Free Malware Removal Forum

[gliese]

I've been struggling with Virtumundo/Vundo (and a few subsequent trojans because apparently I'm an utter twit when it comes to computer protection) for about a month now, so finally I've turned to you guys for help.

Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:30 PM, on 17/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B1D7993-5D8B-4886-896E-30334BAB2791} - (no file)
O2 - BHO: (no name) - {1AB60AC6-2C84-4A95-9853-92A8707AA830} - (no file)
O2 - BHO: (no name) - {1AE26144-E2D5-4389-B327-4CE306BC77D2} - C:\Windows\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {23A58880-E911-43E4-BA53-685F348A540E} - (no file)
O2 - BHO: (no name) - {47AE32BC-FE16-479C-B77F-D7E64B843A55} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A3AB3982-F132-4305-A20B-5C8C8BCDD5FE} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: (no name) - {BAC7B78A-51FF-43CD-BB69-D0970CF69860} - C:\Windows\system32\vtsqq.dll
O2 - BHO: (no name) - {BE6F0DE4-4ED6-48C1-B5D2-67C71C6EC233} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\efcca.dll,#1
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [147fba20] "rundll32.exe" "C:\Windows\system32\dwyicktb.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BM174c89bc] Rundll32.exe "C:\Windows\system32\qburonie.dll",s
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O20 - Winlogon Notify: kyrdlvxl - kyrdlvxl.dll (file missing)
O20 - Winlogon Notify: njjazjot - C:\Windows\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

[ktreffin]

Hi <user>, Welcome to Malware Removal!

My name is Ken, on these forums I am known as ktreffin. I will be helping you with your current problem. Please note that I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.

HiJackThis logs do take some time to review and research. I would appreciate it if while you are waiting, you could please do the following for me:

Please make an Uninstall List using HiJackThis.

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.

As we work together to resolve your problem, please read these instructions carefully. You may wish to print them off or copy them to Notepad.

Lastly, please keep these points in mind:

• If you have questions, please DON'T hesitate to ask!
• The instructions I give are specific to your current problem and should not be used on other systems.
• Please post your replies only to this topic, and please DO NOT start a new thread.
• Since there may be multiple issues with your system, please continue to follow this thread until I have given you an "All Clean!"

I am reviewing your log now, and will be back with you shortly. Thank you for your patience.

Ken

[gliese]

Thanks Ken!

Here's my uninstall list:

32 Bit HP CIO Components Installer
ABC (remove only)
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.2
Apple Software Update
AVG Anti-Spyware 7.5
Conexant HD Audio
ESU for Microsoft Vista
FrostWire 4.13.4
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent
HijackThis 2.0.2
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Customer Participation Program 9.0
HP Doc Viewer
HP Easy Setup - Frontend
HP Help and Support
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Quick Launch Buttons 6.20 B1
HP Smart Web Printing
HP Solution Center 9.0
HP Total Care Advisor
HP Update
HP User Guides 0057
HPNetworkAssistant
HPSSupply
Java(TM) SE Runtime Environment 6
LiveUpdate 3.2 (Symantec Corporation)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (2.0.0.12)
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
NVIDIA Drivers
PhotoScape
QuickTime
Rhapsody Player Engine
Roxio Activation Module
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
SmartAudio
Spy Sweeper
Synaptics Pointing Device Driver
Webroot Desktop Firewall
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Player Firefox Plugin
WinRAR archiver

[ktreffin]

Hi gliese,

It does appear that you are still infected. Please do the following:

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

FrostWire 4.13.4

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

I would recommend that you uninstall FrostWire 4.13.4, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Step 1: Disable SpySweeper
Please disable SpySweeper as it may interfere with the fix.

• Open SpySweeper
• Click Options
• Click program options
• Uncheck load at windows startup
• On the left click shields and uncheck all there
• Uncheck home page shield
• Uncheck automaticly restore default without notifiction
• Close SpySweeper
• Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings in SpySweeper.

Step 2: Disable Windows Defender
Please disable Windows Defender Real Time Protection as it may interfere with the fix. To disable Windows Defender:

• Open Windows Defender
• Click Tools
• Click General Settings
• Scroll down to Real Time Protection Options
• Uncheck Turn on Real Time Protection (recommended)
• Click Save
• Close Windows Defender
• Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable Windows Defender Real Time Protection.

Step 3: Download and Run ComboFix
Before you download the newest version of ComboFix please make sure there's no older version of ComboFix on your desktop! If there is one, please delete it.

Download Combofix from any of the links below, and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

For information regarding this download, please visit this webpage:
http://www.bleepingcomputer.com/combofi ... e-combofix

Note: It is important that it is saved directly to your desktop!

Now close any open browsers. Also close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts. Do not mouseclick combofix's window while it's running. That may cause it to stall.

When finished, it will produce a report for you. This report will also be saved in C:\ComboFix.txt

Step 4: Things to put in your next reply

Please post the following in your next reply:

• A New Hijack This Log
• Contents of the Combofix.txt

Thanks,
Ken

[gliese]

Thanks, I'll probably remove Frostwire as I haven't been using it frequently enough to warrant keeping it.

Here's my new logs:

ComboFix

ComboFix 08-03-21.1 - Beth 2008-03-21 17:25:05.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.368 [GMT -6:00]
Running from: C:\Users\Beth\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\BM174c89bc.xml
C:\Windows\pskt.ini
C:\Windows\system32\AutoRun.inf
C:\Windows\system32\fkkcisxy.dll
C:\Windows\System32\gqnehmxm.ini
C:\Windows\system32\jhwtoxlr.dll
C:\Windows\system32\jkvctdxq.dll
C:\Windows\system32\kdrhrjov.dll
C:\Windows\system32\kejcmelh.dll
C:\Windows\system32\kuokjlkw.dll
C:\Windows\System32\lyeydgon.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\mxmhenqg.dll
C:\Windows\system32\ocneejsw.dll
C:\Windows\system32\opupsqmr.dll
C:\Windows\System32\oruvw.ini
C:\Windows\System32\oruvw.ini2
C:\Windows\System32\pfbonvta.ini
C:\Windows\system32\qburonie.dll
C:\Windows\System32\qqstv.ini
C:\Windows\System32\qqstv.ini2
C:\Windows\system32\rxvdsipv.dll
C:\Windows\system32\ssyuijmx.dll
C:\Windows\system32\ujpkjlpx.dll
C:\Windows\system32\urhxwjrk.dll
C:\Windows\System32\vojrhrdk.ini
C:\Windows\system32\vtsqq.dll
C:\Windows\System32\vvuglwwd.ini
C:\Windows\System32\wgosfbbn.ini
C:\Windows\system32\wvuro.dll
C:\Windows\System32\xmivxaqi.ini
C:\Windows\system32\ygrjhnrt.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 23:19 27,240 ----a-w C:\Users\Beth\AppData\Roaming\nvModes.dat
2008-03-21 23:12 --------- d-----w C:\Program Files\DOSBox-0.72
2008-03-20 23:14 --------- d-----w C:\Program Files\Stone Prophet
2008-03-20 21:40 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-03-20 21:36 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-03-20 21:29 --------- d-----w C:\Users\Beth\AppData\Roaming\DAEMON Tools
2008-03-20 19:23 --------- d-----w C:\Users\Beth\AppData\Roaming\FrostWire
2008-03-19 21:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-18 21:55 --------- d-----w C:\Program Files\PhotoScape
2008-03-18 19:55 --------- d-----w C:\Users\Beth\AppData\Roaming\HP
2008-03-18 19:50 --------- d-----w C:\ProgramData\WEBREG
2008-03-18 19:49 --------- d-----w C:\ProgramData\HP
2008-03-18 19:28 --------- d-----w C:\Users\Beth\AppData\Roaming\HPAppData
2008-03-18 19:28 --------- d-----w C:\ProgramData\HPSSUPPLY
2008-03-18 19:28 --------- d-----w C:\Program Files\HP
2008-03-18 19:24 --------- d-----w C:\ProgramData\HP Product Assistant
2008-03-18 19:23 --------- d-----w C:\Program Files\Common Files\HP
2008-03-18 19:21 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-03-18 19:19 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-03-17 22:54 --------- d-----w C:\Program Files\Trend Micro
2008-03-14 09:18 --------- d-----w C:\Program Files\Windows Mail
2008-03-14 09:11 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-02 19:14 --------- d-----w C:\Users\Beth\AppData\Roaming\.ABC
2008-02-28 19:29 --------- d-----w C:\Users\Beth\AppData\Roaming\Download Manager
2008-02-25 22:13 --------- d-----w C:\Program Files\Ubi Soft
2008-02-22 19:38 --------- d-----w C:\Program Files\Jollygood Games
2008-02-20 23:18 --------- d-----w C:\Program Files\QuickTime
2008-02-20 23:14 --------- d-----w C:\ProgramData\Apple Computer
2008-02-20 23:11 --------- d-----w C:\ProgramData\Apple
2008-02-20 23:11 --------- d-----w C:\Program Files\Apple Software Update
2008-02-20 17:55 --------- d-----w C:\Users\Beth\AppData\Roaming\InstallShield
2008-02-18 00:17 --------- d-----w C:\Users\Beth\AppData\Roaming\Grisoft
2008-02-18 00:17 --------- d-----w C:\ProgramData\Grisoft
2008-02-17 21:39 --------- d-----w C:\Program Files\Webroot
2008-02-17 21:35 --------- d-----w C:\ProgramData\Webroot
2008-02-17 21:19 --------- d-----w C:\Program Files\Windows Collaboration
2008-02-17 21:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-17 21:18 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-17 21:18 --------- d-----w C:\Program Files\earthlink totalaccess
2008-02-17 20:01 --------- d-----w C:\Program Files\Enigma Software Group
2008-02-17 06:09 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-02-17 06:09 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-17 06:08 --------- d-----w C:\Users\Beth\AppData\Roaming\SUPERAntiSpyware.com
2008-02-17 05:25 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2008-02-15 19:51 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-15 18:44 --------- d-----w C:\ProgramData\Trend Micro
2008-02-15 02:32 --------- d-----w C:\Users\Beth\AppData\Roaming\Webroot
2008-02-14 23:43 --------- d-----w C:\ProgramData\Symantec
2008-02-14 23:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-14 23:39 --------- d-----w C:\Program Files\Symantec
2008-02-14 23:04 84,992 ----a-w C:\Windows\system32\drivers\FWPKCLNT.SYS
2008-02-14 20:48 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-14 20:46 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-14 20:46 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-14 20:46 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-14 20:46 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-14 20:46 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-14 20:46 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-14 20:46 15,872 ----a-w C:\Windows\system32\drivers\kbdhid.sys
2008-02-14 20:43 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-14 20:43 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-14 20:43 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-14 20:43 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-14 20:43 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-14 20:43 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-14 20:42 806,400 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-14 20:42 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 20:42 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 20:42 217,144 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-14 20:42 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 20:42 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 20:39 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-14 20:10 --------- d-----w C:\ProgramData\LightScribe
2008-02-14 03:22 --------- d-----w C:\Program Files\FrostWire
2008-02-13 18:17 --------- d-----w C:\ProgramData\WildTangent
2008-02-13 10:28 174 --sha-w C:\Program Files\desktop.ini
2008-02-13 10:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-13 10:24 --------- d-----w C:\Program Files\Windows Calendar
2008-02-13 10:15 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2008-02-13 10:15 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2008-02-13 10:15 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2008-02-13 10:15 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2008-02-13 10:15 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2008-02-13 10:13 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-02-13 10:13 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-02-13 10:13 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-02-13 10:13 2,923,520 ----a-w C:\Windows\explorer.exe
2008-02-13 10:13 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-02-13 10:13 11,264 ----a-w C:\Windows\system32\drivers\wmiacpi.sys
2008-02-13 10:10 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-02-13 10:10 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-02-13 10:10 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-02-13 10:10 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-13 10:09 73,216 ----a-w C:\Windows\system32\drivers\usbccgp.sys
