PDA

View Full Version : Please Help! MANY malwares/trojans/ etc!



taichi
2008-04-06, 22:11
First, I want to apologize in advance for the length of my post. I am really distraught and want to see if I can get help, from the forum tech people. If I am posting this in the wrong column or topic, please just point me in the right direction and I will post it there. THANKS IN ADVANCE FOR ANY HELP!!

I am listing all the things I found, did, and sequence of events, if that might possibly help someone give me assistance. I am so upset because I have never had any virus/trojan/malware problems (as far back Win95, Win98, Win200, WinXP – sounds like I’m 100, but not). Anyway, NEVER a problem! I always used McAfee, kept it up to date every day, didn’t download from strangers, don’t open email from unknowns, always scan, yadda yadda. About 3 years ago, I was concerned about spyware, so even installed Spybot and LavaSoft's Adaware and ran them on about a monthly basis. Only found a bit of tracking junk here and there.

Now, I'm on a 7 mo-old new out of box HP laptop running Windows Vista 32 home ed, and never had problems with it either, although I switched to Norton 360 for AV, because it seemed like a good price (and trial version came preloaded). I keep it running all the time the computer is on and it is automatically updated every day. Norton never told me there was any problem at all. I also have Windows updates automatically every day – emergency/critical/ you name it, I get it.

Then on Wednesday, 4/2/08 in the evening, I was on the web doing research for some cosmetic (personal) surgery I am considering, (and I don’t want to post what it is here), but all of a sudden I started getting PORN SITES come up, when I was NOT clicking on going to them!! There was stuff popping up all over and I was hitting the X (exit) and trying to go back page STOP Loading, (even tried to close the tabs!). I usually try to remember to run Mozilla's Firefox and didn't, unfortunately I was on IE. :-(
But I had to finally CAD and restart because I could not get the pages to close! They HUNG on to my computer!

But, when Windows came back, all of a sudden, I started receiving strange popups:

** A couple appeared as though they were Windows Security alerts - a RED border and "Security System Warning" c:\windows\wml.exe Abebot - click here to visit PC-Antispyware web site."
(lots of other words, but I had a feeling it was NOT really windows, or Norton. So, I just closed it and ran a full NORTON scan and it said I had "Trojan.Vunda" - and had to fix it manually. However, the Norton will NOT FIX it (I even logged on as administrator) and it would not fix the vundo item.

As I got to Norton’s web site to look up what to do – next strange thing:
** I noticed I had a "new" toolbar with 3 or 4 new little buttons. That was not right! So, I viewed toolbars and it showed a "stfngdvw" toolbar. Had no idea what that was so I unchecked it and the buttons went away, but it is still listed there. I couldn’t find info on Norton’s site, except for web chat/email with them, but then the next strange thing happened:

** Started getting a popup that shows: "Possible spyware infection detected - Threat Name TrojanDownloader.xs"

** Next even stranger things began to happen: my formally smooth-running, predictable laptop was acting nuts - I would lose the desktop-- lose everything! Icons, status bar, systray, MOUSE, touch pad. Also, I couldn't open programs, couldn't even shut down!
Had to do HARD crash shutdowns, just to turn it off, several times.

I ran Windows Defender and it found 3 items:
** SideStep (the travel finder side bar, which I rarely use)
** Atomic Clock Sync (from Software Bundler--have had for about 3 years on diff machines and never a problem), and one called
** "ADWARE.WIN32/VAPSUP" The ADWARE ...VAPSUP showed as C:\windows\svpekgonwdn.dll and also as c:\windows\dwltqnmx.exe
So, I indicated for windows to remove all, because I didn’t care. And, the result was that all were removed.

Since I work all day and this is my home personal computer, I have only been able to work on trying to fix this Thursday and Friday nights, and I spent over 15 hours yesterday and all morning today just trying to fix things.

My problems have not stopped, so I did some researching on web and downloaded newest Spybot and ran it and it said the items were fixed - don't even think they were the same items, but I did not make a note of them. BTW, had tried to run Spybot and Lavasoft when I first got Vista and Vista would not let them work.

Again, the computer problems did not stop. NEXT, I called Norton 360 because I had just paid $79 for the full 360 service which includes “a year of online/chat support.” And, guess what? AFTER 1 hour on the phone with the tech--they wanted to
"escalate my problem" to a phone call with one of their removal experts and charge me $99! It did not matter that I had copies of their web site that shows they DEFEND AGAINST and PROVIDE SUPPORT for
spyware/adware/malware/virus/trojan. I am definitely going back to McAfee. (sorry for the rant about Norton, I am sure some people like it, but I am not happy with them right now)

I researched what else I could do. And, this was not easy because no matter whether I
used Firefox or IE, I kept getting complete computer freezes and/or the mean "warning" garbage popups all over the desktop. I was afraid to even go to "tech support" places online because I thought somehow things might get worse and didn’t know who to trust.

I was able to locate another file called "penytybw.exe" which was listed as "c:\Program Data\xgnifkjw\penytybw.exe." It was dated at the same time as when I first had the web site latching on to me and not letting go (4/2/08 pm). So, I disabled it from starting up.
I found instructions somewhere and logged on again as administrator and found this:

(user name)>DesktopVirii> (that was the ACTUAL NAME OF THE FOLDER!)
Within that folder were 5 items - all started out with:
Trojan-Downloader.Win32.Agent. (and then each one had a different extension and exe.)
Agent.bl.exe
Agent.p.exe
Agent.r.exe
Agent.t.exe
Agent.v.exe
I deleted the folder and all of them - they all had the date and time when I first started having problems.

Then I searched and deleted EVERYTHING that had the same date/time as those – there were 8 of these files:
DesktopEditor FKWP1.5.exe
DesktopEditorFKWP2.0.exe
Desktopfilemanagerclient.exe
Desktopfkwp1.5.exe
Desktopfkwp2.0.exe
Desktopfwebd.exe
DesktopFWebEditor.exe
DesktopTrojan.Win32.BlackBird.exe

I restarted and seemed like things were coming along, but THEN, I STILL started getting the popups. Oh - and I forgot to say before, but I *DID* disable the system restore before starting all this.

When I searched more on my computer – by DATE, I found 56 (FIFTY SIX!) files with the exactsame date and time as those before: They were all in c:\windows. They were just all strange names and I am actually too worn out to write them down, so i just left them.

I found one of the 56 files titled "rs.txt" - so I copied it to desktop, scanned with Norton (I don't know why, though!) and renamed it trash.doc and opened it. After the first 3 lines that showed:

redirect-settings
version:4
SAVE-dt:1075828488
Then, there were 648 lines of domain names with pornographi addresses!!)
Domain:(porn name.com)
(Ditto...648 different lines of different bad web sites!)

I have to say I feel helpless. I have no idea how to fix this and am feeling that I probably will have to just trash my laptop. Since I sort of trusted Spybot, I am here and found the post about hijack this. I went to the trend micro site. I figured at this point - what the heck is ONE MORE infection or trojen or whatever! Hijack this log follows. Again, I am so sorry for the LONG post/rant. If there is anyone that could possibly help me I would be forever grateful – and I sincerely mean that! THANKS FOR ANY HELP!

Here’s the hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:28 PM, on 4/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\DllHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {4ACCAF8C-0320-4321-9BE4-7B5B759CC66C} - C:\Windows\system32\wVpPGXnL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: stfngdvw - {505968FB-8A4C-4CAB-8EA1-A8D9C0B91DCA} - C:\Windows\stfngdvw.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\qkbpprnt.dll",b
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: APSHook.dll
O21 - SSODL: fkdnrwsv - {4CD0B89C-F7B0-4D52-9DFB-CB8C4A34CF4B} - C:\Windows\fkdnrwsv.dll
O21 - SSODL: sxfnewqb - {D1F866DA-259A-4349-9609-951FF42D1283} - C:\Windows\sxfnewqb.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
--
End of file - 10348 bytes

Rorschach112
2008-04-06, 22:27
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

taichi
2008-04-06, 23:13
Hi Rorschach,
THANK You for answering so quickly! I forgot to mention in my first post that I cannot seem to get Kaspersky program. From the link provided in Tashi's post:
" run an online scan with Kaspersky Online Scanner. You will be prom..."
this goes to: http://www.kaspersky.com/downloads/kws/kavwebscan.html

But I get a 404 not found each time I try to go there.

I will D/L and run the other two things you described and post back.

THANKS AGAIN!!!

taichi
2008-04-06, 23:54
Hi again,

I downloaded both of the programs you suggested and am posting the text results here. I forgot to turn off word-or text-wrapping, so i manually removed all the blank lines. Thank you for taking the time to help me! I appreciate it a lot! (Oops I just got the message error that the text is too long, so I will have to paste into separate messages.

** ** ** This is from SmitFraudFix ** ** **
SmitFraudFix v2.309
Scan done at 16:18:11.41, Sun 04/06/2008
Run from C:\Users\admin\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
::1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\Windows\stfngdvw.dll deleted.
C:\Windows\fkdnrwsv.dll deleted.
C:\Windows\sxfnewqb.dll deleted.
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A38E6249-9401-47BA-B584-0819D749C62C}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A38E6249-9401-47BA-B584-0819D749C62C}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A38E6249-9401-47BA-B584-0819D749C62C}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End

taichi
2008-04-06, 23:56
(continuation of results)
** ** ** THIS IS FROM DECKARDS MAIN** ** **
Deckard's System Scanner v20071014.68
Run by admin on 2008-04-06 16:31:11
Computer is in Normal Mode.
-------------------------------------------------------------------------------
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as admin.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:04 PM, on 4/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal
Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Users\admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\admin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {C45912A4-06FC-4CDA-AD59-3A4297D1E4C9} - C:\Windows\system32\wVpPGXnL.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\qkbpprnt.dll",b
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
--
End of file - 9337 bytes-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
S3 LLUSBFLT - c:\windows\system32\drivers\llusbflt.sys <Not Verified; Laplink Software, Inc.; Laplink FileMover>
S3 PLUsbbc2 (High-Speed USB Bridge Cable Driver) - c:\windows\system32\drivers\usbbc2.sys <Not Verified; Prolific Technology Inc.; High Speed USB-USB Bridge Cable Driver>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\program files\hp\quickplay\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
R2 PREVXAgent - "c:\program files\prevx2\pxagent.exe" -f <Not Verified; Prevx; Prevx-2>
R2 Vongo Service - c:\program files\vongo\vongoservice.exe <Not Verified; Starz Entertainment Group LLC; Vongo>
S2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.3) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
S2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\program files\hp\quickplay\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
(((More to come in next message)

taichi
2008-04-06, 23:57
(contin. of deckards main)
-- Scheduled Tasks -------------------------------------------------------------
2008-04-06 16:35:26 414 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{C7F94DEC-1365-4D53-AD72-194502AAB6C1}.job
-- Files created between 2008-03-06 and 2008-04-06 -----------------------------
2008-04-06 16:18:19 4926 --a------ C:\Windows\system32\tmp.reg
2008-04-06 16:17:32 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-04-06 16:17:32 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-06 16:17:32 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-06 16:17:32 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-06 16:17:32 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 16:17:32 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-06 16:17:32 51200 --a------ C:\Windows\system32\dumphive.exe
2008-04-06 12:57:37 0 d-------- C:\Program Files\Trend Micro
2008-04-06 10:58:31 85056 --a------ C:\Windows\system32\qkbpprnt.dll
2008-04-04 21:04:17 83520 --a------ C:\Windows\system32\ietqbvki.dll
2008-04-04 19:41:13 0 d-------- C:\Program Files\Windows Collaboration
2008-04-04 05:56:01 85056 -----n--- C:\Windows\system32\bbqeflcd.dll
2008-04-03 17:39:16 181597 --ahs---- C:\Windows\system32\LnXGPpVw.ini2
2008-04-03 17:39:11 268288 -----n--- C:\Windows\system32\wVpPGXnL.dll
2008-04-03 13:40:53 8445 --a------ C:\Windows\system32\urqPijKa.dll
2008-04-03 12:40:53 8445 --a------ C:\Windows\system32\fccdBTlj.dll
2008-04-03 11:40:41 8445 --a------ C:\Windows\system32\urqOFWnM.dll
2008-04-03 10:40:40 8445 --a------ C:\Windows\system32\mlJDurol.dll
2008-04-03 09:40:39 8445 --a------ C:\Windows\system32\fccbYPgH.dll
2008-04-03 08:40:39 8449 --a------ C:\Windows\system32\ddcArstR.dll
2008-04-03 08:38:00 94208 --a------ C:\Windows\system32\tizcrsxw.exe
2008-04-02 22:38:50 4096 --a------ C:\Windows\userconfig9x.dll
2008-04-02 22:38:50 4096 --a------ C:\Windows\system32winlogonpc.exe
2008-04-02 22:38:50 4096 --a------ C:\Windows\system32hoproxy.dll
2008-04-02 22:38:50 4096 --a------ C:\Windows\FVProtect.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\winsystem.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32WINWGPX.EXE
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32winsystem.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32vcatchpi.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32vbsys2.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32thun32.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32thun.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32temp#01.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32taack.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32taack.dat
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32sysreq.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32ssvchost.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32ssvchost.com
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32ssurf022.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32sncntr.exe
2008-04-02 22:38:49 0 d-------- C:\Windows\system32smp
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32Rundl1.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32regm64.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32regc64.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32psoft1.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32psof1.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32ps1.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32newsd32.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32netode.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32mwin32.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32mtr2.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32msvchost.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32mssecu.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32msnbho.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32msgp.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32medup020.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32medup012.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32hxiwlgpm.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32hxiwlgpm.dat
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32h@tkeysh@@k.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32emesx.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32dpcproxy.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32bsva-egihsg52.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32bdn.com
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32awtoolb.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32anticipator.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32akttzn.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\mssecu.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\iTunesMusic.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\bdn.com
2008-04-02 22:38:49 4096 --a------ C:\Windows\a.bat
2008-04-02 22:38:38 0 --a------ C:\Windows\system32\nnnmjgGy.dll
2008-04-02 22:38:34 102400 --a------ C:\Windows\system32\bufizelu.exe
2008-04-02 22:38:34 0 d-------- C:\Users\All Users\xgnifkjw
-- Find3M Report ---------------------------------------------------------------
2008-04-06 16:25:49 0 d-------- C:\Users\admin\AppData\Roaming\Corel
2008-04-06 16:18:19 35 --a------ C:\Users\admin\AppData\Roaming\SetValue.bat
2008-04-06 16:18:19 691 --a------ C:\Users\admin\AppData\Roaming\GetValue.vbs
2008-04-06 16:14:17 12 --a------ C:\Windows\bthservsdp.dat
2008-04-06 12:43:02 0 dr------- C:\Users\admin\AppData\Roaming\Brother
2008-04-06 12:40:27 0 d-------- C:\Users\admin\AppData\Roaming\Macromedia
2008-04-06 12:34:49 0 d-------- C:\Users\admin\AppData\Roaming\Talkback
2008-04-06 12:34:32 0 d-------- C:\Users\admin\AppData\Roaming\Mozilla
2008-04-04 19:50:04 0 d-------- C:\Program Files\ACT
2008-04-04 04:10:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-03 21:07:52 0 d-------- C:\Program Files\SPSS15
2008-04-03 21:01:59 340 --a------ C:\Windows\system32\lsprst7.dll
2008-04-03 18:15:01 0 d-------- C:\Program Files\Norton 360
2008-03-30 15:52:26 0 d-------- C:\Program Files\FirstClass
2008-03-23 13:30:20 0 d-------- C:\Program Files\Windows Mail
2008-03-09 18:03:32 73 --a------ C:\Windows\system32\ssprs.dll
2008-02-26 07:16:11 0 d-------- C:\Program Files\Prevx2
2008-02-23 09:42:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-23 09:40:52 0 d-------- C:\Program Files\Brother
2008-02-22 18:05:02 100 --a------ C:\Windows\system32\bd9420cn.dat
2008-02-22 17:32:46 0 d-------- C:\Program Files\ScanSoft
2008-02-22 17:32:45 0 d-------- C:\Program Files\Common Files
2008-02-12 16:40:59 0 d-------- C:\Program Files\Avery Wizard 3.1
2008-02-11 19:35:35 0 d-------- C:\Program Files\Common Files\Avery
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C45912A4-06FC-4CDA-AD59-3A4297D1E4C9}]
04/03/2008 05:39 PM 268288 --------- C:\Windows\system32\wVpPGXnL.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [10/30/2006 04:18 PM]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [07/19/2006 03:51 PM]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/10/2007 07:12 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [01/12/2007 11:36 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [05/14/2007 08:30 AM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [10/09/2006 04:43 PM]
"RtHDVCpl"="RtHDVCpl.exe" [03/09/2007 01:50 PM C:\Windows\RtHDVCpl.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [04/23/2007 09:11 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/13/2007 02:38 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [02/12/2007 10:37 AM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 04:18 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [02/17/2005 02:11 AM]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [03/12/2007 02:54 PM]
"CognizanceTS"="c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [12/22/2003 02:12 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 09:54 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [01/02/2008 06:07 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [01/02/2008 06:06 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [01/02/2008 06:07 PM]
"75f30f81"="C:\Windows\system32\qkbpprnt.dll" [04/06/2008 10:58 AM]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/14/2006 08:02 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/10/2008 08:02 AM]
"HPADVISOR"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [03/20/2007 06:23 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 08:36 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=APSHook.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ASWLNPkg
"Authentication Packages"= msv1_0 C:\Windows\system32\wVpPGXnL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
Cognizance ASBroker ASChannel
GPSvcGroup GPSvc
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
*Newly Created Service* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-04-06 16:38:47 ----------

taichi
2008-04-06, 23:59
(Deckards extra will have to be broken up, also - too long, sorry)

Results of Deckards extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English
CPU 0: Intel(R) Core(TM)2 Duo CPU T5250 @ 1.50GHz
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 2037.81 MiB / 1045.38 MiB
Pagefile Memory (total/avail): 4292.18 MiB / 3151.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1911.6 MiB
C: is Fixed (NTFS) - 178.03 GiB total, 139.7 GiB free.
D: is Fixed (NTFS) - 8.28 GiB total, 0 GiB free.
E: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - TOSHIBA MK2035GSS - 186.31 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 178.03 GiB - C:
\PARTITION1 - Installable File System - 8.28 GiB - D:
-- Security Center -------------------------------------------------------------
AUOptions is set to notify before install.
Windows Internal Firewall is disabled.
FW: Norton 360 v2007 (SYMANTEC Corporation)
AV: Norton 360 v2007 (SYMANTEC Corperation)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: Norton 360 v2007 (Symantec Corporation)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
""=""
"C:\\Program Files\\Vongo\\VongoService.exe"="C:\\Program Files\\Vongo\\VongoService.exe:*:enabled:VongoService"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\admin\AppData\Roaming
CLASSPATH=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=EAA-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\admin
LOCALAPPDATA=C:\Users\admin\AppData\Local
LOGONSERVER=\\EAA-PC
NUMBER_OF_PROCESSORS=2
OnlineServices=Online Services
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;c:\Program Files\Bioscrypt\VeriSoft\bin;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\IM;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\;C:\PROGRA~1\COMMON~1\Odbc\FILEMA~1;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\NeatReceipts\NeatOCR 2.0\;C:\Program Files\Common Files\NeatReceipts\Drivers\M12\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND=Pavilion
PLATFORM=MCD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\admin\AppData\Local\Temp
TMP=C:\Users\admin\AppData\Local\Temp
USERDOMAIN=EAA-PC
USERNAME=admin
USERPART=E:
USERPROFILE=C:\Users\admin
windir=C:\Windows
-- User Profiles ---------------------------------------------------------------
EAA (admin)
admin (admin)
Administrator (new local, admin, net ready)
-- Add/Remove Programs ---------------------------------------------------------
--> "C:\Program Files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\Blackhawk Striker 2\Uninstall.exe"
--> "C:\Program Files\HP Games\Blasterball 3\Uninstall.exe"
--> "C:\Program Files\HP Games\Bookworm Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\Bounce Symphony\Uninstall.exe"
--> "C:\Program Files\HP Games\Cake Mania\Uninstall.exe"
--> "C:\Program Files\HP Games\Chuzzle Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\Crystal Maze\Uninstall.exe"
--> "C:\Program Files\HP Games\Diner Dash\Uninstall.exe"
--> "C:\Program Files\HP Games\Family Feud\Uninstall.exe"
--> "C:\Program Files\HP Games\FATE\Uninstall.exe"
--> "C:\Program Files\HP Games\Final Drive Fury\Uninstall.exe"
--> "C:\Program Files\HP Games\Flip Words\Uninstall.exe"
--> "C:\Program Files\HP Games\Insaniquarium Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\Jewel Quest\Uninstall.exe"
--> "C:\Program Files\HP Games\Lemonade Tycoon 2\Uninstall.exe"
--> "C:\Program Files\HP Games\Mah Jong Quest\Uninstall.exe"
--> "C:\Program Files\HP Games\My HP Game Console\Uninstall.exe"
--> "C:\Program Files\HP Games\Otto\Uninstall.exe"
--> "C:\Program Files\HP Games\Penguins!\Uninstall.exe"
--> "C:\Program Files\HP Games\Phoenix Assault\Uninstall.exe"
--> "C:\Program Files\HP Games\Polar Bowler\Uninstall.exe"
--> "C:\Program Files\HP Games\Polar Golfer\Uninstall.exe"
--> "C:\Program Files\HP Games\Puzzle Express\Uninstall.exe"
--> "C:\Program Files\HP Games\SCRABBLE\Uninstall.exe"
--> "C:\Program Files\HP Games\Snowboard SuperJam\Uninstall.exe"
--> "C:\Program Files\HP Games\SpongeBob SquarePants Krabby Quest\Uninstall.exe"
--> "C:\Program Files\HP Games\Super Granny\Uninstall.exe"
--> "C:\Program Files\HP Games\Tradewinds\Uninstall.exe"
--> "C:\Program Files\HP Games\Wheel of Fortune\Uninstall.exe"
--> "C:\Program Files\HP Games\Zuma Deluxe\Uninstall.exe"
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\uninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL1.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2Wire Gateway --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F3301464-BA26-11D3-8D89-00D0B7218812}\setup.exe" -l0x9 FromAddRemove
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Reader for Pocket PC 2.0 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{291A772C-FFB9-4681-B720-AB2A0A620896}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
AMOS 5 --> MsiExec.exe /I{D396B329-3AE1-4521-BCD8-40FF13760546}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
ArcSoft Panorama Maker 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5F68DC8-0278-4AD8-B413-861509B5F25B}\Setup.exe" -l0x9
AuthenTec Fingerprint Sensor Minimum Install --> MsiExec.exe /I{B61B6668-A674-4A06-8405-51944D5CCDDD}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Avery Wizard 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{EB7A2041-6A16-4BAC-8079-43B985673C2C}
BCPS CAB Client --> MsiExec.exe /X{F1FC9D21-B054-4FB3-982B-93FE4252C2FB}
BellSouth® Communications Suite --> C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /UninstallStub /Script="BellSouthCommunicationsSuite.sc"
Better Homes and Gardens Home Designer Suite 7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A557D4C9-03AA-4806-80A7-227D2C8E4439}\setup.exe" -l0x9 -removeonly
Blue Squirrel ClickBook 9.0 --> "C:\Program Files\Blue Squirrel\ClickBook\unins000.exe"
Board Games --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Cosmi\Board Games\DeIsL1.isu" -c"C:\Program Files\Cosmi\Board Games\_ISREG32.DLL"
Broadcom Advanced Control Suite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
Broadcom ASF Management Applications --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{25D24E84-64A9-40D2-85CF-540B1C4A6D52} /l1033
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Brother Driver Deployment Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0ED38503-B69A-44B4-98BE-21BFF284A9B6}\setup.exe" -l0x9 -uninst -removeonly
Brother MFL-Pro Suite --> "C:\Program Files\InstallShield Installation Information\{51E89658-5D6B-4F0D-B72B-57863C3AD06C}\Setup.exe" -runfromtemp -l0x0009 Brunin03.dll -removeonly
Brother P-touch Editor 4.2 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{003447F5-0058-4B77-9C1E-50488F77C4A7}
Business Card Factory Deluxe 3.0 --> MsiExec.exe /X{BF953F1A-F946-4804-875D-94B6A6C05CE1}
Business Contact Manager for Outlook 2003 --> MsiExec.exe /I{66563AD8-637B-407F-BCA7-0233A16891AB}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Conexant D480 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
CorelDRAW Graphics Suite 12 --> MsiExec.exe /I{505AFDC0-5E72-4928-8368-5DEA385E3647}
CrossEyes --> C:\PROGRA~1\LEVIT&~1\CROSSE~1\UNWISE.EXE C:\PROGRA~1\LEVIT&~1\CROSSE~1\INSTALL.LOG
Cyber Chess --> C:\WINDOWS\uninst.exe -f"C:\Program Files\COSMI\Cyber Chess\DeIsL1.isu" -c"C:\Program Files\COSMI\Cyber Chess\_ISREG32.DLL"
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell TrueMobile 1300 WLAN Mini-PCI Card --> C:\WINDOWS\system32\BCMWLU00.exe verbose
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DivX 5.2.1 (Playback Only) --> C:\Program Files\DivX\DivXCodecUninstall.exe
Documents To Go --> MsiExec.exe /X{EB807EB6-5179-48B7-98D4-7B4934A57A81}
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
eListen --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D753FB0C-B42E-11D4-8918-00C04F7902A0}\Setup.exe" -l0x9
ESU for Microsoft Vista --> MsiExec.exe /X{1517A7CB-5F00-4A88-8F06-E89B6DB63784}
EXTRA! for SNA Server 32-bit --> C:\WINDOWS\uninst.exe -f"C:\Program Files\EXTRA!\DeIsL1.isu" -C"C:\Program Files\EXTRA!\uninstnt.dll"
FileMaker Pro 6 --> MsiExec.exe /I{58EDAD68-7839-42D8-A6AD-854A9ECB8224}
FirstClass® Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B35C417-2649-11D6-83D1-0050FC01225C}\setup.exe" -l0x9 -uninst
FirstClass® Palm Conduits --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A541055F-4A9B-11D7-83F0-0050FC01225C}\setup.exe" -l0x9 -uninst -c"C:\Program Files\Palm\Untext.dll"
GanttProject --> "C:\Program Files\GanttProject\uninstall.exe"
GearDrvs --> MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}
Genesys USB Mass Storage Device --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4BF87C8-3EEC-4774-82A2-584F109187B1}\Setup.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Greetings Workshop --> C:\Program Files\Greetings Workshop\SETUP\setup.exe
Hewlett-Packard Active Check for Health Check --> MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent for Health Check --> MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLM 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E43D7FC0-7179-11D1-9C88-006097B017D7}\setup.exe" -uninst
HLM6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E43D7FC0-8001-11D1-9D99-006097B017D7}\setup.exe" -uninst
HLM6.0 (Student Edition) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E43D7FC0-7279-11D1-9D99-006097B017D7}\Setup.exe" -uninst
HP Active Support Library --> C:\Program Files\InstallShield Installation Information\{290B83AA-093A-45BF-A917-D1C4A1E8D917}\setup.exe -runfromtemp -l0x0409
HP Active Support Library 32 bit components --> MsiExec.exe /I{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}
HP Customer Experience Enhancements --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9 -removeonly
HP Doc Viewer --> MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP Easy Setup - Frontend --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40F7AED3-0C7D-4582-99F6-484A515C73F2}\setup.exe" -l0x9 -removeonly
HP Help and Support --> MsiExec.exe /I{9061CEF2-51F5-42C9-8A70-9ED351C6597A}
HP Photosmart Essential 2.0 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Quick Launch Buttons 6.20 B1 --> C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe -runfromtemp -l0x0009 uninst
HP QuickPlay 3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe" -uninstall

taichi
2008-04-07, 00:01
(more of extra)
HP Total Care Advisor --> MsiExec.exe /X{F6B29003-A078-4491-AFBE-62EFB6CFFE19}
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HP User Guides 0057 --> MsiExec.exe /I{DDFD9BA2-8E26-4E49-92AE-882424DAB1BC}
HP Wireless Assistant --> MsiExec.exe /I{D32067CD-7409-4792-BFA0-1469BCD8F0C8}
HPNetworkAssistant --> MsiExec.exe /I{228C6B46-64E2-404E-898A-EF0830603EF4}
Intel Matrix Storage Manager --> C:\Windows\system32\imsmudlg.exe -uninstall
Intel(R) Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPAQ WebReg --> MsiExec.exe /I{D37C6152-89DF-4D29-83CF-666200D5F398}
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{78F4DFCE-1336-4027-BCB2-1A00C24A8653} /l1033
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
LISREL 8.7 Student --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1A6FBC0-56C8-11D1-9C50-006097B017D7}\Setup.exe" -uninst
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
McAfee VirusScan Enterprise --> MsiExec.exe /I{59224777-298D-4E9C-9AEB-4A91BDA01B27}
MediaFACE 4.01 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{41979C2F-34B8-4F92-8111-B13C5864682D} /l1033
MediaFACE 4.01 Image Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{82AF77BC-423D-42DA-BE5B-FFCA04752181} /l1033
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft .NET Framework 2.0 --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta 98 Encyclopedia --> RunDll32 C:\PROGRA~1\MI50D7~1\ENCART~1\UNENC98.DLL,Uninstall C:\PROGRA~1\MI50D7~1\ENCART~1\SETUP98\INST98.LOG
Microsoft FrontPage 2000 --> MsiExec.exe /I{00120409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (NR2007) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Keyboard --> MsiExec.exe /I{F63E8666-0F10-11D3-8258-00C04F6843FE}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Motorola SM56 Data Fax Modem --> rundll32.exe sm56co6a.dll,SM56UnInstaller
Mozilla Firefox (2.0.0.7) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSCU for Microsoft Vista --> MsiExec.exe /X{3FFB3B34-D639-4384-9AE9-DDE58430D86F}
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
muvee autoProducer 6.0 --> C:\Program Files\InstallShield Installation Information\{0BFC200F-C45D-4271-AF34-4CA969225DEB}\setup.exe -runfromtemp -l0x0009 -removeonly
My HP Games --> "C:\Program Files\HP Games\Uninstall.exe"
Neat OCR15 --> MsiExec.exe /I{226279A7-64EA-4F0F-897C-AC71596FF525}
NeatReceipts Database Controller --> MsiExec.exe /I{F5797F1E-0463-437D-950B-40C7DBA148AB}
NeatReceipts Professional 2.8 Core Files --> MsiExec.exe /I{22BD292E-5DCC-49C2-88E7-99FA2032DA2A}
NeatReceipts Professional v2.8.1 --> C:\Program Files\NeatReceipts Professional\uninstallNR.exe
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NHES 2001-03 ECB --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8604F043-E5A6-11D5-9F53-BC2B82F74458}\Setup.exe"
Nikon Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{40DA9A54-48CA-4A2C-AEAF-F67715BB046E}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_3_0_24\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Palm --> MsiExec.exe /X{ADAED43C-BBD9-42C5-8B21-F4FBFA81E3C3}
Palm Desktop --> MsiExec.exe /X{E89D78B8-28F7-412F-8B26-C684739CBBDC}
Paradox --> MsiExec.exe /I{D6540C25-6E4E-4DB0-B96D-989E257D9E5C}
PCFriendly --> C:\program files\PCFriendly\inuninst.exe
PCmover --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{EF1989B2-F482-49D3-BB19-7C81E3EAAB39}
PCmover --> MsiExec.exe /X{B139381C-6EDA-4FAC-BE08-E6A3DC4210CD}
PictureProject --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
PictureProject In Touch Downloader 1.0 --> C:\Program Files\PictureProject In Touch Downloader\uninst.exe
PIRLS2001 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5029EAE-C27C-11D7-9F53-0080C7595371}\setup.exe"
Pocket Quicken 2.5 for Pocket PC --> "C:\Windows\suinsta4001.exe" C:\Program Files\LandWare\Pocket Quicken 2.5 for Pocket PC\suninstall.dat
Prevx 2.0 Agent --> MsiExec.exe /X{752742F6-0F42-4BC4-965D-CCF3ADB42892}
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Roxio Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator Basic v9 --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator EasyArchive --> MsiExec.exe /I{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler 3 --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD Basic v9 --> MsiExec.exe /I{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}
screensaver_100 --> C:\WINDOWS\system32\screensaver_100.scr /u
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft .NET Framework 2.0 (KB917283) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {967B098A-042D-4367-BAC9-8BC11684174F} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Microsoft .NET Framework 2.0 (KB922770) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {0E92DD42-76F5-4EF2-B381-F9C1D72BE23D} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564) --> "C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398) --> "C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565) --> "C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734) --> "C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939) --> "C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422) --> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688) --> "C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588) --> "C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589) --> "C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235) --> "C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915) --> "C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812) --> "C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446) --> "C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281) --> "C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159) --> "C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899) --> "C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760) --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454) --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090) --> "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969) --> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SPSS 13.0 for Windows --> MsiExec.exe /X{DB8CEC42-30B1-4F49-BD06-9393EB81CCF7}
SPSS 15 Vista Hotfix --> MsiExec.exe /X{F5E44A35-B8D2-49BD-9608-E00798903151}
SPSS 15.0 for Windows --> MsiExec.exe /X{15B25E12-3E5F-4C13-A637-9EC72A55491E}

taichi
2008-04-07, 00:03
(last one!)
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
Symantec Technical Support Web Controls --> MsiExec.exe /X{20C53FA2-4307-4671-A93F-9463B29DFCF1}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Update for Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727) --> "C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update Manager --> MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
VeriSoft Access Manager --> rundll32.exe "c:\Program Files\Bioscrypt\VeriSoft\Bin\SetupHelper.dll",ExecMain /Uninstall {0ABA40AF-288D-41F1-B735-C5155692CD7D}
Vongo --> MsiExec.exe /X{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Genuine Advantage Notifications (KB905474) -->
Windows Installer 3.1 (KB893803) --> "C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803) --> "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Mobile Device Center --> MsiExec.exe /X{904CCF62-818D-4675-BC76-D37EB399F917}
Windows Mobile Device Center Driver Update --> MsiExec.exe /X{E7044E25-3038-4A76-9064-344AC038043E}
Windows XP Hotfix - KB873333 --> C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250 --> C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742 --> C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113 --> C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175 --> C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923 --> "C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066 --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086 --> "C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Service Pack 2 --> C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WordPerfect Office X3 --> MsiExec.exe /I{83FBD495-DDF6-4C8D-92D6-10261DD6F6A3}
Yahoo! Toolbar for Internet Explorer --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
-- Application Event Log -------------------------------------------------------
Event Record #/Type36882 / Error
Event Submitted/Written: 04/06/2008 04:26:01 PM
Event ID/Source: 5004 / McLogEvent
Event Description:
Could not contact Filter Driver.
Error = 0x2 : The system cannot find the file specified.
Event Record #/Type36880 / Success
Event Submitted/Written: 04/06/2008 04:25:58 PM
Event ID/Source: 5617 / WinMgmt
Event Description:
Event Record #/Type36879 / Success
Event Submitted/Written: 04/06/2008 04:25:57 PM
Event ID/Source: 5615 / WinMgmt
Event Description:
Event Record #/Type36876 / Warning
Event Submitted/Written: 04/06/2008 04:25:56 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance NR2007 is not valid.
Event Record #/Type36869 / Warning
Event Submitted/Written: 04/06/2008 04:25:17 PM
Event ID/Source: 4354 / EventSystem
Event Description:
80040210{AE0FD0BA-36CB-4B35-9547-EC96B527D9AC}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}ConnectionMadeNoQOCInfo
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type114251 / Error
Event Submitted/Written: 04/06/2008 04:25:09 PM
Event ID/Source: 23 / Print
Event Description:
Printer PaperPort Color Image failed to initialize because a suitable PaperPort Color Printer Driver driver could not be found. The new printer settings that you specified have not taken effect. Install or reinstall the printer driver. You might need to contact the vendor for an updated driver.
Event Record #/Type114250 / Error
Event Submitted/Written: 04/06/2008 04:25:09 PM
Event ID/Source: 72 / Print
Event Description:
Windows could not initialize printer PaperPort Color Image because the print processor PaperPort Processor could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.
Event Record #/Type114249 / Error
Event Submitted/Written: 04/06/2008 04:25:09 PM
Event ID/Source: 23 / Print
Event Description:
Printer PaperPort Black & White Image failed to initialize because a suitable PaperPort Mono Printer Driver driver could not be found. The new printer settings that you specified have not taken effect. Install or reinstall the printer driver. You might need to contact the vendor for an updated driver.
Event Record #/Type114248 / Error
Event Submitted/Written: 04/06/2008 04:25:09 PM
Event ID/Source: 72 / Print
Event Description:
Windows could not initialize printer PaperPort Black & White Image because the print processor PaperPort Processor could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.
Event Record #/Type114247 / Error
Event Submitted/Written: 04/06/2008 04:25:09 PM
Event ID/Source: 23 / Print
Event Description:
Printer HP DeskJet 722C failed to initialize because a suitable HP DeskJet 722C driver could not be found. The new printer settings that you specified have not taken effect. Install or reinstall the printer driver. You might need to contact the vendor for an updated driver.
-- End of Deckard's System Scanner: finished at 2008-04-06 16:38:47

Rorschach112
2008-04-07, 01:03
Hello

Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------


Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

taichi
2008-04-07, 02:48
Hi Rorschach,

Thanks for the speedy help! I just want to double check something first though. I wanted to make sure you know I have Windows Vista before I use ComboFix. This is because I read in Tashi’s post titled: “Before you post/” – section titled “preliminary notes” :


• “…Until a helper responds, the HJT log has not been analyzed. Please wait to be advised and don't run fixes until asked. ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision. This is especially important if your Operating System is Windows Vista!!

So, is it still okay for me to run ComboFix? If it is, then I will do so.

THANK YOU!
-tai

Rorschach112
2008-04-07, 03:42
Yes it is safe to run it don't worry :)

taichi
2008-04-07, 03:54
THANK YOU! I will do it now. I downloaded it already, and was waiting to hear from you.

taichi
2008-04-07, 04:53
Hi again, Rorschach. I'm sorry to be such a pain, but I cannot get Combo Fix to work. Would you see what happens and maybe have an idea what I should do next?

ComboFix is downloaded on desktop - no name change, all Norton AV and protection off, Windows defender, firewall, etc. are off. