Need supreme help with virtumonde



TheOnlyBigDog
2007-11-29, 15:44
I read several of the posts and used the fixes that were posted for removal, i.e. sdfix, combofix, vundofix. It all seemed to be great until the next reboot. When it came back... it brought with it a new virtumonde.dcc and a bunch of spyware/adware/hacktools. Below is the report from the last S&D scan:

--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Virtumonde: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1343024091-1123561945-839522115-1003\Software\Microsoft\rdfa

Virtumonde: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1343024091-1123561945-839522115-1003\Software\Microsoft\aldd

Virtumonde.ddc: Executable (File, nothing done)
C:\WINDOWS\system32\mscghmhk.exe

Virtumonde.ddc: Executable (File, nothing done)
C:\WINDOWS\system32\oovuhxhw.exe


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---


--- System information ---
Windows XP (Build: 2600) Service Pack 2

ken545
2007-11-30, 03:04
Hello TheOnlyBigDog

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install.
Follow the prompts; by default it will install in C:\Program Files\Trend Micro\HijackThis\HijackThis.exe



This is important, do this and post a new HijackThis log:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (looks like a man with a spyglass) and rename it to Scanner.exe



Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Word Wrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not Start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

TheOnlyBigDog
2007-12-01, 04:06
Please help.... I've tried everything in several posts to remove this bad boy, but to no avail. The last thing I tried was d/l Kaspersky, but every time I try it says I need an internet connection, and I am constantly online. Please help. Thanks, the BigDog

ken545
2007-12-01, 12:00
TheOnlyBigDog

Reply to this thread only by using the Submit Reply and do not start a New Topic.

Follow the instructions that I posted please.

Ken :)

TheOnlyBigDog
2007-12-02, 03:26
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:50 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ndt2.sys
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\Indt2.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [7c6a15e3] rundll32.exe "C:\WINDOWS\system32\xubyhnpn.dll",b
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?2e418709cb2e4b059d87d5fc7c556b13
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?2e418709cb2e4b059d87d5fc7c556b13
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - http://images.stage6.com/channel_images/divachannel/46dbf2a6e3650t.jpg
O24 - Desktop Component 1: (no name) - http://images.stage6.com/channel_images/divachannel/46dbf29ab9953t.jpg
O24 - Desktop Component 10: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720ef233bff.jpg
O24 - Desktop Component 11: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b36e8512c8.jpg
O24 - Desktop Component 12: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720a92b6691.jpg
O24 - Desktop Component 13: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b33b447f6e.jpg
O24 - Desktop Component 14: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b339a15c77.jpg
O24 - Desktop Component 15: (no name) - http://images.stage6.com/channel_images/maxmotorshow/4672068ba93f5.jpg
O24 - Desktop Component 16: (no name) - http://www.carstickerpro.com/~exoticmotorcars/7LA02176-16sm.jpg
O24 - Desktop Component 17: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b361f24f0b.jpg
O24 - Desktop Component 18: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b34e9c0f67.jpg
O24 - Desktop Component 2: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b365dc52e4.jpg
O24 - Desktop Component 3: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b33dc14c86.jpg
O24 - Desktop Component 4: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b36abce3ad.jpg
O24 - Desktop Component 5: (no name) - http://www.lamborghiniclub.com/mur6403.jpg
O24 - Desktop Component 6: (no name) - http://img.gactv.com/GAC/2006/05/16/rebamcentire8_v_p.jpg
O24 - Desktop Component 7: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b34a8ebc4c.jpg
O24 - Desktop Component 8: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b364329884.jpg
O24 - Desktop Component 9: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b3010da06d.jpg

--
End of file - 13423 bytes

ken545
2007-12-02, 05:41
Hello,

Glad that we finally hooked up. Everything we ask you to do is for a reason: the thieves who wrote Vundo wrote it to evade a HJT scan, so by renaming HJT to something else, if Vundo is present on your system it will then show up in your log. You have not done that per my instructions. You have one marker on your log for Vundo, but I am sure there are more.

You have more serious issues on this system besides Vundo.

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file, then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and their backups, and then restore them.


Please download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe) and save it to your desktop

* Double-click FindAWF.exe to start the tool.
* Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
* When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**


Post the AWF log and rename HijackThis.
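A defender-side check of the mechanism described above, as an added example that is not FindAWF's own code: it walks a tree for "bak" folders and pairs each backed-up file with the live file of the same name one level up, flagging pairs whose live copy no longer matches the original the trojan set aside. The sample tree it builds is constructed for the demo and is not this machine's.

```python
"""Scan a directory tree for 'bak' folders and compare each backed-up file with
the live file of the same name in the parent folder, the way a FindAWF report
pairs them.  Added example, not FindAWF's own code."""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime


@dataclass
class BakPair:
    live_path: str    # file currently sitting in the application folder
    bak_path: str     # original that was moved into the bak folder
    live_size: int
    bak_size: int
    replaced: bool    # True when the live copy differs from the backup


def find_bak_dirs(root):
    """Return every directory named 'bak' (Windows names are case-insensitive)."""
    found = []
    for dirpath, dirnames, _files in os.walk(root):
        found.extend(os.path.join(dirpath, d) for d in dirnames if d.lower() == "bak")
    return sorted(found)


def _same_bytes(path_a, path_b):
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return fa.read() == fb.read()


def compare_bak_contents(bak_dir):
    """Pair each file in bak_dir with the same-named file one level up.

    A size or content mismatch means the live file is not the original the
    trojan set aside, which is exactly the case that needs restoring."""
    parent = os.path.dirname(bak_dir)
    # Live names may differ in case from the backup (CCAPP.EXE vs ccApp.exe).
    live_by_lower = {n.lower(): n for n in os.listdir(parent)
                     if os.path.isfile(os.path.join(parent, n))}
    pairs = []
    for name in sorted(os.listdir(bak_dir)):
        bak_path = os.path.join(bak_dir, name)
        live_name = live_by_lower.get(name.lower())
        if not os.path.isfile(bak_path) or live_name is None:
            continue  # backup with no live counterpart: nothing to compare
        live_path = os.path.join(parent, live_name)
        live_size, bak_size = os.path.getsize(live_path), os.path.getsize(bak_path)
        replaced = live_size != bak_size or not _same_bytes(live_path, bak_path)
        pairs.append(BakPair(live_path, bak_path, live_size, bak_size, replaced))
    return pairs


def report(root):
    """Produce a FindAWF-style text report: bak folders, then the paired files."""
    lines = ["bak folders found", "~" * 11, ""]
    bak_dirs = find_bak_dirs(root)
    for d in bak_dirs:
        lines.append(f"Directory of {d}")
    lines += ["", "Duplicate files of bak directory contents", "~" * 23, ""]
    for d in bak_dirs:
        for p in compare_bak_contents(d):
            for path, size in ((p.live_path, p.live_size), (p.bak_path, p.bak_size)):
                stamp = datetime.fromtimestamp(os.path.getmtime(path)).strftime("%b %d %Y")
                lines.append(f'{size} {stamp} "{path}"')
            lines.append("  -> live copy DIFFERS from backup; restore needed"
                         if p.replaced else "  -> identical; already restored or benign")
    return "\n".join(lines)


def build_sample_tree():
    """Constructed sample tree (not the poster's machine) mirroring three cases
    from the thread's report: a replaced file, an identical pair, and an
    orphaned backup.  Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="awf_demo_")

    def put(rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    put("SymNetDrv/SNDMon.exe", b"MZ" + b"\x90" * 60)           # bigger and different
    put("SymNetDrv/bak/SNDMon.exe", b"MZ" + b"\x00" * 40)       # the set-aside original
    put("Symantec Shared/CCAPP.EXE", b"MZ" + b"A" * 20)          # same bytes as backup
    put("Symantec Shared/bak/ccApp.exe", b"MZ" + b"A" * 20)
    put("Real/Update_OB/bak/realsched.exe", b"MZ" + b"R" * 10)  # no live counterpart
    return root


if __name__ == "__main__":
    print(report(build_sample_tree()))
```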

TheOnlyBigDog
2007-12-02, 06:23
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 12/01/2007
The current time is: 21:19:45.81


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 12:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

09/27/2007 10:49 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 04:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/22/2007 06:30 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

04/22/2003 02:05 PM 94,208 CTDetect.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 12:00 AM 45,056 CTDVDDET.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

07/02/2003 09:03 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of D:\PROGRA~1\321STU~1\PLATINUM\BAK

10/28/2003 01:31 PM 0 makedir
1 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\Updreg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
111840 Oct 16 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Sep 27 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58488 Aug 13 2004 "C:\unzipped\Norton Antivirus 2005 + Keygen\Norton Antivirus 2005\SUPPORT\CCCOMMON\CCCOMMON\CCAPP.EXE"
58488 Aug 13 2004 "C:\Documents and Settings\BURNING ADDICTION\A BURNING ADDICTION\new documents\BRIAN\jayson\Norton Antivirus 2005 + Keygen\Norton Antivirus 2005\SUPPORT\CCCOMMON\CCCOMMON\CCAPP.EXE"
180269 Sep 22 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
94208 Apr 22 2003 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
94208 Apr 22 2003 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
102400 Dec 2 2004 "D:\PROGRAMS 2\Creative\MediaSource\Detector\CTDetect.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE"
57344 Jul 2 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"
57344 Jul 2 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
0 Oct 28 2003 "D:\PROGRAMS 2\321Studios\Platinum\bak\makedir"
0 Oct 28 2003 "D:\PROGRAMS 2\321Studios\Platinum\tdf\makedir.dir"


end of report

ken545
2007-12-02, 06:36
Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:


C:\WINDOWS\bak\UpdReg.EXE
C:\Program Files\SymNetDrv\bak\SNDMon.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe
D:\PROGRAMS 2\321Studios\Platinum\bak\makedir

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.


Take your time, been a long day, be back in the AM,

Ken:)

TheOnlyBigDog
2007-12-02, 06:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:15 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F63F801-8D5B-4CBB-ADF7-65108E8A976E} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\rqrqqqo.dll
O2 - BHO: {f0cb7835-fbbe-c8eb-b734-a358c0d80ef1} - {1fe08d0c-853a-437b-be8c-ebbf5387bc0f} - C:\WINDOWS\system32\cwycipsn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B508EC3-EDAD-418C-8A17-DF7622C0D854} - \
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [7c6a15e3] rundll32.exe "C:\WINDOWS\system32\xubyhnpn.dll",b
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?2e418709cb2e4b059d87d5fc7c556b13
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?2e418709cb2e4b059d87d5fc7c556b13
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: rqrqqqo - C:\WINDOWS\SYSTEM32\rqrqqqo.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - http://images.stage6.com/channel_images/divachannel/46dbf2a6e3650t.jpg
O24 - Desktop Component 1: (no name) - http://images.stage6.com/channel_images/divachannel/46dbf29ab9953t.jpg
O24 - Desktop Component 10: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720ef233bff.jpg
O24 - Desktop Component 11: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b36e8512c8.jpg
O24 - Desktop Component 12: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720a92b6691.jpg
O24 - Desktop Component 13: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b33b447f6e.jpg
O24 - Desktop Component 14: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b339a15c77.jpg
O24 - Desktop Component 15: (no name) - http://images.stage6.com/channel_images/maxmotorshow/4672068ba93f5.jpg
O24 - Desktop Component 16: (no name) - http://www.carstickerpro.com/~exoticmotorcars/7LA02176-16sm.jpg
O24 - Desktop Component 17: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b361f24f0b.jpg
O24 - Desktop Component 18: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b34e9c0f67.jpg
O24 - Desktop Component 2: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b365dc52e4.jpg
O24 - Desktop Component 3: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b33dc14c86.jpg
O24 - Desktop Component 4: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b36abce3ad.jpg
O24 - Desktop Component 5: (no name) - http://www.lamborghiniclub.com/mur6403.jpg
O24 - Desktop Component 6: (no name) - http://img.gactv.com/GAC/2006/05/16/rebamcentire8_v_p.jpg
O24 - Desktop Component 7: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b34a8ebc4c.jpg
O24 - Desktop Component 8: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b364329884.jpg
O24 - Desktop Component 9: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b3010da06d.jpg

--
End of file - 15092 bytes
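
The Vundo entries that get picked out of this log later in the thread share a few traits: BHOs registered with "(no name)" or a GUID in place of a name, pointing at DLLs with random lowercase names in system32 (or at no file at all); a Run value named with eight hex digits that loads such a DLL through rundll32; a Winlogon Notify DLL with the same kind of name; a service with "Unknown owner" whose binary sits in system32; and an O15 Trusted Zone entry for an unfamiliar domain. As an added example, not part of the original thread or of HijackThis itself, the following Python script encodes those traits as triage heuristics and runs them over a constructed excerpt modelled on lines from the log above. The rules and thresholds (5 to 8 lowercase letters with at most one vowel in five, an 8-hex-digit Run name) are my own approximation, not a published signature, so treat hits as candidates to confirm, not as verdicts.

```python
import re

# Constructed sample in HijackThis log format, modelled on entries from the log above
# (a short excerpt with a few known-good lines mixed in, not the full log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F63F801-8D5B-4CBB-ADF7-65108E8A976E} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\rqrqqqo.dll
O2 - BHO: {f0cb7835-fbbe-c8eb-b734-a358c0d80ef1} - {1fe08d0c-853a-437b-be8c-ebbf5387bc0f} - C:\WINDOWS\system32\cwycipsn.dll
O2 - BHO: (no name) - {8B508EC3-EDAD-418C-8A17-DF7622C0D854} - \
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [7c6a15e3] rundll32.exe "C:\WINDOWS\system32\xubyhnpn.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.doginhispen.com
O20 - Winlogon Notify: rqrqqqo - C:\WINDOWS\SYSTEM32\rqrqqqo.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
"""

SYSTEM32_RE = re.compile(r'\\(?:WINDOWS|WINNT)\\system32\\([^\\\s"]+)$', re.I)
GUID_RE = re.compile(r'^\{[0-9a-f-]{36}\}$', re.I)
RUN_RE = re.compile(r'HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)')


def system32_stem(field):
    """Lower-cased file name without extension if the field is a path under system32, else None."""
    m = SYSTEM32_RE.search(field)
    return m.group(1).rsplit('.', 1)[0].lower() if m else None


def looks_random(stem):
    """Assumed heuristic for Vundo-style generated names: 5-8 lowercase letters, at most 1 vowel in 5."""
    if not re.fullmatch(r'[a-z]{5,8}', stem):
        return False
    return sum(c in 'aeiou' for c in stem) / len(stem) <= 0.2


def analyze(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every entry that trips a triage rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(' - ')          # HijackThis separates fields with " - "
        kind, reasons = fields[0], []
        if kind == 'O2' and len(fields) >= 4:
            name = fields[1].partition(': ')[2]
            target = fields[3]
            unnamed = name == '(no name)' or bool(GUID_RE.match(name))
            stem = system32_stem(target)
            if unnamed and target == '\\':
                reasons.append('unnamed BHO with no file path (orphaned or hidden registration)')
            elif unnamed and stem and looks_random(stem):
                reasons.append('unnamed BHO loading a random-named DLL from system32')
        elif kind == 'O4' and len(fields) >= 2:
            m = RUN_RE.match(fields[1])
            if m and re.fullmatch(r'[0-9a-f]{8}', m.group(1)) and 'rundll32' in m.group(2).lower():
                reasons.append('Run value with an 8-hex-digit name loading a DLL via rundll32')
        elif kind == 'O15':
            reasons.append('Trusted Zone entry: confirm the domain is wanted, else clear it')
        elif kind == 'O20' and len(fields) >= 3:
            stem = system32_stem(fields[2])
            if stem and looks_random(stem):
                reasons.append('Winlogon Notify DLL with a random name (loaded at every logon)')
        elif kind == 'O23' and len(fields) >= 4:
            stem = system32_stem(fields[3])
            if fields[2] == 'Unknown owner' and stem and looks_random(stem):
                reasons.append('service with no vendor running a random-named binary from system32')
        if reasons:
            findings.append({'line': line, 'reasons': reasons})
    return findings


def shared_components(findings):
    """Map each system32 file named in a finding to the set of entry types that reference it."""
    refs = {}
    for f in findings:
        for m in re.finditer(r'system32\\([^\\\s",]+)', f['line'], re.I):
            refs.setdefault(m.group(1).lower(), set()).add(f['line'].split(' - ')[0])
    return refs


if __name__ == '__main__':
    hits = analyze(SAMPLE_HJT_LOG)
    for f in hits:
        print(f['line'])
        for r in f['reasons']:
            print('   ->', r)
    print(shared_components(hits))
```

Running it flags eight of the twelve sample lines and leaves the Adobe BHO, ccApp, ctfmon and the NVIDIA service alone. The cross-reference at the end shows rqrqqqo.dll registered both as a BHO and as a Winlogon Notify handler, which is why both entries have to be fixed together: leaving either one lets the DLL load again at the next logon or the next Internet Explorer start.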

ken545
2007-12-02, 06:46
You do have a bunch of Vundo entries; we will tackle that after we finish up with the AWF program. You also have a backdoor trojan along with a couple of other nasties. Outside of posting here I would recommend staying off the internet until we give you the all clear.

TheOnlyBigDog
2007-12-02, 06:46
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sat 12/01/2007
The current time is: 21:44:07.87


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 12:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

09/27/2007 10:49 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 04:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/22/2007 06:30 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

04/22/2003 02:05 PM 94,208 CTDetect.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 12:00 AM 45,056 CTDVDDET.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

07/02/2003 09:03 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of D:\PROGRA~1\321STU~1\PLATINUM\BAK

10/28/2003 01:31 PM 0 makedir
1 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
111840 Oct 16 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Sep 27 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58488 Aug 13 2004 "C:\unzipped\Norton Antivirus 2005 + Keygen\Norton Antivirus 2005\SUPPORT\CCCOMMON\CCCOMMON\CCAPP.EXE"
58488 Aug 13 2004 "C:\Documents and Settings\BURNING ADDICTION\A BURNING ADDICTION\new documents\BRIAN\jayson\Norton Antivirus 2005 + Keygen\Norton Antivirus 2005\SUPPORT\CCCOMMON\CCCOMMON\CCAPP.EXE"
180269 Sep 22 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
94208 Apr 22 2003 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
94208 Apr 22 2003 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
102400 Dec 2 2004 "D:\PROGRAMS 2\Creative\MediaSource\Detector\CTDetect.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE"
57344 Jul 2 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"
57344 Jul 2 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
0 Oct 28 2003 "D:\PROGRAMS 2\321Studios\Platinum\bak\makedir"
0 Oct 28 2003 "D:\PROGRAMS 2\321Studios\Platinum\tdf\makedir.dir"


end of report

P.S. what time in the A.M., so I can be sure to be on when you get here?
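
FindAWF's "Duplicate files of bak directory contents" section is the part of this report worth reading closely. The infection the tool is written to find moves a legitimate startup executable into a bak subfolder and puts its own loader under the original name and path, so for every file in a bak folder the question is what now lives at the original location and whether it is the same file. The report carries only sizes and dates, not hashes, so size comparison is the best check the text allows. As an added example, not part of the thread or of FindAWF, the following Python script pairs each bak entry with its live counterpart and classifies the pair; the sample is a constructed excerpt modelled on lines from the report above.

```python
import re

# Constructed sample in the format of FindAWF's duplicate-file section:
# size in bytes, date, quoted path. Modelled on the report above, not a copy of it.
SAMPLE_AWF_REPORT = r"""
90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
111840 Oct 16 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Sep 27 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
180269 Sep 22 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
94208 Apr 22 2003 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
94208 Apr 22 2003 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
102400 Dec 2 2004 "D:\PROGRAMS 2\Creative\MediaSource\Detector\CTDetect.exe"
0 Oct 28 2003 "D:\PROGRAMS 2\321Studios\Platinum\bak\makedir"
"""

LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"$')


def parse_report(text):
    """Map lower-cased path -> (size, date, path as printed); non-matching lines are ignored."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            size, date, path = int(m.group(1)), m.group(2), m.group(3)
            entries[path.lower()] = (size, date, path)
    return entries


def pair_bak_files(text):
    """For each file inside a bak folder, find the file at the original path and compare sizes."""
    entries = parse_report(text)
    results = []
    for key, (bak_size, bak_date, bak_path) in entries.items():
        idx = key.rfind('\\bak\\')
        if idx < 0:
            continue                      # not a bak-folder entry
        live_key = key[:idx] + key[idx + len('\\bak'):]   # drop the "\bak" component
        live = entries.get(live_key)
        if live is None:
            status = 'no live counterpart'
        elif live[0] == bak_size:
            status = 'same size'
        else:
            status = 'size differs'
        results.append({
            'bak': bak_path, 'bak_size': bak_size, 'bak_date': bak_date,
            'live': live[2] if live else None,
            'live_size': live[0] if live else None,
            'status': status,
        })
    return results


def loader_candidates(results):
    """Pairs where the live file exists but is not the same size as the bak copy."""
    return [r for r in results if r['status'] == 'size differs']


if __name__ == '__main__':
    pairs = pair_bak_files(SAMPLE_AWF_REPORT)
    for r in pairs:
        print(f"{r['status']:20} bak={r['bak']} ({r['bak_size']})  live={r['live']} ({r['live_size']})")
    print('examine first:', [r['live'] for r in loader_candidates(pairs)])
```

In the sample, SNDMon.exe is the one pair whose live copy differs in size from the bak copy. That is a file to examine (hash it, check its signature), not proof of infection, since a vendor update between the two dates would produce the same difference. A bak file with no live counterpart, such as realsched.exe here, means nothing currently sits at the original path; equal sizes are consistent with a clean restore but do not prove it without a hash.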

TheOnlyBigDog
2007-12-02, 06:51
Thanks... and hit me up with a time so I can just log off and we will hook back up in the A.M.... that is, of course, if you would choose to do it then.... anytime is good for me.

ken545
2007-12-02, 13:06
Double-click FindAWF.exe to start the tool.

* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\WINDOWS\bak
C:\Program Files\SymNetDrv\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Creative\MediaSource\Detector\bak
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak
D:\PROGRAMS 2\321Studios\Platinum\bak


* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt in your next reply

TheOnlyBigDog
2007-12-02, 19:53
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sun 12/02/2007
The current time is: 10:49:12.75


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

ken545
2007-12-02, 21:26
Great :bigthumb: We are ready to move on.

First let me point out that this program is not malicious but is advertising related, so it's your call to uninstall it or not.

http://www.superadblocker.com/definition/palstart/
C:\Program Files\Paltalk Messenger


There is going to be a lot to do, so you may want to print this out and keep it handy. We are going to run a few scans to start the removal of this garbage. I need to see all the reports; they most likely will not fit in one reply, so take 2 or more replies to post them all.


Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.

Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer

We need to make sure all hidden files are showing :

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {0F63F801-8D5B-4CBB-ADF7-65108E8A976E} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\rqrqqqo.dll
O2 - BHO: {f0cb7835-fbbe-c8eb-b734-a358c0d80ef1} - {1fe08d0c-853a-437b-be8c-ebbf5387bc0f} - C:\WINDOWS\system32\cwycipsn.dll
O2 - BHO: (no name) - {8B508EC3-EDAD-418C-8A17-DF7622C0D854} - \

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [7c6a15e3] rundll32.exe "C:\WINDOWS\system32\xubyhnpn.dll",b

Remove this only if you have uninstalled Paltalk
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe

O20 - Winlogon Notify: rqrqqqo - C:\WINDOWS\SYSTEM32\rqrqqqo.dll

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe

I don't know what these are and I am not clicking on the link to find out
O24 - Desktop Component 0: (no name) - http://images.stage6.com/channel_ima...f2a6e3650t.jpg
O24 - Desktop Component 1: (no name) - http://images.stage6.com/channel_ima...f29ab9953t.jpg
O24 - Desktop Component 10: (no name) - http://images.stage6.com/channel_ima...20ef233bff.jpg
O24 - Desktop Component 11: (no name) - http://images.stage6.com/channel_ima...b36e8512c8.jpg
O24 - Desktop Component 12: (no name) - http://images.stage6.com/channel_ima...20a92b6691.jpg
O24 - Desktop Component 13: (no name) - http://images.stage6.com/channel_ima...b33b447f6e.jpg
O24 - Desktop Component 14: (no name) - http://images.stage6.com/channel_ima...b339a15c77.jpg
O24 - Desktop Component 15: (no name) - http://images.stage6.com/channel_ima...2068ba93f5.jpg
O24 - Desktop Component 16: (no name) - http://www.carstickerpro.com/~exotic...02176-16sm.jpg
O24 - Desktop Component 17: (no name) - http://images.stage6.com/channel_ima...b361f24f0b.jpg
O24 - Desktop Component 18: (no name) - http://images.stage6.com/channel_ima...b34e9c0f67.jpg
O24 - Desktop Component 2: (no name) - http://images.stage6.com/channel_ima...b365dc52e4.jpg
O24 - Desktop Component 3: (no name) - http://images.stage6.com/channel_ima...b33dc14c86.jpg
O24 - Desktop Component 4: (no name) - http://images.stage6.com/channel_ima...b36abce3ad.jpg
O24 - Desktop Component 5: (no name) - http://www.lamborghiniclub.com/mur6403.jpg
O24 - Desktop Component 6: (no name) - http://img.gactv.com/GAC/2006/05/16/...ntire8_v_p.jpg
O24 - Desktop Component 7: (no name) - http://images.stage6.com/channel_ima...b34a8ebc4c.jpg
O24 - Desktop Component 8: (no name) - http://images.stage6.com/channel_ima...b364329884.jpg
O24 - Desktop Component 9: (no name) - http://images.stage6.com/channel_ima...b3010da06d.jpg


Delete the files in Red
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\cwycipsn.dll

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Let me see ....

1. VundoFix log
2. SAS log
3. ComboFix log
4. New HJT log

TheOnlyBigDog
2007-12-02, 21:29
Great What?

ken545
2007-12-02, 21:48
:oops: Hit the reply button too soon, read on.

TheOnlyBigDog
2007-12-02, 23:49
VundoFix V6.6.2

Checking Java version...

Scan started at 1:22:07 PM 12/2/2007

Listing files found while scanning....

C:\windows\system32\paxcqdog.exe

Beginning removal...

Attempting to delete C:\windows\system32\paxcqdog.exe
C:\windows\system32\paxcqdog.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 1:38:06 PM 12/2/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

TheOnlyBigDog
2007-12-02, 23:50
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/02/2007 at 02:31 PM

Application Version : 3.9.1008

Core Rules Database Version : 3353
Trace Rules Database Version: 1352

Scan type : Complete Scan
Total Scan Time : 00:33:07

Memory items scanned : 400
Memory threats detected : 5
Registry items scanned : 8520
Registry threats detected : 14
File items scanned : 49094
File threats detected : 62

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\RQRQQQO.DLL
C:\WINDOWS\SYSTEM32\RQRQQQO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}
HKCR\CLSID\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}
HKCR\CLSID\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}\InprocServer32
HKCR\CLSID\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rqrqqqo
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20071202-133447-544.DLL
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20071202-133745-421.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\VTUTS.DLL
C:\WINDOWS\SYSTEM32\VTUTS.DLL
HKLM\Software\Classes\CLSID\{6C0D1D5D-5D38-4A55-AD9F-CDD4F0179309}
HKCR\CLSID\{6C0D1D5D-5D38-4A55-AD9F-CDD4F0179309}
HKCR\CLSID\{6C0D1D5D-5D38-4A55-AD9F-CDD4F0179309}\InprocServer32
HKCR\CLSID\{6C0D1D5D-5D38-4A55-AD9F-CDD4F0179309}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C0D1D5D-5D38-4A55-AD9F-CDD4F0179309}

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\PERFS.EXE
C:\WINDOWS\SYSTEM32\PERFS.EXE
HKLM\System\ControlSet001\Services\perfmons
HKLM\System\ControlSet002\Services\perfmons
HKLM\System\CurrentControlSet\Services\perfmons
C:\WINDOWS\SYSTEM32\NDT.SYS

Rootkit.NDT2
C:\WINDOWS\SYSTEM32\NDT2.SYS
C:\WINDOWS\SYSTEM32\NDT2.SYS
C:\WINDOWS\Prefetch\NDT2.SYS-22AAAB91.pf

Trojan.Downloader-Gen/INDT2
C:\WINDOWS\SYSTEM32\INDT2.SYS
C:\WINDOWS\SYSTEM32\INDT2.SYS
C:\WINDOWS\Prefetch\INDT2.SYS-3A706AA7.pf

Adware.Tracking Cookie
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@atdmt[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@adultfriendfinder[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@login.tracking101[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@richmedia.yahoo[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@www.epilot[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@adbrite[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@networksolutions.112.2o7[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@crack.serial.cracks[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@hornymatches[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ads.revsci[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@tagiq.clickforensics[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ads.auctionads[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@trafficmp[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ads.pointroll[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@revsci[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@videoegg.adbureau[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@cracks[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@adinterax[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@realmedia[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@4.adbrite[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@specificclick[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@electronicarts.112.2o7[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@tacoda[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@heavycom.122.2o7[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@advertising[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@www.levelclick[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@yadro[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@2o7[3].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@adopt.specificclick[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@2o7[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ehg-kasperskylab.hitbox[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ehg-pcsecurityshield.hitbox[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@hitbox[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@tagiq.clickforensics[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt

Adware.Vundo-Variant/Small-A
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20071202-133447-337.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001189.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001441.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001444.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001445.DLL
C:\WINDOWS\SYSTEM32\CWYCIPSN.DLL
C:\WINDOWS\SYSTEM32\MTAGJVJB.DLL

Trojan.Downloader-Gen/TaLDrv
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\M8\NSTS2DLL1.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP2\A0000011.EXE

Adware.Vundo/Traff-2
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP11\A0001615.EXE
C:\VUNDOFIX BACKUPS\PAXCQDOG.EXE.BAD

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP2\A0000016.DLL

Trojan.Downloader-Gen/DDC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP4\A0000763.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP4\A0000764.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001194.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001443.EXE

TheOnlyBigDog
2007-12-02, 23:52
ComboFix 07-11-19.4 - BURNING ADDICTION 2007-12-02 14:38:03.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1561 [GMT -8:00]
Running from: C:\Documents and Settings\BURNING ADDICTION\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 13:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-02 13:42 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\SUPERAntiSpyware.com
2007-12-02 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-02 13:22 <DIR> d-------- C:\VundoFix Backups
2007-12-01 18:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 16:46 0 --a------ C:\WINDOWS\system32\npnhybux.tmp
2007-12-01 04:20 441,495 --ahs---- C:\WINDOWS\system32\stutv.ini2
2007-12-01 04:20 441,495 --ahs---- C:\WINDOWS\system32\stutv.ini
2007-11-30 20:22 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-30 11:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-30 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-30 11:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-30 10:00 2,654,789 ---hs---- C:\WINDOWS\system32\npnhybux.ini
2007-11-29 19:48 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-29 15:32 <DIR> d-------- C:\Program Files\Magic Video Studio
2007-11-29 15:32 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Vso
2007-11-29 15:32 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-11-29 15:32 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2007-11-29 15:32 81,920 --a------ C:\Documents and Settings\BURNING ADDICTION\Application Data\ezpinst.exe
2007-11-29 15:32 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-11-29 15:32 47,360 --a------ C:\Documents and Settings\BURNING ADDICTION\Application Data\pcouffin.sys
2007-11-29 15:22 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2007-11-29 15:22 <DIR> d-------- C:\Program Files\ACD Systems
2007-11-29 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-11-29 14:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2007-11-29 14:37 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\ICQ Toolbar
2007-11-29 14:08 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2007-11-29 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InterVideo
2007-11-29 14:08 210,456 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-11-29 14:08 206,360 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-11-29 14:08 198,168 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-11-29 14:08 198,168 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-11-29 14:08 194,072 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-11-29 14:08 26,136 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-11-29 14:07 <DIR> d-------- C:\Program Files\Windows Media Components
2007-11-29 01:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DLSZMJGIYG
2007-11-28 12:21 2,028,042 ---hs---- C:\WINDOWS\system32\ujcxrjkp.ini
2007-11-27 11:32 <DIR> d-------- C:\garbage
2007-11-27 10:27 <DIR> d-------- C:\Temp
2007-11-27 09:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-27 08:24 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-27 08:24 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-27 08:24 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-27 08:24 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-27 08:24 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-27 08:24 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-27 08:24 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-27 08:24 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-27 08:24 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-27 01:29 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-26 22:32 <DIR> d-------- C:\Program Files\Deskshare
2007-11-26 22:10 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Download Manager
2007-11-26 22:10 1,085,520 --a------ C:\PRE4_TB_WWEFGJ.exe
2007-11-26 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-26 21:37 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-11-26 21:37 258,352 --a------ C:\WINDOWS\system32\Unicows.dll
2007-11-25 20:43 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Nero
2007-11-23 16:54 <DIR> d-------- C:\Program Files\InterActual
2007-11-18 14:01 7 --a------ C:\WINDOWS\system32\hoghslots.reg
2007-11-17 01:38 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Sonic
2007-11-17 01:34 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Leadertech
2007-11-17 01:16 <DIR> d-------- C:\Program Files\Aimersoft
2007-11-13 14:21 <DIR> d-------- C:\rec
2007-11-13 10:19 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Nitrogen
2007-11-06 18:11 748,000 --a------ C:\WINDOWS\system32\#store3.rst
2007-11-05 21:26 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-11-05 19:53 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\JAPANESE DVD
2007-11-05 19:32 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\DOCS
2007-11-05 11:41 <DIR> d-------- C:\Program Files\321Studios
2007-11-05 11:38 <DIR> d-------- C:\Program Files\Cucusoft
2007-11-04 17:12 <DIR> d-------- C:\iSofterOutput
2007-11-04 17:01 <DIR> d-------- C:\Program Files\iSofter
2007-11-04 17:01 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-04 17:01 716,800 --a------ C:\WINDOWS\system32\lameACM.acm
2007-11-04 17:01 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-04 17:01 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-11-04 17:01 16,512 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2007-11-04 17:01 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2007-11-03 19:24 <DIR> d--hs---- C:\Documents and Settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 21:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 20:50 --------- d-----w C:\Program Files\Paltalk Messenger
2007-12-02 20:50 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Paltalk
2007-12-02 18:49 --------- d-----w C:\Program Files\SymNetDrv
2007-12-02 03:47 --------- d-----w C:\Program Files\ICQToolbar
2007-12-01 01:30 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-30 03:48 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-29 22:56 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Ulead Systems
2007-11-29 22:43 488 ---ha-r C:\2syttodxas.sys
2007-11-29 22:43 --------- d-----w C:\Program Files\Sax & Dottys Show Hoster
2007-11-29 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-29 22:07 --------- d-----w C:\Program Files\Ulead Systems
2007-11-29 22:07 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-11-29 20:35 --------- d-----w C:\Program Files\MP3 WAV Converter
2007-11-29 18:29 --------- d-----w C:\Program Files\Winamp
2007-11-29 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-29 11:15 --------- d-----w C:\Program Files\The Cleaner
2007-11-29 09:13 --------- d-----w C:\Program Files\BadgeHelp
2007-11-27 17:24 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-27 05:53 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\LimeWire
2007-11-27 00:02 --------- d-----w C:\Program Files\Kjpro
2007-11-26 21:18 --------- d-----w C:\Program Files\Sax & Dottys Karaoke Zip Player
2007-11-26 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-26 04:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-11-18 20:50 --------- d-----w C:\Program Files\Access 97 Runtime
2007-11-13 19:16 --------- d-----w C:\Program Files\NetworkActiv AUTAPF 1.0
2007-11-13 19:15 --------- d-----w C:\Program Files\Micro Technology Unlimited
2007-11-07 06:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-06 05:25 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-10-31 08:00 --------- d-----w C:\Program Files\AtomixMP3
2007-10-31 06:10 --------- d-----w C:\Program Files\BitComet
2007-10-31 02:16 --------- d-----w C:\Program Files\MixUp
2007-10-30 23:28 --------- d-----w C:\Program Files\CDGFix Demo
2007-10-30 19:15 --------- d-----w C:\Program Files\Emission
2007-10-30 18:53 --------- d-----w C:\Program Files\PhotoViz
2007-10-29 05:10 --------- d-----w C:\Program Files\Symantec
2007-10-29 03:18 4,608 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-29 02:55 --------- d-----w C:\Program Files\Creative
2007-10-29 02:54 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-10-29 02:54 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-10-29 02:16 --------- d-----w C:\Program Files\Fichiers communs
2007-10-29 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\DigiOn
2007-10-29 01:50 --------- d-----w C:\Program Files\Phonotron 1
2007-10-29 00:39 --------- d-----w C:\Program Files\Karaoke Go Round
2007-10-29 00:39 --------- d-----w C:\Program Files\Karaoke-Go-Round3
2007-10-29 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-29 00:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-25 04:15 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Roxio
2007-10-24 22:54 --------- d-----w C:\Program Files\Karasoft
2007-10-20 09:29 --------- d-----w C:\Program Files\VirtualDJ
2007-10-20 09:04 --------- d-----w C:\Program Files\Reallusion
2007-10-20 09:04 --------- d-----w C:\Program Files\Common Files\Reallusion
2007-10-20 09:04 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Reallusion
2007-10-20 09:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Reallusion
2007-10-20 08:37 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-19 09:26 --------- d-----w C:\Program Files\OTS
2007-10-19 08:42 --------- d-----w C:\Program Files\CDG Ripper
2007-10-19 08:29 --------- d-----w C:\Program Files\ProCDG
2007-10-19 08:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-19 08:26 249,856 ------w C:\WINDOWS\Setup1.exe
2007-10-18 10:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-16 19:24 --------- d-----w C:\Program Files\Common Files\Borland Shared
2007-10-16 19:24 --------- d-----w C:\Program Files\CD+G AutoName
2007-10-16 19:18 --------- d-----w C:\Program Files\Eraser
2007-10-16 18:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-16 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-16 03:48 --------- d-----w C:\Program Files\Sierra On-Line
2007-10-16 03:38 --------- d-----w C:\Program Files\DIFX
2007-10-15 08:03 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\TERMINAL Studio
2007-10-14 02:48 --------- d-----w C:\Program Files\iWin.com Games
2007-10-13 09:20 77,824 ----a-w C:\WINDOWS\zipexe_r.exe
2007-10-13 09:20 14,807,040 ----a-w C:\VirtualAssistant.exe
2007-10-13 09:20 --------- d-----w C:\Program Files\Virtual Assistant
2007-10-13 09:17 --------- d-----w C:\Program Files\EMBARQ
2007-10-13 09:17 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-13 09:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-10-12 18:17 --------- d-----w C:\Program Files\PFConfig
2007-10-11 02:18 --------- d-----w C:\Program Files\Logitech
2007-10-11 00:30 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-10 07:53 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-10 07:51 --------- d-----w C:\Program Files\HellFIRE Screensaver
2007-10-10 03:17 0 ----a-w C:\PROGRAM1.DAT
2007-10-10 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-10 02:16 --------- d-----w C:\Program Files\MSN Messenger
2007-10-10 00:03 21 ----a-w C:\Program Files\Common Files\appop.log
2007-10-09 05:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-10-09 05:18 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-10-07 07:28 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Ahead
2007-10-06 23:59 --------- d-----w C:\Program Files\Desktop Architect
2007-10-06 23:01 2,846,188 ----a-w C:\WINDOWS\system32\Its Cold Outside.scr
2007-10-06 23:00 2,882,910 ----a-w C:\WINDOWS\system32\Moon Circle1.scr
2007-10-06 22:36 --------- d-----w C:\Program Files\Plus!
2007-10-06 08:21 --------- d-----w C:\Program Files\3D Space Tour
2007-10-06 07:48 --------- d-----w C:\Program Files\Astro Gemini Software
2007-10-06 07:47 --------- d-----w C:\Program Files\3D Formula 1 Screensaver
2007-10-06 06:32 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Astro Gemini Software
2007-10-06 05:46 --------- d-----w C:\Program Files\Fish Aquarium 3D Screensaver
2007-10-06 01:59 640,512 ----a-w C:\WINDOWS\system32\ad2mcmpgdec.dll
2007-10-06 01:59 434,176 ----a-w C:\WINDOWS\system32\ad2mpegin.dll
2007-10-05 23:35 --------- d-----w C:\Program Files\Insaniquarium Deluxe
.

((((((((((((((((((((((((((((( snapshot_2007-11-30_18.04.45.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-30 18:45:11 8,667,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-02 02:04:49 8,667,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-11-30 18:45:11 188,416 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-02 02:04:49 188,416 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-02 21:42:29 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-02 21:42:29 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-12-02 21:42:29 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-11 22:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-07-27 23:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 23:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 04:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 21:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-03 02:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-03 02:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-09 00:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 19:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
- 2006-09-26 00:58:48 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-10-08 22:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll

TheOnlyBigDog
2007-12-02, 23:53
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2003-04-22 14:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 04:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-04-19 11:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 04:00 C:\WINDOWS\system32\rundll32.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-16 10:30]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 09:03]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 17:06]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 16:32]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2007-09-29 18:21]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 14:45]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 16:50]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PlexTools Professional.lnk
backup=C:\WINDOWS\pss\PlexTools Professional.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^BURNING ADDICTION^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
path=C:\Documents and Settings\BURNING ADDICTION\Start Menu\Programs\Startup\Reality Fusion GameCam SE.lnk
backup=C:\WINDOWS\pss\Reality Fusion GameCam SE.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
C:\WINDOWS\system32\JMRaidSetup.exe boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Gear Help]
2006-07-27 19:39 415744 --a------ C:\Program Files\ASUS\AI Gear\GearHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]
2006-11-30 10:23 1419776 --a------ C:\Program Files\ASUS\AI Nap\AiNap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-11-13 22:25 363008 -ra------ C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-10-28 15:25 94208 --a------ C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-10-31 10:10 478800 --a------ C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIRECTCD]
C:\Program Files\InterVideo\Disc Master 2.5\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMC]
C:\Program Files\FriendFinder\FriendFinder Messenger 30\imc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMDating]
C:\Program Files\BC Computing\IM-DatingIM-Dating.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2006-10-30 04:44 36864 -r------- C:\WINDOWS\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ks_Install]
C:\Documents and Settings\BURNING ADDICTION\Desktop\Kool_Karaoke_Studio_Downloadable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2006-11-28 16:20 3714048 --a------ C:\Program Files\ASUS\AI Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-10-08 21:18 67128 --a------ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\WINDOWS\system32\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
2003-06-12 08:47 135168 --a------ C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-07-11 06:51 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-12-18 05:34 868352 -ra------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
2006-11-29 10:58 90112 --------- C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 --a------ C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2003-12-12 16:50 33792 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-06-08 06:59 224248 --a------ C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
R3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-02 21:54:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-01 04:00:13 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - BURNING ADDICTION.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 14:39:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R??o?u?r?c?e?\?D?e?t?e?c?t?o?r?\?C?T?D?e?t?e?c?t?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-02 14:40:36
.
--- E O F ---

TheOnlyBigDog
2007-12-02, 23:54
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:51 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?2e418709cb2e4b059d87d5fc7c556b13
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?2e418709cb2e4b059d87d5fc7c556b13
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 10: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720ef233bff.jpg
O24 - Desktop Component 11: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b36e8512c8.jpg
O24 - Desktop Component 12: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720a92b6691.jpg
O24 - Desktop Component 13: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b33b447f6e.jpg
O24 - Desktop Component 14: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b339a15c77.jpg
O24 - Desktop Component 15: (no name) - http://images.stage6.com/channel_images/maxmotorshow/4672068ba93f5.jpg
O24 - Desktop Component 16: (no name) - http://www.carstickerpro.com/~exoticmotorcars/7LA02176-16sm.jpg
O24 - Desktop Component 17: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b361f24f0b.jpg
O24 - Desktop Component 18: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b34e9c0f67.jpg

--
End of file - 13444 bytes

ken545
2007-12-03, 00:40
C:\Documents and Settings\BURNING ADDICTION <-- What can you tell me about this???


Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::



File::
C:\WINDOWS\system32\xubyhnpn.dll
C:\WINDOWS\system32\npnhybux.tmp
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\npnhybux.ini

Folder::
C:\VundoFix Backups


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.




Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!




Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update.
Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then, after installing, you can verify your installation here: Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.


The rest of your log looks fine. How is your system behaving now???

TheOnlyBigDog
2007-12-03, 00:41
> C:\Documents and Settings\BURNING ADDICTION <-- What can you tell me about this???


This Is My Business Folder

TheOnlyBigDog
2007-12-03, 00:45
I really can't tell yet! It doesn't seem to be hijacking anything at the moment.

ken545
2007-12-03, 00:55
Brain,

Run those files through Combofix, update your Java, run CCleaner and post the Combofix log.

doginhispen.com This site is what started you on your path to infections.

TheOnlyBigDog
2007-12-03, 01:09
ComboFix 07-11-19.4 - BURNING ADDICTION 2007-12-02 15:51:41.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1523 [GMT -8:00]
Running from: C:\Documents and Settings\BURNING ADDICTION\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\BURNING ADDICTION\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 13:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-02 13:42 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\SUPERAntiSpyware.com
2007-12-02 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-01 18:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 16:46 0 --a------ C:\WINDOWS\system32\npnhybux.tmp
2007-12-01 04:20 441,495 --ahs---- C:\WINDOWS\system32\stutv.ini2
2007-12-01 04:20 441,495 --ahs---- C:\WINDOWS\system32\stutv.ini
2007-11-30 20:22 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-30 11:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-30 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-30 11:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-30 10:00 2,654,789 ---hs---- C:\WINDOWS\system32\npnhybux.ini
2007-11-29 19:48 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-29 15:32 <DIR> d-------- C:\Program Files\Magic Video Studio
2007-11-29 15:32 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Vso
2007-11-29 15:32 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-11-29 15:32 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2007-11-29 15:32 81,920 --a------ C:\Documents and Settings\BURNING ADDICTION\Application Data\ezpinst.exe
2007-11-29 15:32 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-11-29 15:32 47,360 --a------ C:\Documents and Settings\BURNING ADDICTION\Application Data\pcouffin.sys
2007-11-29 15:22 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2007-11-29 15:22 <DIR> d-------- C:\Program Files\ACD Systems
2007-11-29 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-11-29 14:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2007-11-29 14:37 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\ICQ Toolbar
2007-11-29 14:08 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2007-11-29 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InterVideo
2007-11-29 14:08 210,456 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-11-29 14:08 206,360 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-11-29 14:08 198,168 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-11-29 14:08 198,168 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-11-29 14:08 194,072 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-11-29 14:08 26,136 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-11-29 14:07 <DIR> d-------- C:\Program Files\Windows Media Components
2007-11-29 01:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DLSZMJGIYG
2007-11-28 12:21 2,028,042 ---hs---- C:\WINDOWS\system32\ujcxrjkp.ini
2007-11-27 11:32 <DIR> d-------- C:\garbage
2007-11-27 10:27 <DIR> d-------- C:\Temp
2007-11-27 09:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-27 08:24 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-27 08:24 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-27 08:24 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-27 08:24 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-27 08:24 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-27 08:24 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-27 08:24 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-27 08:24 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-27 08:24 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-27 01:29 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-26 22:32 <DIR> d-------- C:\Program Files\Deskshare
2007-11-26 22:10 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Download Manager
2007-11-26 22:10 1,085,520 --a------ C:\PRE4_TB_WWEFGJ.exe
2007-11-26 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-26 21:37 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-11-26 21:37 258,352 --a------ C:\WINDOWS\system32\Unicows.dll
2007-11-25 20:43 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Nero
2007-11-23 16:54 <DIR> d-------- C:\Program Files\InterActual
2007-11-18 14:01 7 --a------ C:\WINDOWS\system32\hoghslots.reg
2007-11-17 01:38 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Sonic
2007-11-17 01:34 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Leadertech
2007-11-17 01:16 <DIR> d-------- C:\Program Files\Aimersoft
2007-11-13 14:21 <DIR> d-------- C:\rec
2007-11-13 10:19 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Nitrogen
2007-11-06 18:11 748,000 --a------ C:\WINDOWS\system32\#store3.rst
2007-11-05 21:26 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-11-05 19:53 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\JAPANESE DVD
2007-11-05 19:32 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\DOCS
2007-11-05 11:41 <DIR> d-------- C:\Program Files\321Studios
2007-11-05 11:38 <DIR> d-------- C:\Program Files\Cucusoft
2007-11-04 17:12 <DIR> d-------- C:\iSofterOutput
2007-11-04 17:01 <DIR> d-------- C:\Program Files\iSofter
2007-11-04 17:01 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-04 17:01 716,800 --a------ C:\WINDOWS\system32\lameACM.acm
2007-11-04 17:01 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-04 17:01 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-11-04 17:01 16,512 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2007-11-04 17:01 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2007-11-03 19:24 <DIR> d--hs---- C:\Documents and Settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 22:46 --------- d-----w C:\Program Files\ICQToolbar
2007-12-02 22:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 20:50 --------- d-----w C:\Program Files\Paltalk Messenger
2007-12-02 20:50 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Paltalk
2007-12-02 18:49 --------- d-----w C:\Program Files\SymNetDrv
2007-12-01 01:30 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-30 03:48 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-29 22:56 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Ulead Systems
2007-11-29 22:43 488 ---ha-r C:\2syttodxas.sys
2007-11-29 22:43 --------- d-----w C:\Program Files\Sax & Dottys Show Hoster
2007-11-29 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-29 22:07 --------- d-----w C:\Program Files\Ulead Systems
2007-11-29 22:07 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-11-29 20:35 --------- d-----w C:\Program Files\MP3 WAV Converter
2007-11-29 18:29 --------- d-----w C:\Program Files\Winamp
2007-11-29 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-29 11:15 --------- d-----w C:\Program Files\The Cleaner
2007-11-29 09:13 --------- d-----w C:\Program Files\BadgeHelp
2007-11-27 17:24 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-27 05:53 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\LimeWire
2007-11-27 00:02 --------- d-----w C:\Program Files\Kjpro
2007-11-26 21:18 --------- d-----w C:\Program Files\Sax & Dottys Karaoke Zip Player
2007-11-26 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-26 04:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-11-18 20:50 --------- d-----w C:\Program Files\Access 97 Runtime
2007-11-13 19:16 --------- d-----w C:\Program Files\NetworkActiv AUTAPF 1.0
2007-11-13 19:15 --------- d-----w C:\Program Files\Micro Technology Unlimited
2007-11-07 06:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-06 05:25 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-10-31 08:00 --------- d-----w C:\Program Files\AtomixMP3
2007-10-31 06:10 --------- d-----w C:\Program Files\BitComet
2007-10-31 02:16 --------- d-----w C:\Program Files\MixUp
2007-10-30 23:28 --------- d-----w C:\Program Files\CDGFix Demo
2007-10-30 19:15 --------- d-----w C:\Program Files\Emission
2007-10-30 18:53 --------- d-----w C:\Program Files\PhotoViz
2007-10-29 05:10 --------- d-----w C:\Program Files\Symantec
2007-10-29 03:18 4,608 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-29 02:55 --------- d-----w C:\Program Files\Creative
2007-10-29 02:54 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-10-29 02:54 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-10-29 02:16 --------- d-----w C:\Program Files\Fichiers communs
2007-10-29 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\DigiOn
2007-10-29 01:50 --------- d-----w C:\Program Files\Phonotron 1
2007-10-29 00:39 --------- d-----w C:\Program Files\Karaoke Go Round
2007-10-29 00:39 --------- d-----w C:\Program Files\Karaoke-Go-Round3
2007-10-29 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-29 00:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-25 04:15 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Roxio
2007-10-24 22:54 --------- d-----w C:\Program Files\Karasoft
2007-10-20 09:29 --------- d-----w C:\Program Files\VirtualDJ
2007-10-20 09:04 --------- d-----w C:\Program Files\Reallusion
2007-10-20 09:04 --------- d-----w C:\Program Files\Common Files\Reallusion
2007-10-20 09:04 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Reallusion
2007-10-20 09:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Reallusion
2007-10-20 08:37 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-19 09:26 --------- d-----w C:\Program Files\OTS
2007-10-19 08:42 --------- d-----w C:\Program Files\CDG Ripper
2007-10-19 08:29 --------- d-----w C:\Program Files\ProCDG
2007-10-19 08:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-19 08:26 249,856 ------w C:\WINDOWS\Setup1.exe
2007-10-18 10:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-16 19:24 --------- d-----w C:\Program Files\Common Files\Borland Shared
2007-10-16 19:24 --------- d-----w C:\Program Files\CD+G AutoName
2007-10-16 19:18 --------- d-----w C:\Program Files\Eraser
2007-10-16 18:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-16 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-16 03:48 --------- d-----w C:\Program Files\Sierra On-Line
2007-10-16 03:38 --------- d-----w C:\Program Files\DIFX
2007-10-15 08:03 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\TERMINAL Studio
2007-10-14 02:48 --------- d-----w C:\Program Files\iWin.com Games
2007-10-13 09:20 77,824 ----a-w C:\WINDOWS\zipexe_r.exe
2007-10-13 09:20 14,807,040 ----a-w C:\VirtualAssistant.exe
2007-10-13 09:20 --------- d-----w C:\Program Files\Virtual Assistant
2007-10-13 09:17 --------- d-----w C:\Program Files\EMBARQ
2007-10-13 09:17 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-13 09:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-10-12 18:17 --------- d-----w C:\Program Files\PFConfig
2007-10-11 02:18 --------- d-----w C:\Program Files\Logitech
2007-10-11 00:30 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-10 07:53 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-10 07:51 --------- d-----w C:\Program Files\HellFIRE Screensaver
2007-10-10 03:17 0 ----a-w C:\PROGRAM1.DAT
2007-10-10 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-10 02:16 --------- d-----w C:\Program Files\MSN Messenger
2007-10-10 00:03 21 ----a-w C:\Program Files\Common Files\appop.log
2007-10-09 05:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-10-09 05:18 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-10-07 07:28 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Ahead
2007-10-06 23:59 --------- d-----w C:\Program Files\Desktop Architect
2007-10-06 23:01 2,846,188 ----a-w C:\WINDOWS\system32\Its Cold Outside.scr
2007-10-06 23:00 2,882,910 ----a-w C:\WINDOWS\system32\Moon Circle1.scr
2007-10-06 22:36 --------- d-----w C:\Program Files\Plus!
2007-10-06 08:21 --------- d-----w C:\Program Files\3D Space Tour
2007-10-06 07:48 --------- d-----w C:\Program Files\Astro Gemini Software
2007-10-06 07:47 --------- d-----w C:\Program Files\3D Formula 1 Screensaver
2007-10-06 06:32 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Astro Gemini Software
2007-10-06 05:46 --------- d-----w C:\Program Files\Fish Aquarium 3D Screensaver
2007-10-06 01:59 640,512 ----a-w C:\WINDOWS\system32\ad2mcmpgdec.dll
2007-10-06 01:59 434,176 ----a-w C:\WINDOWS\system32\ad2mpegin.dll
2007-10-05 23:35 --------- d-----w C:\Program Files\Insaniquarium Deluxe
.

((((((((((((((((((((((((((((( snapshot_2007-11-30_18.04.45.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-30 18:45:11 8,667,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-02 02:04:49 8,667,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-11-30 18:45:11 188,416 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-02 02:04:49 188,416 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-02 21:42:29 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-02 21:42:29 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-12-02 21:42:29 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-11 22:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-07-27 23:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 23:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 04:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 21:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-03 02:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-03 02:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-09 00:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 19:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
- 2006-09-26 00:58:48 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-10-08 22:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll
.
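As an added illustration of how the CFScript ken545 posted lines up with the "Files Created" section of this ComboFix log (this is example code written for this thread, not code from the thread, from ComboFix or from any removal tool): a Python script that parses those log lines, picks out the files in the system32 root carrying both the hidden and system attributes, pulls in same-stem companions such as the .tmp, and drafts the File::/Folder:: sections for a helper to review. The selection rules and the reversed-name DLL guess are this example's own assumptions; the sample lines are copied from the log above.

```python
"""
Draft a CFScript File::/Folder:: block from ComboFix 'Files Created' lines.

Added example, not part of the thread.  The selection rule (hidden+system
files in the system32 root, plus same-stem companions) is an assumption
drawn from the files the helper listed in the thread; every candidate is
meant for a human helper to check against the rest of the log.
"""
import re
from pathlib import PureWindowsPath

# Constructed input: lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
2007-12-01 16:46 0 --a------ C:\WINDOWS\system32\npnhybux.tmp
2007-12-01 04:20 441,495 --ahs---- C:\WINDOWS\system32\stutv.ini2
2007-12-01 04:20 441,495 --ahs---- C:\WINDOWS\system32\stutv.ini
2007-11-30 10:00 2,654,789 ---hs---- C:\WINDOWS\system32\npnhybux.ini
2007-11-29 15:32 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-11-28 12:21 2,028,042 ---hs---- C:\WINDOWS\system32\ujcxrjkp.ini
2007-11-27 08:24 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-02 13:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
"""

# 'Files Created' line layout: date, time, size or <DIR>, 9-char attributes, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")


def parse_created(text):
    """Return (path, attrs, is_dir) for every well-formed line; skip the rest."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((PureWindowsPath(m["path"]), m["attrs"], m["size"] == "<DIR>"))
    return entries


def in_system32_root(path):
    # PureWindowsPath compares case-insensitively, so WINDOWS/windows both match.
    return path.parent == SYSTEM32


def hidden_system_stems(entries):
    """Stems of files in the system32 root marked both hidden (h) and system (s),
    the attribute pattern the Virtumonde .ini droppings show in the log."""
    stems = set()
    for path, attrs, is_dir in entries:
        if not is_dir and in_system32_root(path) and "h" in attrs and "s" in attrs:
            stems.add(path.stem.lower())
    return stems


def draft_cfscript(text, folders=()):
    """Return (cfscript_text, dll_guesses).

    cfscript_text is a File::/Folder:: block listing every system32-root file
    whose stem matched a hidden+system file (so npnhybux.tmp rides along with
    npnhybux.ini).  dll_guesses are possible loader DLL names built by
    reversing each stem, the pairing seen in the thread (xubyhnpn.dll versus
    npnhybux.ini); they are guesses for the helper to verify, not findings.
    """
    entries = parse_created(text)
    stems = hidden_system_stems(entries)
    files = sorted(
        {str(p) for p, _, is_dir in entries
         if not is_dir and in_system32_root(p) and p.stem.lower() in stems},
        key=str.lower,
    )
    dll_guesses = sorted(str(SYSTEM32 / f"{s[::-1]}.dll") for s in stems)
    lines = ["File::", *files, "", "Folder::", *folders]
    return "\n".join(lines) + "\n", dll_guesses


if __name__ == "__main__":
    script, guesses = draft_cfscript(SAMPLE_LOG, folders=[r"C:\VundoFix Backups"])
    print(script)
    print("Loader DLL names to check for (reversed stems):", *guesses, sep="\n  ")
```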

TheOnlyBigDog
2007-12-03, 01:10
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2003-04-22 14:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 04:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-04-19 11:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 04:00 C:\WINDOWS\system32\rundll32.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-16 10:30]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 09:03]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 17:06]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 16:32]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2007-09-29 18:21]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 14:45]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 16:50]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PlexTools Professional.lnk
backup=C:\WINDOWS\pss\PlexTools Professional.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^BURNING ADDICTION^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
path=C:\Documents and Settings\BURNING ADDICTION\Start Menu\Programs\Startup\Reality Fusion GameCam SE.lnk
backup=C:\WINDOWS\pss\Reality Fusion GameCam SE.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
C:\WINDOWS\system32\JMRaidSetup.exe boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Gear Help]
2006-07-27 19:39 415744 --a------ C:\Program Files\ASUS\AI Gear\GearHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]
2006-11-30 10:23 1419776 --a------ C:\Program Files\ASUS\AI Nap\AiNap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-11-13 22:25 363008 -ra------ C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-10-28 15:25 94208 --a------ C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-10-31 10:10 478800 --a------ C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIRECTCD]
C:\Program Files\InterVideo\Disc Master 2.5\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMC]
C:\Program Files\FriendFinder\FriendFinder Messenger 30\imc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMDating]
C:\Program Files\BC Computing\IM-DatingIM-Dating.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2006-10-30 04:44 36864 -r------- C:\WINDOWS\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ks_Install]
C:\Documents and Settings\BURNING ADDICTION\Desktop\Kool_Karaoke_Studio_Downloadable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2006-11-28 16:20 3714048 --a------ C:\Program Files\ASUS\AI Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-10-08 21:18 67128 --a------ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\WINDOWS\system32\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
2003-06-12 08:47 135168 --a------ C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-07-11 06:51 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-12-18 05:34 868352 -ra------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
2006-11-29 10:58 90112 --------- C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 --a------ C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2003-12-12 16:50 33792 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-06-08 06:59 224248 --a------ C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
R3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-02 22:54:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-01 04:00:13 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - BURNING ADDICTION.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 15:52:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R??o?u?r?c?e?\?D?e?t?e?c?t?o?r?\?C?T?D?e?t?e?c?t?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-02 15:52:57
C:\ComboFix2.txt ... 2007-12-02 14:40
.
--- E O F ---

TheOnlyBigDog
2007-12-03, 01:11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:52 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?2e418709cb2e4b059d87d5fc7c556b13
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?2e418709cb2e4b059d87d5fc7c556b13
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 10: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720ef233bff.jpg
O24 - Desktop Component 11: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b36e8512c8.jpg
O24 - Desktop Component 12: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720a92b6691.jpg
O24 - Desktop Component 13: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b33b447f6e.jpg
O24 - Desktop Component 14: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b339a15c77.jpg
O24 - Desktop Component 15: (no name) - http://images.stage6.com/channel_images/maxmotorshow/4672068ba93f5.jpg
O24 - Desktop Component 16: (no name) - http://www.carstickerpro.com/~exoticmotorcars/7LA02176-16sm.jpg
O24 - Desktop Component 17: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b361f24f0b.jpg
O24 - Desktop Component 18: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b34e9c0f67.jpg

--
End of file - 13507 bytes
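
The helpers in this thread read a HijackThis log by eye, looking for a few recurring signs: O2/O3 entries whose DLL is "(no file)", O4 autostarts given as a bare file name, O23 services with "Unknown owner", and random eight-letter file names under system32 of the kind the Virtumonde/Vundo cleanup above was chasing. The following Python script is an added example, not part of this thread nor a HijackThis or Spybot tool, that applies those same review rules to a small constructed sample modelled on the log lines posted above. The `qwvxbzkt.exe` entry in the sample is an invented placeholder, not a file from this log, and the eight-letter rule is a heuristic for review rather than proof of infection.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the HijackThis lines posted in this thread
# but trimmed to a handful of entries. The qwvxbzkt entry is an invented
# placeholder standing in for a random-named Vundo file; it is not from the log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qwvxbzkt] C:\WINDOWS\system32\qwvxbzkt.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Eight lowercase letters followed by .exe/.dll: the shape of the random file
# names Vundo/Virtumonde variants of this era dropped into system32.
# A heuristic that marks an entry for review, not proof of infection.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")
# Last exe/dll token on a line (a file name contains no backslash, quote,
# whitespace or square bracket).
FILE_REF = re.compile(r'[^\\"\s\[\]]+\.(?:exe|dll)', re.IGNORECASE)
# A HijackThis entry: section code such as O2/O23/R1, then " - ", then the body.
ENTRY = re.compile(r"^([ORFN]\d+) - (.*)$")

Finding = Tuple[str, str, str]   # (section, reason, original line)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a HijackThis entry into (section, body); None for non-entry lines."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text: str) -> List[Finding]:
    """Apply the review rules a helper applies by eye and return what they flag."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        line = raw.strip()
        # Registered BHO/toolbar whose DLL no longer exists: a leftover to clean up.
        if body.endswith("(no file)"):
            findings.append((section, "orphaned", line))
            continue
        refs = FILE_REF.findall(body)
        # Autostart given as a bare file name: Windows resolves it by PATH search,
        # so verify which file actually loads.
        if section == "O4":
            target = body.split("] ", 1)[1] if "] " in body else body
            if "\\" not in target:
                findings.append((section, "no-path", line))
        # Service binary with no company information: verify the publisher.
        if section == "O23" and "- Unknown owner -" in body:
            findings.append((section, "unknown-owner", line))
        # Random-looking eight-letter name under system32.
        if refs and "system32" in body.lower() and RANDOM_NAME.match(refs[-1].lower()):
            findings.append((section, "random-name", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason."""
    return dict(Counter(reason for _, reason, _ in findings))


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{reason:14} {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a full saved log, the script only narrows the list to entries worth a second look; each flagged line still needs the file checked on disk, which is what the OTMoveIt and SAS steps later in this thread do.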

TheOnlyBigDog
2007-12-03, 01:16
I have no clue as to what doginhispen.com is.
I have also done everything as requested:
uninstalled Java and re d/l and installed the new updated 1
posted new log files
ran cc cleaner


But.... seems to still be running slow, plus the color of my screen seems to be changing constantly.
Also, for some ungodly reason, whatever I have/had seems to have done something to my Nortons

ken545
2007-12-03, 01:41
You may not have done this correctly; these files are part of Vundo and are still present.


Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.


Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



C:\WINDOWS\system32\xubyhnpn.dll
C:\WINDOWS\system32\npnhybux.tmp
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\npnhybux.ini

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


When your screen changes color it could be your monitor or video card causing the problem. Keep in mind that this is called Malware (malicious ware) and sometimes even after a system is cleaned it can leave behind some damage. You basically had a trojan that overwrote a bunch of your system files and replaced them with their own infected ones.

C:\Program Files\Common Files\Symantec Shared <-- This was one of them; the trojan did fool around with Norton. What I would suggest is to uninstall Norton and do a clean reinstall of Norton.


Let me see the OTMoveIt log please

TheOnlyBigDog
2007-12-03, 01:49
File/Folder C:\WINDOWS\system32\xubyhnpn.dll not found.
C:\WINDOWS\system32\npnhybux.tmp moved successfully.
C:\WINDOWS\system32\stutv.ini2 moved successfully.
C:\WINDOWS\system32\stutv.ini moved successfully.
C:\WINDOWS\system32\npnhybux.ini moved successfully.

Created on 12/02/2007 16:48:31

TheOnlyBigDog
2007-12-03, 01:51
Should I just get rid of Norton altogether and keep just the SUPERAntiSpyware program.... since Norton couldn't detect all that SAS did?

ken545
2007-12-03, 01:57
Brian,

Norton is an Anti Virus program, SAS is an Anti Spyware program, two different things. If you want to get rid of Norton, that's totally up to you; if you need them I can provide links to free Anti Virus programs.

TheOnlyBigDog
2007-12-03, 02:04
ok... with that I will just uninstall and reinstall

ken545
2007-12-03, 02:18
Let me see the OTMoveIt log, it will show if those bad files are gone or still present.

You can try this also.

Depending on how your manufacturer set up your system, you may or may not need the Windows XP CD. If you have an I386 folder on your C:\ drive you may not need the disk.

Click Start>Run
Type in sfc /scannow, hit Enter.
Note: there is a space between sfc and /scannow
This should replace any corrupted/missing system files and will hopefully fix things.

TheOnlyBigDog
2007-12-03, 02:28
I can't find that on my C:\ drive, so I tried the XP disc and it keeps telling me it's the wrong disc, even though XP only comes with 1 disc

TheOnlyBigDog
2007-12-03, 02:30
File/Folder C:\WINDOWS\system32\xubyhnpn.dll not found.
C:\WINDOWS\system32\npnhybux.tmp moved successfully.
C:\WINDOWS\system32\stutv.ini2 moved successfully.
C:\WINDOWS\system32\stutv.ini moved successfully.
C:\WINDOWS\system32\npnhybux.ini moved successfully.

Created on 12/02/2007 16:48:31

ken545
2007-12-03, 02:47
You posted it already, thanks.

Your HJT log is now clean :bigthumb:

What you have now may be Windows or hardware related, so I am providing links to free programs to install and links on tips to keeping you secure.


PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here. You can also post in their forum for Windows and hardware issues

It's Not Always Malware

Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)

Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)

Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)

Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind, if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


Glad we could help

Safe Surfn
Ken

TheOnlyBigDog
2007-12-03, 06:09
Well, I was just about to say thanks when I reinstalled nortons and checked out all the sites for programs that you listed, when....
I ran SAS again and below is the LOG that was produced:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/02/2007 at 08:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3353
Trace Rules Database Version: 1352

Scan type : Complete Scan
Total Scan Time : 01:30:05

Memory items scanned : 440
Memory threats detected : 0
Registry items scanned : 8543
Registry threats detected : 0
File items scanned : 48994
File threats detected : 21

Adware.Tracking Cookie
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@atdmt[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@mediaplex[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ad.yieldmanager[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@revsci[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@zedo[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@adinterax[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@specificclick[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@linksynergy[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@doubleclick[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@tacoda[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@2o7[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@tribalfusion[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@adopt.specificclick[1].txt

Adware.Vundo-Variant/Small
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP12\A0001633.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP12\A0001634.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP12\A0001642.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP12\A0001638.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP12\A0001639.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP12\A0001640.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP12\A0001643.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP12\A0002642.DLL

ken545
2007-12-03, 11:45
All SAS found were cookies and bad entries in your System Restore program; there are instructions for flushing it all out in my last post, it was part of the cleanup procedure.

BUT, I would hold off a few days until you're sure your system is stable; those bad files in this program can't hurt you unless you use it to restore your system, and then they might restore those files.

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you will be infected all over again, so we need to clean out the previous Restore Points

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it

tashi
2007-12-17, 21:02
TheOnlyBigDog, how is it going?

TheOnlyBigDog
2007-12-18, 06:41
Tashi,
Thank you for asking!
Ken545 did a fabulous job in helping clean up my system, and since we have completed that grueling task, all has been great. I bought all the recommended programs and run them on a regular basis to make sure smitfraud and virtumonde never appear again on my system.

P.S. Keep up the good work... All The Security Experts at S@D are "ANGELS"