2008-02-13 10:09 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
2008-02-13 10:09 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
2008-02-13 10:09 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
2008-02-13 10:09 193,536 ----a-w C:\Windows\system32\drivers\usbhub.sys
2008-02-13 10:09 19,456 ----a-w C:\Windows\system32\drivers\usbohci.sys
2008-02-13 10:08 82,432 ----a-w C:\Windows\system32\drivers\sdbus.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AE26144-E2D5-4389-B327-4CE306BC77D2}]
C:\Windows\system32\vtsts.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 06:35 125440]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 06:36 201728]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-14 05:55 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-04 03:57 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 21:36 827392]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 12:38 159744]
"NvSvc"="RUNDLL32.exe" [2006-11-02 03:45 44544 C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2006-11-02 03:45 44544 C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-11-02 03:45 44544 C:\Windows\System32\rundll32.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"MSServer"="rundll32.exe" [2006-11-02 03:45 44544 C:\Windows\System32\rundll32.exe]
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [2007-10-08 18:50 1713496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"147fba20"="rundll32.exe" [2006-11-02 03:45 44544 C:\Windows\System32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kyrdlvxl]
kyrdlvxl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\njjazjot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-08-04 05:36 77824 C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F238082B-3978-480D-B122-CF2A1C1231A2}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EC4CB1F7-839A-47B1-92C2-AA35BE42FAAD}"= Profile=Private|C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{F2F7D238-DF77-4079-A556-C08F0586E30B}"= UDP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{37300804-B9B4-439A-A0CA-9CDEB22AF0BD}"= TCP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"TCP Query User{16879A00-B9BE-4D90-8E49-91C647E6163F}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{307C3FEB-055E-4CFA-BBF4-D27993D9FB0D}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{B2747020-934E-4E22-BAA9-6C96C2CFB1C5}C:\\program files\\abc\\abc.exe"= UDP:C:\program files\abc\abc.exe:abc
"UDP Query User{67863545-1291-4954-9EC1-8EBC1C32CB5F}C:\\program files\\abc\\abc.exe"= TCP:C:\program files\abc\abc.exe:abc
"{CEA658B9-93F3-47D0-ABD3-A6A3128555FE}"= UDP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{1E73EE83-BC2C-4575-8BD6-AD2F20BCF657}"= TCP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{DDB79537-BE1B-49D8-9E35-865252F6818E}"= Disabled:UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{62DAD364-9054-4450-8B64-1E97F59A49D1}"= Disabled:TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}"= Disabled:UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}"= Disabled:TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F661976B-6885-4C05-A300-E341FFF1CD27}"= Disabled:C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 pwipf6;Privacyware Filter Driver;C:\Windows\system32\DRIVERS\pwipf6.sys [2007-10-08 18:51]
R2 WDFNet;Webroot Desktop Firewall network service;C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe [2007-10-08 18:50]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 10:44]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 17:50]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-01-03 09:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fc493e8-d990-11dc-8567-806e6f6e6963}]
\shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfb0175d-d91a-11dc-a103-001a73998301}]
\shell\AutoRun\command - G:\LaunchU3.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 22:43:50 C:\Windows\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 17:34:50
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\wbem\WmiApSrv.exe
.
**************************************************************************
.
Completion time: 2008-03-21 17:38:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-21 23:38:30
.
2008-03-21 05:22:34 --- E O F ---


HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:04 PM, on 21/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AE26144-E2D5-4389-B327-4CE306BC77D2} - C:\Windows\system32\vtsts.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\efcca.dll,#1
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [147fba20] "rundll32.exe" "C:\Windows\system32\dwyicktb.dll",b
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O20 - Winlogon Notify: kyrdlvxl - kyrdlvxl.dll (file missing)
O20 - Winlogon Notify: njjazjot - C:\Windows\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7391 bytes

[ktreffin]

Hi gliese,

Looks like combo took out a lot, but we still have more to deal with.

STEP #1 Remove malware lines using Hijack This

Please start HiJackThis as you did to generate a log, but this time click on "Do A System Scan Only".
Place a checkmark in the boxes to the left of the following entries by clicking on them:

O2 - BHO: (no name) - {1AE26144-E2D5-4389-B327-4CE306BC77D2} - C:\Windows\system32\vtsts.dll (file missing)
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\efcca.dll,#1
O4 - HKLM\..\Run: [147fba20] "rundll32.exe" "C:\Windows\system32\dwyicktb.dll",b
O20 - Winlogon Notify: kyrdlvxl - kyrdlvxl.dll (file missing)
O20 - Winlogon Notify: njjazjot - C:\Windows\


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HIJACKTHIS and click on "Fix Checked".

Once complete, please exit HiJackThis.

*===============================================*

Step #2: Run CFScript
Close any open browsers and close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open Notepad and copy/paste the text in the box into the window:

Code: Select all

File::
C:\Windows\system32\vtsts.dll 
C:\Windows\system32\efcca.dll
C:\Windows\system32\dwyicktb.dll
C:\Windows\system32\kyrdlvxl.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

*===============================================*

Step #3: Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to:
  
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply.
• If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

*===============================================*

STEP #4 Things to put in your next reply

Please post the following in your next reply:

• A New Hijack This Log
• Contents of the Malwarebytes' Anti-Malware Log

Thanks,
Ken

[gliese]

Done, and done:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:48 PM, on 22/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6946 bytes


Malwarebytes' Anti-Malware 1.09
Database version: 521

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 125212
Time elapsed: 20 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Beth\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.

[ktreffin]

Hi gliese,

I am reviewing your new Hijack This and Malwarebytes' log. In the mean time how is your system running? What kind of problems are you still experiencing? I am at work tonight, but should have a new post for you tomorrow sometime.

Thanks,
Ken

[gliese]

All of the symptoms I was experiencing (pictures being replaced by 'Your computer is at risk!' images; pop-ups) are gone, though they were sporadic even at the worst times. A significant improvement! Thank you!

[ktreffin]

Congratulations gliese, Your Log appears to be clean!

How is your system running? Are you still having problems? Please let me know if any problems still exist before moving on.

Now that you are clean, I got some tips & tricks for you to keep your computer clean and secure. The first few (like removing dangerous tools and Windows Update) have to be done, the others are option (beginning with Spybot S &D).

It may seem like your system will be too much protected with all these things installed, but a lot of programs aren't running always on the background so don't slow down your computer. Please take a look at the following things:

Remove dangerous tools - Because some tools we used can be dangerous if they're used in the wrong way we have to remove some of them. Please remove the following tools:
VundoFix
Uninstall Combofix

• Click START then RUN
• Now type Combofix /u in the runbox and click OK.
• Note the space between the X and the U, it needs to be there.
• 

You can also delete any logs we have produced, and empty your Recycle bin.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
  
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound/outbound not sure). Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most used:
Comodo
Kerio
ZoneAlarm

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
Tutorail for Spybot S & D

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. You can download it here:
SpywareBlaster

Install WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You can download it from this website:
WinPatrol
The developer is a well-known man in the MalWare Removal business. If you really like WinPatrol think about upgrading to the PLUS version. It will give you additional features and you will only have to pay once, for your whole malware-free life.

Install MVPS HOSTS - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial here:
WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

Use an alternative Internet Browser - Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
Firefox << Most used, I use this one myself.
Opera

Bookmark general cleanup links - It could be that your computer is becoming slower and slower. This is not always the cause of malware. Most of the times it's malware when you're computer is suddenly getting slow or doing strange. When the slowdown increases slowly check (so now bookmark) these links for tips & tricks:
Help! My computer is slow
Slow Computer? Check here first; it may not be malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.[/list]
Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted!
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints called Malware Complaints. Please register there first! Then follow the instructions here:
<link>

>> Here << you can see how you can help us.

Have a happy computing day!!

Ken

[gliese]

MARVELOUS, thank you!

[ktreffin]

My pleasure! Glad I could be of help. Please let us know if we can assist you again in the future.

Ken

I will have this thread archived.

[Elrond]

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.