:\Documents and Settings\Paul\Application Data\Image Zone Express
2007-09-13 19:26 --------- d-----w C:\Program Files\HP
2007-09-09 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-07 19:19 --------- d-----w C:\Program Files\PowerISO
2007-09-07 18:22 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-07 18:22 --------- d-----w C:\Program Files\Microsoft Works
2007-09-06 21:04 --------- d-----w C:\Program Files\QuickZip4
2007-08-19 17:39 --------- d-----w C:\Documents and Settings\Paul\Application Data\Nuance
2007-08-19 17:36 --------- d-----w C:\Program Files\Common Files\Scansoft Shared
2007-08-19 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-08-19 17:35 --------- d-----w C:\Program Files\Nuance
2007-08-19 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nuance
2007-08-17 23:02 --------- d-----w C:\Program Files\Codemasters
2007-08-16 14:12 --------- d-----w C:\Program Files\Copy-Discovery 2000
2007-08-13 23:15 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-12 19:48 --------- d-----w C:\Program Files\Diskeeper Corporation
2007-08-12 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2007-08-12 19:37 --------- d-----w C:\Program Files\Hewlett-Packard
2007-08-12 19:36 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-04-28 19:25 81,920 ----a-w C:\Documents and Settings\Paul\Application Data\ezpinst.exe
2007-04-28 19:25 47,360 ----a-w C:\Documents and Settings\Paul\Application Data\pcouffin.sys
2003-03-31 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56:43 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-10_11.34.46.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 11:22:52 51,680 -c----w C:\WINDOWS\$NtUninstallWdf01005$\spuninst\Kmdfcustom.dll
+ 2006-10-09 01:51:14 221,488 -c----w C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe
+ 2006-10-09 01:51:14 379,184 -c----w C:\WINDOWS\$NtUninstallWdf01005$\spuninst\updspapi.dll
+ 2007-10-10 22:04:13 25,214 ----a-r C:\WINDOWS\Installer\{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}\ARPPRODUCTICON.exe
+ 2007-10-10 22:04:13 25,214 ----a-r C:\WINDOWS\Installer\{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}\DS_CPL.exe
+ 2007-10-10 22:04:13 25,214 ----a-r C:\WINDOWS\Installer\{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}\ITP_HCG.exe
+ 2007-10-10 22:04:13 4,846 ----a-r C:\WINDOWS\Installer\{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}\ITP_KeyboardUG.exe
+ 2007-10-10 22:04:13 29,926 ----a-r C:\WINDOWS\Installer\{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}\NewShortcut1_5D5B9E6A344C497695ABABBDC648E5DA.exe
+ 2007-10-10 22:04:13 29,926 ----a-r C:\WINDOWS\Installer\{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}\NewShortcut2_5D5B9E6A344C497695ABABBDC648E5DA.exe
+ 2007-10-10 22:04:13 25,214 ----a-r C:\WINDOWS\Installer\{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}\PGM_CPL.exe
+ 2006-11-02 11:22:54 492,000 ------w C:\WINDOWS\system32\drivers\wdf01000.sys
+ 2006-11-02 11:22:52 32,224 ------w C:\WINDOWS\system32\drivers\wdfldr.sys
+ 2007-10-10 22:35:10 19,424 -c--a-w C:\WINDOWS\system32\DRVSTORE\ggsemc_F2D8FB989AD97EE3E644AD6BAA9E56E37DE856D3\x86\ggsemc.sys
+ 2007-10-10 22:35:10 1,419,232 -c--a-w C:\WINDOWS\system32\DRVSTORE\ggsemc_F2D8FB989AD97EE3E644AD6BAA9E56E37DE856D3\x86\wdfcoinstaller01005.dll
+ 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:40 190,696 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-10-11 12:59:07 45,218 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
- 2006-11-17 20:14:30 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2006-10-09 01:51:14 14,640 ------w C:\WINDOWS\system32\spmsg.dll
- 2006-10-16 20:10:58 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2006-10-09 01:51:14 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2007-10-12 00:17:35 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudCtrl"="AudCtrl.dll" [2002-03-21 19:53 C:\WINDOWS\system32\AudCtrl.dll]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29]
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe" [2007-01-23 02:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe" [2005-03-17 12:10]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 17:52]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\Paul\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe [2004-02-14 12:52:52]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]
MUPS.lnk - C:\Program Files\Belkin Bulldog Plus\MUPS.exe [2003-12-31 19:24:27]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 11:11:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutst]

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\WINDOWS\system32\drivers\pe3ah4nc.sys
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\WINDOWS\system32\drivers\ps6ah4nc.sys
R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys
R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys
R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys
R3 sbext;Sound Blaster Extigy Audio Driver;C:\WINDOWS\system32\DRIVERS\sbext.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\WINDOWS\system32\pr2ah4nc.exe svc
S3 ICDUSB2;Sony IC Recorder (P);C:\WINDOWS\system32\Drivers\ICDUSB2.sys
S3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\markfun.w32
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys
S3 vidcap;vidcap;C:\WINDOWS\system32\DRIVERS\vidcap.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2004-11-14 02:28:01 C:\WINDOWS\Tasks\HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1080782758.job"
- C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2007-10-11 20:20:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-10 11:34
C:\ComboFix2.txt ... 2007-10-10 11:35
.
--- E O F ---

---------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:32 PM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Inst ... S_live.cab
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx ... ,0,0831,02
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/ins ... _v01_6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8617141609
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - http://entimg.msn.com/client/msnediag3503.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral ... 10,0,910,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{0703F95A-7E05-4585-83F8-48511813BBD9}: NameServer = 216.89.226.2,216.89.226.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{0703F95A-7E05-4585-83F8-48511813BBD9}: NameServer = 216.89.226.2,216.89.226.3
O17 - HKLM\System\CS3\Services\Tcpip\..\{0703F95A-7E05-4585-83F8-48511813BBD9}: NameServer = 216.89.226.2,216.89.226.3
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

--
End of file - 8718 bytes
keyvexed
Active Member
 
Posts: 3
Joined: October 10th, 2007, 12:20 pm

Unread postby beynac » October 12th, 2007, 11:36 am

Good afternoon.

The good news is that the HijackThis log is clean. However, I'm a bit worried that the registry entry we deleted still appears in the ComboFix log but not in the HijackThis log (which was run later). The infection responsible for this entry is Vundo. Vundo often hides things from programs like HijackThis. Renaming HijackThis fools the program into showing us the full picture. So, we'll rename HijackThis and then run another tool which targets Vundo. Finally, we'll run another CFScript to have another go at that registry entry (if it's still there). Vundo will return if any traces remain on your system so we need to hit it hard!

I've had problems with TeaTimer before. It seems very reluctant to let us fix the computer! I would like to prevent it from starting up. Please go through the steps in my earlier post and then make sure that it's not running. If it is, then shut it down as before. We'll remove the startup entry in HijackThis which should, hopefully, prevent it from starting up at reboot. Please leave it disabled until we have finished. If you have problems, I suggest that you uninstall Spybot S&D and re-install it when we have finished.

-------------------------------------------------

Once TeaTimer has been shut down, run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing):

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -


Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

Close HijackThis.

Click on Start then My Computer and navigate to the folder C:\Program Files\Trend Micro\HijackThis\ and rename HijackThis.exe as NoHiding.exe.

Reboot the computer.

------------------------------------------------

VundoFix

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • It will create a report named vundofix.txt on your main drive (C:\vundofix.txt)
Note: It is possible that VundoFix may encounter a file it cannot remove.
In this case, VundoFix will run on reboot. Simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

------------------------------------------------

Open Notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\tmp

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutst]


Save this on your Desktop as CFScript.txt

[Image: CFScript.txt being dragged onto ComboFix.exe]
ComboFix should also be on your Desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall

Please post, as a reply to this thread:
  • The VundoFix report (C:\vundofix.txt)
  • The ComboFix log
  • A new HijackThis log (run as NoHiding)
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
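
The winlogon\notify\vtuutst key that the CFScript above deletes is a Winlogon Notify package: winlogon.exe loads the DLL named in the subkey's DllName value at logon, which is why Vundo plants a randomly named entry there. As an added example (not from this thread, ComboFix or VundoFix), the Python below audits that key against an assumed Windows XP SP2 baseline, flags entries that are unknown, orphaned or loaded from outside system32, and renders a Registry:: section in the same CFScript form the helper used; the baseline set, the sample entries and the pretend file list are constructed assumptions.

```python
"""Audit Winlogon\\Notify for unknown packages and draft a CFScript for them."""
import ntpath, os, sys

NOTIFY_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SYSTEM32 = r"C:\WINDOWS\system32"
# Notify packages shipped with Windows XP SP2 (assumed baseline from memory;
# confirm against a known-clean machine of the same build before relying on it).
XP_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
               "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def audit_notify_entries(entries, file_exists=os.path.isfile):
    """entries: {subkey: DllName} -> [(subkey, reason)]; file_exists is injectable."""
    findings = []
    for subkey, dll_name in entries.items():
        reasons = []
        if subkey.lower() not in XP_BASELINE:
            reasons.append("not in XP baseline")
        # A bare file name in DllName is loaded from system32 by winlogon.exe.
        path = dll_name if ntpath.dirname(dll_name) else ntpath.join(SYSTEM32, dll_name)
        if not dll_name:
            reasons.append("empty DllName")
        elif not file_exists(path):
            reasons.append("DllName does not exist: " + path)
        elif ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(SYSTEM32):
            reasons.append("DLL outside system32: " + path)
        if reasons:
            findings.append((subkey, "; ".join(reasons)))
    return findings

def cfscript_for(findings):
    """Render a Registry:: section like the helper's CFScript; '-' deletes the key."""
    keys = ["[-HKEY_LOCAL_MACHINE\\%s\\%s]" % (NOTIFY_PATH, s) for s, _ in findings]
    return "Registry::\n" + "\n".join(keys) + "\n"

def read_notify_entries():
    """Read the live key (Windows only). Returns {subkey: DllName}."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_PATH) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                try:
                    entries[name] = winreg.QueryValueEx(sub, "DllName")[0]
                except FileNotFoundError:
                    entries[name] = ""
    return entries

# Constructed sample modelled on this thread: three XP defaults, the Vundo key
# 'vtuutst' from the ComboFix log, and an orphaned entry whose DLL is gone.
SAMPLE_ENTRIES = {"crypt32chain": "crypt32.dll", "ScCertProp": "wlnotify.dll",
                  "Schedule": "wlnotify.dll", "vtuutst": "vtuutst.dll",
                  "leftover": "leftover.dll"}
SAMPLE_DISK = {ntpath.normcase(ntpath.join(SYSTEM32, f))  # pretend disk contents
               for f in ("crypt32.dll", "wlnotify.dll", "vtuutst.dll")}

def sample_file_exists(path):
    return ntpath.normcase(path) in SAMPLE_DISK

if __name__ == "__main__":  # live audit on Windows, the constructed sample elsewhere
    live = sys.platform == "win32"
    hits = audit_notify_entries(read_notify_entries() if live else SAMPLE_ENTRIES,
                                os.path.isfile if live else sample_file_exists)
    print("".join("SUSPECT %-13s %s\n" % h for h in hits) + cfscript_for(hits))
```

Review the flagged keys by hand before feeding the rendered section to ComboFix: a legitimate third-party Notify package is also "not in XP baseline".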

Unread postby beynac » October 14th, 2007, 6:39 am

Good morning.

Are you having problems with the fix? If so, please let me know.

-----------------------------------------------

I note that you also posted to the Lavasoft Support forum for help. Please let them know that you are receiving help here. Posting to more than one forum will cause problems and ties up more than one helper. Please see this link for more details.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby Elrond » October 22nd, 2007, 2:26 pm

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Elrond
Admin/Teacher
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem