Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


New Log posting. Please help, thanx.


Jotti results for: C:\WINDOWS\system32\asvafutd.dll

Unread post by GarrySelman » March 28th, 2007, 4:35 pm

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: asvafutd.dll
Status: INFECTED/MALWARE
MD5 8816ab889f5eef6c0388d189e44ca00c
Packers detected: VIRTUMONDE, PE_PATCH.UPX, UPX

Scanner results
Scan taken on 28 Mar 2007 20:30:47 (GMT)
AntiVir Found TR/Vundo.Gen
ArcaVir Found Adware.Virtumonde.Ar
Avast Found nothing
AVG Antivirus Found Generic.XYE
BitDefender Found Trojan.Virtumod.JB
ClamAV Found Trojan.Packed-5
Dr.Web Found Trojan.Virtumod
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.ar (4, 1, 400)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.ar
NOD32 Found Win32/Adware.Virtumonde.FT application
Norman Virus Control Found W32/Virtumonde.FVM
Panda Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.Virtumonde.ar


Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 15Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, HotelScraper.com, people who donated in the past, and some people who prefer to remain anonymous... many thanks to all!
--------------------------------------------------------------------------------


Statistics
Last file scanned at least one scanner reported something about: Result.exe (MD5: 7bf98cc1fcb51afe79ab9454c949f035, size: 525644 bytes), detected by:

Scanner Malware name
AntiVir TR/Agent.aox
ArcaVir X
Avast Win32:Small-DQX
AVG Antivirus X
BitDefender Trojan.MulDrop.JA
ClamAV Trojan.Spy-2857
Dr.Web Trojan.MulDrop.5822
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control W32/Bifrose.GLE
Panda Antivirus X
VirusBuster X
VBA32 Trojan.CC-Joiner.1_5_2


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.






Copyright © 2004-2007 Jordi Bosveld <jotti@jotti.org>
GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Jotti results for:.. Microsoft Shared\MSINFO\rejoice2007.exe

Unread post by GarrySelman » March 28th, 2007, 4:40 pm

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: rejoice2007.exe
Status: INFECTED/MALWARE
MD5 34752876a4fd39dd70363312599064bb
Packers detected: NSPACK, ASPACK

Scanner results
Scan taken on 28 Mar 2007 20:36:45 (GMT)
AntiVir Found TR/Delphi.Downloader.Gen
ArcaVir Found nothing
Avast Found Win32:Delf-DNR
AVG Antivirus Found nothing
BitDefender Found Generic.Graybird.F595AD37
ClamAV Found nothing
Dr.Web Found BackDoor.Pigeon.775
F-Prot Antivirus Found Possibly a new variant of W32/PWStealer.gen1
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
VirusBuster Found Packed/NSPack
VBA32 Found nothing



Statistics
Last file scanned at least one scanner reported something about: ScrExtraName.exe (MD5: 254301bd99c3dffca0d49cce581e0a2a, size: 468992 bytes), detected by:

Scanner Malware name
AntiVir TR/Dldr.Swizzor.Gen
ArcaVir X
Avast X
AVG Antivirus Downloader.Obfuskated
BitDefender Trojan.FatObfus.Gen
ClamAV X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus Trojan.Win32.Obfuscated.en
Fortinet X
Kaspersky Anti-Virus Trojan.Win32.Obfuscated.en
NOD32 X
Norman Virus Control X
Panda Antivirus X
VirusBuster Adware.Lop.Gen
VBA32 MalwareScope.Trojan-Downloader.Obfuscated.2


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.





GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Unread post by Susan528 » March 28th, 2007, 5:32 pm

Hello Garry,

I am looking forward to seeing the results of rapport.txt.

The files submitted to Jotti appear to be bad. Please do the following:

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Please go to the link above and scroll down so that you see the board with the headings -subjects, started by, replies, etc. You will see a tab “New Topic”
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

SmitFraudFix report

Unread post by GarrySelman » March 28th, 2007, 5:33 pm

SmitFraudFix v2.158

Scan done at 22:31:05.18, 28/03/2007
Run from C:\Documents and Settings\Garry\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Garry


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Garry\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Garry\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.hornby.com/img/lvestm/pic_instr.jpg"
"SubscribedURL"="http://www.hornby.com/img/lvestm/pic_instr.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Unread post by GarrySelman » March 28th, 2007, 5:42 pm

Successfully posted rejoice2007.exe to spykiller forum.
GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Unread post by Susan528 » March 28th, 2007, 8:23 pm

Thanks Garry for uploading that file.

Please do the following:

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6.0.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

Please set your system to show all files; please see here if you're unsure how to do this.

Scan with HijackThis. Place a check against each of the following:
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\asvafutd.dll",setvm
O23 - Service: svchost - Unknown owner - -C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice2007.exe (file missing)

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\system32\asvafutd.dll <= file
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice2007.exe <= file
Exit Explorer.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-spyware, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If AVG Anti-spyware finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close AVG Anti-spyware and Reboot in Normal Mode.

Post (reply) with a fresh HijackThis log and the AVG Anti-Spyware log.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

AVG Spyware log (SafeMode)

Unread post by GarrySelman » March 30th, 2007, 12:42 am

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 05:41:31 29/03/2007

+ Scan result:



C:\System Volume Information\_restore{42F5526E-93B8-4E10-8CD8-737E66777469}\RP1\A0000046.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{42F5526E-93B8-4E10-8CD8-737E66777469}\RP1\A0000047.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{42F5526E-93B8-4E10-8CD8-737E66777469}\RP1\A0000045.exe -> Adware.ZenoSearch : No action taken.
C:\System Volume Information\_restore{42F5526E-93B8-4E10-8CD8-737E66777469}\RP1\A0000048.exe -> Adware.ZenoSearch : No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\svchost -> Not-A-Virus.Monitor.Win32.AdvancedKEYLOGGER : No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\svchost\Enum -> Not-A-Virus.Monitor.Win32.AdvancedKEYLOGGER : No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\svchost\Security -> Not-A-Virus.Monitor.Win32.AdvancedKEYLOGGER : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@oasc06006.247realmedia[2].txt -> TrackingCookie.247realmedia : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@sonyeurope.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@admarketplace[1].txt -> TrackingCookie.Admarketplace : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@www.adobe[1].txt -> TrackingCookie.Adobe : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@adviva[1].txt -> TrackingCookie.Adviva : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@bfast[1].txt -> TrackingCookie.Bfast : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@bfast[2].txt -> TrackingCookie.Bfast : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@www.burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@clickbank[2].txt -> TrackingCookie.Clickbank : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@connextra[9].txt -> TrackingCookie.Connextra : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@www.cheappatiodoors.com.0.fb.dbbsrv[2].txt -> TrackingCookie.Dbbsrv : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wfkociczihp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wfliqpdzslq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wfmisodpkkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wgmyclcjakp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wgmyehcpeco.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wjl4qpd5ego.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wjliqidzwhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wjlyshcjihq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wjmygndpilp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@as1.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@ehg-hollywood.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@hypertracker[2].txt -> TrackingCookie.Hypertracker : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@search.live[2].txt -> TrackingCookie.Live : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@image.masterstats[1].txt -> TrackingCookie.Masterstats : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@data1.perf.overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@data2.perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@data3.perf.overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@www.paypal[1].txt -> TrackingCookie.Paypal : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@uk.real[1].txt -> TrackingCookie.Real : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@anad.tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@anat.tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@m.webtrends[1].txt -> TrackingCookie.Webtrends : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@yadro[1].txt -> TrackingCookie.Yadro : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Garry\Cookies\garry@zedo[2].txt -> TrackingCookie.Zedo : No action taken.
C:\Program Files\thriXXX\3D SexVilla\Binaries\3DSexVilla-017-001-start.exe -> Trojan.QQPass.ly : No action taken.
C:\System Volume Information\_restore{42F5526E-93B8-4E10-8CD8-737E66777469}\RP1\A0000050.vbs -> Trojan.Small : No action taken.


::Report end
GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Hijackthis Scan log 30.3.07 (Normal boot mode)

Unread post by GarrySelman » March 30th, 2007, 12:43 am

Logfile of HijackThis v1.99.1
Scan saved at 05:40:45, on 30/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Logitech\MouseWare\System\Em_exec.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [PRONoMgr.exe] -C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] -rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [REGSHAVE] -C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NVRTCLK] -C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] -C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioHQ] -C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] -C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Logitech Utility] -Logi_MwX.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] -C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] -"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [SsAAD.exe] -C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [DataLayer] -C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] -C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eglblukc.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] -C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Live Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msnmsgr.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msnmsgr.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promot ... WebAAS.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - -C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: MSCSPTISRV - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - -C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Unknown owner - -C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Unread post by Susan528 » March 30th, 2007, 6:29 am

All the entries from the AVG log have “No action taken”
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread post by GarrySelman » April 1st, 2007, 8:21 am

Hi. I may not have had AVG clean, so I went back and did it again. Below are the logs for AVG AntiSpy and Hijackthis.
Then I'll have a go at the next things you gave me to do. Cheers, Garry.




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:47:05 01/04/2007

+ Scan result:



C:\RECYCLER\S-1-5-21-436374069-1647877149-725345543-500\Dc1.dll -> Adware.Virtumonde : Ignored.
C:\RECYCLER\S-1-5-21-436374069-1647877149-725345543-500\Dc2.exe -> Backdoor.Hupigon.enw : Cleaned with backup (quarantined).
C:\Documents and Settings\Garry\Cookies\garry@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@adviva[1].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@connextra[4].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wfkouidpgcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wfmiohcjibp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wfmisodpkkp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wfmycncjkgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6whkiaiczkdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wjliqidzwhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@e-2dj6wjlyshcjihq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@ehg-hollywood.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@ehg-littlewoods.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@ehg-wmc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Garry\Cookies\garry@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{42F5526E-93B8-4E10-8CD8-737E66777469}\RP5\A0000416.exe -> Trojan.QQPass.ly : Cleaned with backup (quarantined).


::Report end











Logfile of HijackThis v1.99.1
Scan saved at 13:16:53, on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17E61077-7431-47DA-A165-CE1AA4EB4464} - C:\WINDOWS\system32\oqflxrhg.dll (file missing)
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\khfggge.dll
O2 - BHO: (no name) - {4E907909-FD98-470A-8397-DC3520179559} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tebcsccq.dll (file missing)
O2 - BHO: (no name) - {6CAB442D-3ED9-48A6-AC19-D27D31FCFC3A} - C:\WINDOWS\system32\awtqr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C2334977-B955-44CC-8114-717A9F455095} - C:\WINDOWS\system32\awvts.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgr.exe] -C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] -rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [REGSHAVE] -C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NVRTCLK] -C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] -C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioHQ] -C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] -C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Logitech Utility] -Logi_MwX.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] -C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [SsAAD.exe] -C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [DataLayer] -C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] -C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eglblukc.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] -C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Live Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msnmsgr.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msnmsgr.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promot ... WebAAS.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll (file missing)
O20 - Winlogon Notify: khfggge - C:\WINDOWS\SYSTEM32\khfggge.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll (file missing)
O20 - Winlogon Notify: rqrspop - C:\WINDOWS\SYSTEM32\rqrspop.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - -C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: MSCSPTISRV - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - -C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Unknown owner - -C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Unread postby GarrySelman » April 1st, 2007, 8:25 am

AVG Anti Virus resident shield keeps picking up threats. It seems to be healing them ok and sending them to the virus vault. I've then been emptying them from there. When all the problems first started it disabled all my security, including un-installing or at least disabling ZoneAlarm firewall. I do have Windows firewall running, but should I re-install ZA? Would that help with the resident shield attacks? Garry.
GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Unread postby Susan528 » April 1st, 2007, 9:45 am

Yes, I would install ZoneAlarm again. The Windows Firewall should be off with the Zone Alarm firewall turned on.

Please test your firewall and make sure it is working properly.
Test Firewall

STEP 1.
======
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in your next reply.

STEP 2.
======
Deckard’s System Scanner

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

Also be sure to post (reply) with the contents of C:\vundofix.txt
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby GarrySelman » April 1st, 2007, 9:38 pm

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 01:51:15 02/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\dyypkgou.ini
C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\khfggge.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\rqrspop.dll
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\uogkpyyd.dll
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dyypkgou.ini
C:\WINDOWS\system32\dyypkgou.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfggge.dll
C:\WINDOWS\system32\khfggge.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrspop.dll
C:\WINDOWS\system32\rqrspop.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\rqtwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\rqtwa.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\uogkpyyd.dll
C:\WINDOWS\system32\uogkpyyd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yycdd.ini
C:\WINDOWS\system32\yycdd.ini Has been deleted!

Performing Repairs to the registry.
Done!
GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Unread postby GarrySelman » April 1st, 2007, 9:42 pm

During the re-boot after VundoFix shut the PC down, I got an error message:

Error loading C:\WINDOWS\system32\ougkpyyd.dll

This is one of the files VundoFix deleted. Does this mean the program that uses it is still trying to run?

I'll leave that one up to you and get on with the next bit, Deckard’s System Scanner. Garry.
GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm
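The situation raised in the post above, as an added example that is not part of the original thread: an autostart entry can outlive the file it points to, and HijackThis only marks some of those with "(file missing)". The Python below cross-references a VundoFix deletion log with the HijackThis autostart sections (O2, O4, O20, O23), using lines excerpted from the logs posted in this thread; the function names are this example's own.

```python
import re

# Excerpt of the VundoFix log posted in this thread.
VUNDOFIX_LOG = r"""
Attempting to delete C:\WINDOWS\system32\khfggge.dll
C:\WINDOWS\system32\khfggge.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uogkpyyd.dll
C:\WINDOWS\system32\uogkpyyd.dll Has been deleted!
"""

# Excerpt of the HijackThis log taken after the VundoFix run (same thread).
HIJACKTHIS_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {6CAB442D-3ED9-48A6-AC19-D27D31FCFC3A} - C:\WINDOWS\system32\awtqr.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uogkpyyd.dll",setvm
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# HijackThis sections that describe code loaded automatically:
# O2 = BHOs, O4 = Run keys/startup, O20 = Winlogon Notify, O23 = services.
AUTOSTART_SECTIONS = {"O2", "O4", "O20", "O23"}

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# First drive-letter path ending in .dll or .exe; quotes delimit the path.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:dll|exe)\b", re.IGNORECASE)
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Has been deleted!\s*$")


def deleted_files(vundofix_log):
    """Return the lower-cased paths VundoFix reports as deleted."""
    deleted = set()
    for line in vundofix_log.splitlines():
        match = DELETED_RE.match(line.strip())
        if match:
            deleted.add(match.group("path").lower())
    return deleted


def orphaned_autostarts(hijackthis_log, deleted):
    """List autostart entries whose target file no longer exists.

    An entry is reported when its path is in the deletion log, or when
    HijackThis itself tagged the line with "(file missing)".
    """
    findings = []
    for line in hijackthis_log.splitlines():
        line = line.strip()
        entry = ENTRY_RE.match(line)
        if not entry or entry.group(1) not in AUTOSTART_SECTIONS:
            continue
        path = PATH_RE.search(entry.group(2))
        if not path:
            continue
        target = path.group(0)
        if target.lower() in deleted:
            reason = "deleted by VundoFix"
        elif line.endswith("(file missing)"):
            reason = "file missing"
        else:
            continue
        findings.append((entry.group(1), target, reason))
    return findings


if __name__ == "__main__":
    for section, target, reason in orphaned_autostarts(
        HIJACKTHIS_LOG, deleted_files(VUNDOFIX_LOG)
    ):
        print(f"{section}: {target} ({reason})")
```

The O4 `SoundService` line carries no "(file missing)" tag in the HijackThis output, so only the cross-reference against the deletion log surfaces it.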

Unread postby GarrySelman » April 1st, 2007, 9:48 pm

Deckard's System Scanner v20070328.36
Run by Garry on 2007-04-02 at 02:46:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2007-04-02 01:46:28 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2007-04-01 02:34:48 UTC - RP8 - System Checkpoint
7: 2007-03-31 01:52:08 UTC - RP7 - System Checkpoint
6: 2007-03-30 01:50:36 UTC - RP6 - System Checkpoint
5: 2007-03-29 01:25:43 UTC - RP5 - Installed Java(TM) SE Runtime Environment 6 Update 1


-- First Restore Point --
1: 2007-03-28 00:37:17 UTC - RP1 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Garry.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 02:46:36, on 02/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Garry\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Garry.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17E61077-7431-47DA-A165-CE1AA4EB4464} - C:\WINDOWS\system32\oqflxrhg.dll (file missing)
O2 - BHO: (no name) - {4E907909-FD98-470A-8397-DC3520179559} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tebcsccq.dll (file missing)
O2 - BHO: (no name) - {6CAB442D-3ED9-48A6-AC19-D27D31FCFC3A} - C:\WINDOWS\system32\awtqr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C2334977-B955-44CC-8114-717A9F455095} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: (no name) - {C8D341ED-587E-4434-8C09-EFDF39D276DE} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgr.exe] -C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] -rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [REGSHAVE] -C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NVRTCLK] -C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] -C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioHQ] -C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] -C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Logitech Utility] -Logi_MwX.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] -C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [SsAAD.exe] -C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [DataLayer] -C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] -C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uogkpyyd.dll",setvm
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] -C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Live Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msnmsgr.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msnmsgr.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promot ... WebAAS.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll (file missing)
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - -C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: MSCSPTISRV - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - -C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Unknown owner - -C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070328-181218-245 O2 - BHO: (no name) - {C38AC86C-0192-46D9-9830-85D02A5A98F2} - C:\WINDOWS\system32\opnlklm.dll
backup-20070328-181218-256 O2 - BHO: (no name) - {B5AD515B-D043-487B-95C7-22B9232807De} - C:\WINDOWS\system32\yupottre.dll (file missing)
backup-20070328-181218-431 O2 - BHO: (no name) - {C2334977-B955-44CC-8114-717A9F455095} - C:\WINDOWS\system32\awvts.dll (file missing)
backup-20070328-181218-599 O2 - BHO: (no name) - {FB32879C-BE8D-4015-A450-E465441EBDD1} - C:\WINDOWS\system32\jkkli.dll (file missing)
backup-20070328-181218-727 O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\bkeudpet.dll",setvm
backup-20070328-181218-734 O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinlodv.exe OLI001
backup-20070328-181218-749 O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll (file missing)
backup-20070328-181218-807 O2 - BHO: (no name) - {17E61077-7431-47DA-A165-CE1AA4EB4464} - C:\WINDOWS\system32\scvwfxxu.dll (file missing)
backup-20070328-181218-866 O4 - HKLM\..\Run: [{69-99-90-01-ZN}] -c:\windows\system32\nkdsregr.exe OLI001
backup-20070328-181219-252 O20 - Winlogon Notify: fccbxww - C:\WINDOWS\SYSTEM32\fccbxww.dll
backup-20070328-181219-367 O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll (file missing)
backup-20070328-181220-149 O20 - Winlogon Notify: opnlklm - C:\WINDOWS\SYSTEM32\opnlklm.dll
backup-20070329-023011-635 O23 - Service: svchost - Unknown owner - -C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice2007.exe (file missing)
backup-20070329-023011-855 O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\asvafutd.dll",setvm
backup-20070401-133113-284 O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eglblukc.dll",setvm

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 imagedrv - c:\windows\system32\drivers\imagedrv.sys
R0 imagesrv - c:\windows\system32\drivers\imagesrv.sys
R1 CTSYN (Creative S/W Synth) - c:\windows\system32\drivers\ctsyn.sys
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys
R2 STEC3 - c:\windows\system32\stec3.sys
R2 WIBUKEY (WIBU-KEY Kernel Driver) - c:\windows\system32\drivers\wibukey.sys
R3 LCcfltr (Logitech USB Filter Driver) - c:\windows\system32\drivers\lccfltr.sys
R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys
R3 USR1806V (U.S. Robotics Voice Modem Driver 1806) - c:\windows\system32\drivers\usr1806v.sys

S0 MFX - c:\windows\system32\drivers\mfx.sys
S0 XMS1563K - c:\windows\system32\drivers\xms1563k.sys
S2 Ca533av (Icatch(IV) Video Camera Device) - c:\windows\system32\drivers\ca533av.sys
S3 61883 (61883 Unit Device) - c:\windows\system32\drivers\61883.sys
S3 ALCXSENS (Service for WDM 3D Audio Driver) - c:\windows\system32\drivers\alcxsens.sys
S3 Avc (AVC Device) - c:\windows\system32\drivers\avc.sys
S3 BthEnum (Bluetooth Request Block Driver) - c:\windows\system32\drivers\bthenum.sys
S3 BthPan (Bluetooth Device (Personal Area Network)) - c:\windows\system32\drivers\bthpan.sys
S3 BTHPORT (Bluetooth Port Driver) - c:\windows\system32\drivers\bthport.sys
S3 BTHUSB (Bluetooth Radio USB Driver) - c:\windows\system32\drivers\bthusb.sys
S3 GVCplDrv - c:\windows\system32\drivers\gvcpldrv.sys
S3 L8042PR2 (Logitech PS/2 Mouse Filter Driver) - c:\windows\system32\drivers\l8042pr2.sys
S3 MSDV (Microsoft DV Camera and VCR) - c:\windows\system32\drivers\msdv.sys
S3 Nokia USB Port - c:\windows\system32\drivers\nmwcdcj.sys
S3 P2k (Motorola USB Device) - c:\windows\system32\drivers\p2k.sys
S3 StillCam (Still Serial Digital Camera Driver) - c:\windows\system32\drivers\serscan.sys
S3 umpusbxp (UPort 1 on Nokia Adapter) - c:\windows\system32\drivers\umpusbxp.sys
S3 usb2vcom (USB Data Cable) - c:\windows\system32\drivers\usb2vcom.sys
S3 USBCamera (Icatch(IV) Still Camera Device) - c:\windows\system32\drivers\bulk533.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BthServ (Bluetooth Support Service) - c:\windows\system32\svchost.exe -k bthsvcs

S2 btwdins (Bluetooth Service) - -c:\program files\widcomm\bluetooth software\bin\btwdins.exe (file missing)
S3 IDriverT (InstallDriver Table Manager) - -"c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe" (file missing)
S3 iPod Service - -"c:\program files\ipod\bin\ipodservice.exe" (file missing)
S3 MSCSPTISRV - -"c:\program files\common files\sony shared\avlib\mscsptisrv.exe" (file missing)
S3 NetSvc (Intel NCS NetService) - -c:\program files\intel\ncs\sync\netsvc.exe (file missing)
S3 PACSPTISVR - -"c:\program files\common files\sony shared\avlib\pacsptisvr.exe" (file missing)
S3 SPTISRV (Sony SPTI Service) - -"c:\program files\common files\sony shared\avlib\sptisrv.exe" (file missing)
S3 SSScsiSV (SonicStage SCSI Service) - -c:\program files\common files\sony shared\avlib\ssscsisv.exe (file missing)
S3 usnsvc (Messenger Sharing USN Journal Reader service) - c:\windows\system32\svchost.exe -k usnsvc
S3 WMPNetworkSvc (Windows Media Player Network Sharing Service) - -"c:\program files\windows media player\wmpnetwk.exe" (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-04-01 08:51:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-03-02 and 2007-04-02 -----------------------------

2007-04-02 01:51:15 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-04-02 01:30:23 75512 --a------ C:\WINDOWS\zllsputility.exe<ZLLSPU~1.EXE>
2007-04-02 01:29:53 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-04-02 01:14:48 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-04-01 14:25:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-04-01 14:06:12 76412 --a------ C:\WINDOWS\system32\kefoghur.dll
2007-04-01 12:45:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder<SHARE-~1>
2007-03-29 02:25:48 0 d-------- C:\Program Files\Common Files\Java
2007-03-28 22:31:19 4384 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-28 22:30:42 79360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-28 22:30:42 40960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-28 22:30:42 135168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-28 22:30:42 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-28 22:30:42 53248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-28 22:30:42 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-28 22:13:54 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-27 14:20:20 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-03-25 14:00:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-03-25 09:30:24 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-21 23:46:40 1310720 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-03-18 02:27:20 26552 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-03-18 02:16:53 0 d-------- C:\Program Files\SlySoft
2007-03-18 02:15:16 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-03-18 02:15:12 8464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-05 19:01:09 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst<PLAYFI~1>
2007-03-03 21:27:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-03-03 20:29:52 0 d--hs---- C:\WINDOWS\ftpcache
2007-03-03 17:27:35 0 d-------- C:\My Games<MYGAME~1>
2007-03-03 17:27:27 0 d-------- C:\My Download Files<MYDOWN~1>
2007-03-03 17:26:06 774144 --a------ C:\Program Files\RngInterstitial.dll<RNGINT~1.DLL>


-- Find3M Report ---------------------------------------------------------------

2007-04-02 01:31:24 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-04-02 01:22:19 0 d-------- C:\Documents and Settings\Garry\Application Data\AVG7
2007-03-29 02:26:43 0 d-------- C:\Program Files\Java
2007-03-22 02:54:03 0 d-------- C:\Program Files\Common Files\Real
2007-03-19 22:17:36 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-19 18:16:16 0 d---s---- C:\Documents and Settings\Garry\Application Data\Microsoft<MICROS~1>
2007-03-07 03:09:06 0 d-------- C:\Program Files\Google
2007-03-03 21:34:29 0 d-------- C:\Program Files\Real
2007-02-23 23:22:55 0 d-------- C:\Documents and Settings\Garry\Application Data\SlySoft
2007-02-23 21:59:43 0 d-------- C:\Program Files\YAMP
2007-02-22 01:23:59 0 d-------- C:\Program Files\Winamp
2007-02-11 13:35:29 0 d-------- C:\Program Files\CloneDVD
2007-02-06 23:37:05 0 d-------- C:\Program Files\DivX
2007-02-04 23:22:37 0 d-------- C:\Program Files\PC Doc Pro<PCDOCP~1>
2007-02-04 10:27:07 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>
2007-02-01 05:56:06 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
2007-02-01 05:56:05 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
2007-02-01 05:56:05 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
2007-02-01 05:56:04 639066 --a------ C:\WINDOWS\system32\DivX.dll
2007-01-31 22:27:01 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-01-31 00:15:10 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
2007-01-30 06:03:40 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 06:03:34 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 06:03:34 116472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-01-30 06:03:34 129784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-01-30 06:03:26 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 06:03:26 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-30 05:56:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-30 05:56:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-30 05:56:54 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-01-30 05:56:52 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-30 05:56:52 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-30 05:56:52 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-01-30 05:56:52 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-30 05:56:52 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PcSync"="-C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PRONoMgr.exe"="-C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"BluetoothAuthenticationAgent"="-rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"REGSHAVE"="-C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"NVRTCLK"="-C:\\WINDOWS\\system32\\NVRTCLK\\NVRTClk.exe"
"NeroFilterCheck"="-C:\\WINDOWS\\system32\\NeroCheck.exe"
"AudioHQ"="-C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Creative Launcher"="-C:\\Program Files\\Creative\\Launcher\\CTLauncher.exe"
"Logitech Utility"="-Logi_MwX.Exe"
"Share-to-Web Namespace Daemon"="-C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SoundMan"="-SOUNDMAN.EXE"
"SsAAD.exe"="-C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"DataLayer"="-C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"PCSuiteTrayApplication"="-C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"NvCplDaemon"="-RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="-nwiz.exe /install"
"NvMediaCenter"="-RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"iTunesHelper"="-\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\uogkpyyd.dll\",setvm"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{C38AC86C-0192-46D9-9830-85D02A5A98F2}"=""
"{182B90A3-F372-438A-800C-6814B4DE417B}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=dword:00000000
"NoClose"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.hornby.com/img/lvestm/pic_instr.jpg

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvts
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlj

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-04-02 at 02:47:13 ---------
GarrySelman
Regular Member
 
Posts: 34
Joined: March 25th, 2007, 6:11 pm