Need Help with removing Vundo?

Post by busch » January 21st, 2008, 1:15 pm

I think I have the Vundo Malware. I have a file that the virus program cannot remove. It is jkkhhhe.dll
Here is the Hijack this log. Can you help me?
Thanks!
Mike


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\VIEWPOINT\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {434BF110-6BD0-4126-F8BC-14A392F6A892} - C:\WINDOWS\System32\dqn.dll
O2 - BHO: (no name) - {536518E2-F6D4-45A6-AF8B-9F7FF06BB22E} - C:\WINDOWS\System32\urqpq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\System32\jkkhhhe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\PROGRAM FILES\HELLO\PICASACAPTURE.DLL
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\PROGRAM FILES\HELLO\PICASACAPTURE.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra button: @Home - {70CAD800-1548-11D8-B7B7-00D0B719E641} - http://home.excite.com (file missing) (HKCU)
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/c ... 21t0_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/c ... vpt0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/c ... dct2_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/c ... /ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potc_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://sunam1.sslcert11.com/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9504987953
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/install ... nstall.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLo ... ckLoan.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\PROGRAM FILES\VIEWPOINT\Common\ViewpointService.exe

--
End of file - 6291 bytes
busch
Active Member
 
Posts: 4
Joined: January 21st, 2008, 11:37 am

Re: Need Help with removing Vundo?

Post by DFW » January 22nd, 2008, 7:44 am

Hello and welcome. My name is DFW and I will be assisting you with your malware issues.

Please be patient as I need some time to review your HijackThis log, and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Need Help with removing Vundo?

Post by busch » January 22nd, 2008, 10:14 am

DFW,
Thanks! I will be waiting on your help.
Mike
busch
Active Member
 
Posts: 4
Joined: January 21st, 2008, 11:37 am

Re: Need Help with removing Vundo?

Post by DFW » January 22nd, 2008, 1:15 pm

Hi busch

Can you please run HijackThis again and post a new log? It is very important to have the top part, which looks something like this:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:07, on 22/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal


Please post the complete log in your next reply.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Need Help with removing Vundo?

Post by busch » January 22nd, 2008, 2:28 pm

How is this?
Mike

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:26:23 PM, on 1/22/2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\VIEWPOINT\Common\ViewpointService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\USER\Desktop\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {434BF110-6BD0-4126-F8BC-14A392F6A892} - C:\WINDOWS\System32\dqn.dll
O2 - BHO: (no name) - {536518E2-F6D4-45A6-AF8B-9F7FF06BB22E} - C:\WINDOWS\System32\urqpq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\System32\jkkhhhe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\PROGRAM FILES\HELLO\PICASACAPTURE.DLL
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\PROGRAM FILES\HELLO\PICASACAPTURE.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra button: @Home - {70CAD800-1548-11D8-B7B7-00D0B719E641} - http://home.excite.com (file missing) (HKCU)
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/c ... 21t0_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/c ... vpt0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/c ... dct2_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/c ... /ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potc_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://sunam1.sslcert11.com/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9504987953
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/install ... nstall.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLo ... ckLoan.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\PROGRAM FILES\VIEWPOINT\Common\ViewpointService.exe

--
End of file - 6343 bytes
busch
Active Member
 
Posts: 4
Joined: January 21st, 2008, 11:37 am
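The helpers in this thread are reading the O2 (Browser Helper Object) lines of the HijackThis log by eye: a BHO with "(no name)" that loads from System32 under a short random-looking filename such as jkkhhhe.dll, dqn.dll or urqpq.dll, or whose registration points at a file that is already gone, is the pattern they are looking for. The script below is an added example, not part of the forum thread and not HijackThis's or ComboFix's own code. It parses O2 lines into records and applies those same checks as explicit, reviewable rules. The sample lines are copied from busch's log above; the list of system directories and the vowel-ratio threshold used for the "random-looking name" check are assumptions, and that check is only a supporting indicator (legitimate short names can trip it), which is why it is never applied to a named BHO.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the O2 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {434BF110-6BD0-4126-F8BC-14A392F6A892} - C:\WINDOWS\System32\dqn.dll
O2 - BHO: (no name) - {536518E2-F6D4-45A6-AF8B-9F7FF06BB22E} - C:\WINDOWS\System32\urqpq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\System32\jkkhhhe.dll
"""

# HijackThis O2 line layout: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Assumption: directories where a legitimate BHO rarely lives. A third-party
# helper normally installs under Program Files, not next to the OS DLLs.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\system\\")

# Assumption: below this share of vowels a lowercase-only stem is treated as
# "random-looking". This is a weak signal and is only used on unnamed BHOs.
VOWEL_RATIO_THRESHOLD = 0.3


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    file_missing: bool
    flags: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def parse_o2(line: str) -> Optional[BhoEntry]:
    """Parse one O2 line; return None for any other HijackThis line type."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return BhoEntry(m["name"], m["clsid"].upper(), m["path"], m["missing"] is not None)


def vowel_ratio(stem: str) -> float:
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in "aeiou" for c in letters) / len(letters)


def assess(entry: BhoEntry) -> BhoEntry:
    """Attach a human-readable flag for each rule the entry matches."""
    lower_path = entry.path.lower()
    in_system_dir = any(d in lower_path for d in SYSTEM_DIRS)
    unnamed = entry.name == "(no name)"
    filename = entry.path.rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]

    if unnamed and in_system_dir:
        entry.flags.append("unnamed BHO loaded from the Windows system directory")
    if entry.file_missing:
        entry.flags.append("registration points at a file that no longer exists (orphaned)")
    if unnamed and stem.isalpha() and stem.islower() and vowel_ratio(stem) < VOWEL_RATIO_THRESHOLD:
        entry.flags.append(f"random-looking filename '{filename}'")
    return entry


def scan_log(text: str) -> List[BhoEntry]:
    """Return every O2 entry in a HijackThis log, each assessed against the rules above."""
    parsed = (parse_o2(line) for line in text.splitlines())
    return [assess(e) for e in parsed if e is not None]


def report(text: str) -> List[str]:
    """One line per suspicious BHO: CLSID, path and the reasons it was flagged."""
    return [
        f"{e.clsid} {e.path}: " + "; ".join(e.flags)
        for e in scan_log(text)
        if e.suspicious
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run as-is, the script reports dqn.dll, urqpq.dll and jkkhhhe.dll and leaves the Adobe and Spybot helpers alone: SDHelper.dll is also "(no name)", but it lives under Program Files and has a normal-looking name, which is exactly the distinction the volunteers make when they tell a poster not to let HijackThis fix everything it lists. The CLSID is kept in the record because it is the stable handle for the registration; the DLL name changes between Vundo variants, the registry key is what has to be cleaned.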

Re: Need Help with removing Vundo?

Post by DFW » January 23rd, 2008, 4:00 am

Your currently installed HijackThis is the old beta one; follow the instructions below.

We need you to remove programs from the Add/Remove Programs list.

Please go to: Start Menu\Settings\Control Panel\Add/Remove Programs

Find and remove these programs (if they are present):

HijackThis

My Quicksearch

Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Don't use the Analyse This button; its findings are dangerous if misinterpreted.
  • Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Close HJT for now


1. Download ComboFix from one of the links below and save it to your desktop:

Link 1
Link 2
Link 3

2. Double-click ComboFix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Note: ComboFix should not be used without supervision.

Post the ComboFix log and a new HJT log.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Need Help with removing Vundo?

Post by busch » January 23rd, 2008, 12:27 pm

Here is the ComboFix log:
ComboFix 08-01-23.2 - USER 2008-01-23 11:14:19.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.171 [GMT -5:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\#SharedObjects\SJMPA9PC\www.broadcaster.com
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1\??crosoft\
C:\Program Files\outerinfo
C:\WINDOWS\system32\dqn.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\qpqru.ini
C:\WINDOWS\SYSTEM32\qpqru.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 11:13 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 11:07 . 2008-01-23 11:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 10:25 . 2008-01-21 10:25 <DIR> d-------- C:\VundoFix Backups
2008-01-20 11:23 . 2008-01-20 11:23 <DIR> d-------- C:\Program Files\Network Associates
2008-01-19 21:04 . 2008-01-19 21:04 <DIR> d-------- C:\Program Files\InCode Solutions
2008-01-19 19:02 . 2008-01-19 19:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\àppPatch
2008-01-19 19:02 . 2008-01-19 19:02 <DIR> d-------- C:\Temp\gTiis19
2008-01-19 19:01 . 2008-01-19 19:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-01-19 19:01 . 2008-01-19 19:01 <DIR> d-------- C:\Temp\cXzz9
2008-01-19 19:01 . 2008-01-19 19:01 <DIR> d-------- C:\Temp
2008-01-18 12:23 . 2008-01-18 12:50 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2008-01-18 12:18 . 2004-11-24 23:07 79,679 --a------ C:\WINDOWS\SYSTEM32\E_FLMAEA.DLL
2008-01-18 12:18 . 2003-05-20 21:27 64,000 --a------ C:\WINDOWS\SYSTEM32\E_FBCBAEA.DLL
2008-01-18 12:18 . 2000-06-06 20:01 34,304 --a------ C:\WINDOWS\SYSTEM32\E_FBCHAEA.DLL
2008-01-18 12:18 . 2001-08-17 14:03 24,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
2008-01-18 12:18 . 2001-08-17 14:03 24,960 --a------ C:\WINDOWS\SYSTEM32\dllcache\usbccgp.sys
2008-01-18 12:18 . 2001-08-17 14:00 24,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbprint.sys
2008-01-18 12:18 . 2001-08-17 14:00 24,832 --a------ C:\WINDOWS\SYSTEM32\dllcache\usbprint.sys
2008-01-18 12:18 . 2001-08-17 13:53 13,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscan.sys
2008-01-18 12:18 . 2001-08-17 13:53 13,824 --a------ C:\WINDOWS\SYSTEM32\dllcache\usbscan.sys
2008-01-18 12:17 . 2005-02-25 00:00 46,080 --a------ C:\WINDOWS\SYSTEM32\escimgd.dll
2008-01-18 12:17 . 2005-02-25 00:00 29,696 --a------ C:\WINDOWS\SYSTEM32\escwiad.dll
2008-01-18 12:17 . 2005-02-25 00:00 22,016 --a------ C:\WINDOWS\SYSTEM32\esccmd.dll
2008-01-18 11:32 . 2008-01-18 11:32 <DIR> d-------- C:\Program Files\MGI
2008-01-18 11:32 . 1998-08-15 16:07 2 --a------ C:\WINDOWS\PhotoSuite.ini
2008-01-17 15:44 . 2008-01-17 15:44 <DIR> d-------- C:\Program Files\Coupons
2008-01-17 15:44 . 2008-01-17 15:44 193,880 -rah----- C:\WINDOWS\SYSTEM32\cpnprt2.cid
2008-01-10 15:43 . 2008-01-10 15:43 <DIR> d-------- C:\Program Files\eMule
2008-01-05 15:25 . 2002-08-25 11:00 449,888 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\Cap7134.sys
2008-01-05 15:25 . 2002-01-31 16:50 90,112 -ra------ C:\WINDOWS\SYSTEM32\34dialog.dll
2008-01-05 15:25 . 2002-01-31 16:50 73,728 -ra------ C:\WINDOWS\SYSTEM32\34dd.dll
2008-01-05 15:25 . 2002-06-19 11:00 32,768 -ra------ C:\WINDOWS\SYSTEM32\Prop7134.dll
2008-01-05 14:13 . 2002-11-14 14:42 218,624 --a------ C:\WINDOWS\SYSTEM32\srrstr.dll
2008-01-05 14:13 . 2002-11-14 14:42 218,624 --a------ C:\WINDOWS\SYSTEM32\dllcache\srrstr.dll
2008-01-05 14:11 . 2008-01-05 14:11 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-05 14:08 . 2008-01-05 14:08 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2008-01-05 14:08 . 2004-01-10 00:11 26,112 --a------ C:\WINDOWS\SYSTEM32\xpsp1hfm.exe
2008-01-04 22:53 . 2008-01-04 22:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-01-04 22:52 . 2004-07-01 17:08 361,984 --a------ C:\WINDOWS\SYSTEM32\dllcache\qmgr.dll
2008-01-04 22:52 . 2004-07-01 17:08 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-01-04 22:52 . 2004-06-30 18:59 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2008-01-04 22:52 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-01-04 22:52 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\SYSTEM32\dllcache\qmgrprxy.dll
2008-01-04 22:52 . 2004-07-01 17:08 7,680 --------- C:\WINDOWS\SYSTEM32\dllcache\bitsprx2.dll
2008-01-04 22:52 . 2004-07-01 17:08 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2008-01-04 22:52 . 2004-07-01 17:08 7,168 --------- C:\WINDOWS\SYSTEM32\dllcache\bitsprx3.dll
2008-01-04 22:52 . 2004-07-01 17:08 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2008-01-04 22:50 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2008-01-04 22:50 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2008-01-04 22:50 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2008-01-04 22:50 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2008-01-04 22:50 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-01-04 22:50 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2008-01-04 22:50 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-01-04 22:50 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-01-04 22:50 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-01-03 14:56 . 2008-01-03 14:56 <DIR> d-------- C:\Program Files\GPLGS
2008-01-03 14:55 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\SYSTEM32\cpwmon2k.dll
2008-01-03 13:21 . 2008-01-03 13:21 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-02 18:52 . 2008-01-02 18:52 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-02 18:52 . 2007-07-27 03:26 37,768 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\OLD200.tmp
2008-01-02 18:52 . 2001-08-17 14:03 30,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wceusbsh.sys
2008-01-02 18:52 . 2001-08-17 14:03 30,208 --a------ C:\WINDOWS\SYSTEM32\dllcache\wceusbsh.sys
2008-01-01 20:46 . 2008-01-01 20:46 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-01 20:45 . 2008-01-01 20:45 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-01-01 20:45 . 2008-01-01 20:47 425 --ah----- C:\IPH.PH
2008-01-01 12:26 . 2008-01-01 12:26 <DIR> d--hs---- C:\Recycled
2008-01-01 11:30 . 2008-01-01 11:30 45,056 --ahs---- C:\Thumbs.db
2007-12-31 16:15 . 2007-12-31 16:16 <DIR> d-------- C:\Program Files\XXCLONE
2007-12-31 11:09 . 2002-01-31 16:50 90,112 --------- C:\WINDOWS\SYSTEM32\34COM.dll
2007-12-31 09:41 . 2001-04-09 23:11 79,998 --a------ C:\WINDOWS\SYSTEM32\atmenuxx.hlp
2007-12-31 09:41 . 2007-12-31 09:48 10,842 --ah----- C:\WINDOWS\SYSTEM32\ATMenuxx.GID
2007-12-31 09:38 . 2007-12-31 09:38 <DIR> d-------- C:\ATI
2007-12-30 17:11 . 2007-12-30 17:11 <DIR> d-------- C:\EPSONREG
2007-12-30 17:11 . 2007-12-30 17:11 196 --a------ C:\WINDOWS\PowerReg.dat
2007-12-30 17:09 . 2001-03-04 21:15 61,598 --a------ C:\WINDOWS\SYSTEM32\E_SL2354.DLL
2007-12-30 17:09 . 2000-06-06 20:01 34,304 --a------ C:\WINDOWS\SYSTEM32\EBPCHP.DLL
2007-12-30 17:09 . 2000-06-25 21:20 32,768 --a------ C:\WINDOWS\SYSTEM32\ECBTEG.DLL
2007-12-30 17:08 . 2007-12-30 17:08 23 --a------ C:\WINDOWS\EPS820.ini
2007-12-30 14:51 . 2001-08-17 14:03 21,760 --a------ C:\WINDOWS\SYSTEM32\dllcache\usbstor.sys
2007-12-30 14:24 . 2007-12-30 14:24 <DIR> d---s---- C:\WINDOWS\SYSTEM32\Microsoft
2007-12-30 14:23 . 2007-12-30 14:23 20,480 --a------ C:\WINDOWS\REGCARDS.OLD
2007-12-30 14:19 . 2007-12-30 14:19 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-12-30 14:14 . 2001-08-18 07:00 684,081 --a------ C:\WINDOWS\SYSTEM32\dllcache\pintlgnt.ime
2007-12-30 14:13 . 2001-08-18 07:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\dllcache\msir3jp.lex
2007-12-30 14:12 . 2001-08-18 07:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2007-12-30 14:11 . 2001-08-18 07:00 10,096,640 --a------ C:\WINDOWS\SYSTEM32\dllcache\hwxcht.dll
2007-12-30 14:10 . 2001-08-17 22:36 2,134,528 --a------ C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpsnap.dll
2007-12-30 14:09 . 2007-12-30 14:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\xircom
2007-12-30 14:09 . 2001-08-18 07:00 264,704 --a------ C:\WINDOWS\SYSTEM32\dllcache\certwiz.ocx
2007-12-30 14:09 . 2001-08-18 07:00 249,344 --a------ C:\WINDOWS\SYSTEM32\dllcache\adsiis51.dll
2007-12-30 14:09 . 2001-08-18 07:00 94,720 --a------ C:\WINDOWS\SYSTEM32\dllcache\certmap.ocx
2007-12-30 14:09 . 2001-08-18 07:00 34,816 --a------ C:\WINDOWS\SYSTEM32\dllcache\admwprox.dll
2007-12-30 14:09 . 2001-05-22 21:15 20,540 --a------ C:\WINDOWS\SYSTEM32\dllcache\author.dll
2007-12-30 14:09 . 2001-05-22 21:15 20,540 --a------ C:\WINDOWS\SYSTEM32\dllcache\admin.dll
2007-12-30 14:09 . 2001-05-22 21:15 16,439 --a------ C:\WINDOWS\SYSTEM32\dllcache\author.exe
2007-12-30 14:09 . 2001-05-22 21:15 16,439 --a------ C:\WINDOWS\SYSTEM32\dllcache\admin.exe
2007-12-30 14:08 . 2007-12-30 14:08 5,050 --a------ C:\WINDOWS\LnkStub.dat
2007-12-30 13:51 . 2008-01-04 10:22 299,552 --a------ C:\WINDOWS\WMSysPrx.prx
2007-12-30 13:51 . 2007-12-30 14:26 25,065 --a------ C:\WINDOWS\SYSTEM32\wmpscheme.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 14:00 --------- d-----w C:\Program Files\epson
2007-12-15 20:06 --------- d-----w C:\Program Files\Web Album Generator
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2007-11-29 22:30 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-29 22:30 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2007-11-29 22:30 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-11-29 22:30 129,784 ------w C:\WINDOWS\SYSTEM32\pxafs.dll
2007-11-29 22:30 120,056 ------w C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2007-11-29 22:30 118,520 ------w C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2007-11-28 19:38 --------- d-----w C:\Program Files\FLV Player
2005-02-09 03:32 198,514 ----a-w C:\Program Files\Common Files\ISO1.nri
2003-10-08 18:10 266 --sh--w C:\Program Files\desktop.ini
2003-10-08 18:10 11,079 ---h--w C:\Program Files\folder.htt
2005-02-17 16:17 10,022 --sha-w C:\WINDOWS\SYSTEM\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{536518E2-F6D4-45A6-AF8B-9F7FF06BB22E}]
C:\WINDOWS\System32\urqpq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2001-08-18 12:00 8322560 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-18 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-19 20:21 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 14:56 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoRun"= 0 (0x0)
"NoClose"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2001-10-10 15:59 270336 C:\WINDOWS\SYSTEM32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2001-10-16 13:10 258118 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\urqpq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRemote]
C:\Program Files\InterVideo\WinDVR\WinRemote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINSCHEDULER]
C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-20 16:30 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE" -quiet
"PhotoShow Deluxe Media Manager"=C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\MSSYSMGR.EXE
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"NBJ"="C:\PROGRAM FILES\AHEAD\NERO BACKITUP\NBJ.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo 820 Series"=C:\WINDOWS\SYSTEM\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
"TV Card Remote Control Applet"=C:\WINDOWS\713XRMT.EXE
"ICH Synth"=eusexe.exe
"SBMX"=C:\WINDOWS\SYSTEM32\SBMX.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"WINSCHEDULER"=C:\PROGRA~1\INTERV~1\WINDVR\WINSCH~1.EXE
"WinRemote"="C:\Program Files\InterVideo\WinDVR\WinRemote.exe"
"EPSON Stylus CX4200 Series"=C:\WINDOWS\SYSTEM\E_S6I2E1.EXE /P26 "EPSON Stylus CX4200 Series" /O7 "EPUSB1:" /M "Stylus CX4200"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"mdac_runonce"=C:\WINDOWS\SYSTEM32\RUNONCE.EXE
"AVG7_CC"=C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
"AVG7_EMC"=C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
"AVG7_AMSVR"=C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"LoadQM"=loadqm.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"RegShave"=C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\PROGRAM FILES\VIEWPOINT\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 ati2mpad;ati2mpad;C:\WINDOWS\System32\DRIVERS\ati2mpad.sys [2002-02-18 14:19]
R3 ess;ESS Audio Driver (WDM);C:\WINDOWS\System32\drivers\ess.sys [2001-08-17 12:19]
S2 713xTVCard;SAA7130 TV Card;C:\WINDOWS\System32\DRIVERS\SAA713x.sys [2005-03-15 12:00]
S2 Cap7134;TV Capture Card 7130;C:\WINDOWS\System32\DRIVERS\Cap7134.sys [2002-08-25 11:00]
S3 PhTVTune;TV Capture Card tv tuner;C:\WINDOWS\System32\DRIVERS\PhTVTune.sys [2002-07-16 11:00]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5A5CAB25-2E2E-4C2D-7C0C-3F658B6D567A}]
C:\WINDOWS\svchost.exe 2

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-01-23 14:00:02 C:\WINDOWS\Tasks\m02[1].job"
- C:\WINDOWS\Temporary Internet Files\Content.IE5\MFAT8VY7\m02[1].mpeg
"2008-01-23 14:00:02 C:\WINDOWS\Tasks\get_video[1].job"
- C:\WINDOWS\Temporary Internet Files\Content.IE5\D5FIO1GQ\get_video[1]
"2008-01-23 14:00:02 C:\WINDOWS\Tasks\CarrieAnn_Inaba_STF338[1].job"
- C:\WINDOWS\Temporary Internet Files\Content.IE5\MFAT8VY7\CarrieAnn_Inaba_STF338[1].dat
"2008-01-23 14:00:02 C:\WINDOWS\Tasks\Slut_Wife_Amy[1].job"
- C:\WINDOWS\Temporary Internet Files\Content.IE5\YOOQ2VO6\Slut_Wife_Amy[1].wmv
"2007-12-30 19:24:34 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 11:20:53
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Here is the HiJack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26, on 2008-01-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\VIEWPOINT\Common\ViewpointService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {536518E2-F6D4-45A6-AF8B-9F7FF06BB22E} - C:\WINDOWS\System32\urqpq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\PROGRAM FILES\HELLO\PICASACAPTURE.DLL
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\PROGRAM FILES\HELLO\PICASACAPTURE.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @Home - {70CAD800-1548-11D8-B7B7-00D0B719E641} - http://home.excite.com (file missing) (HKCU)
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/c ... 21t0_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/c ... vpt0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/c ... dct2_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/c ... /ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potc_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://sunam1.sslcert11.com/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9504987953
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/install ... nstall.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLo ... ckLoan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\PROGRAM FILES\VIEWPOINT\Common\ViewpointService.exe

--
End of file - 5606 bytes
busch
Active Member
 
Posts: 4
Joined: January 21st, 2008, 11:37 am

Re: Need Help with removing Vundo?

Unread postby DFW » January 24th, 2008, 4:37 am

Hi busch


You are currently using an unpatched version of Windows XP.
Before attempting further removal of malware, it is CRITICAL that you update to Service Pack 1a, so we are both not wasting our time.


You will need to Validate your copy of Windows XP here first: http://www.microsoft.com/resources/howt ... fault.mspx
Click on "Run the Windows Validation Assistant". Let me know the results.

Update Your Windows XP If all is ok.

Get SP1a here : http://www.microsoft.com/windowsxp/down ... fault.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.

Do Not Install SP2 Until You Are Clean

Also, it appears that you do not have a Firewall. Are you using the Windows or a Hardware Firewall?


Now please post a new HJT Log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Need Help with removing Vundo?

Unread postby DFW » January 26th, 2008, 6:03 pm

Hi busch

How are you getting on with this? If you need help, please ask.
Please keep in mind that if a topic goes unanswered for 5 days, it's policy to close it.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Need Help with removing Vundo?

Unread postby Elrond » January 30th, 2008, 5:03 pm

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 5 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem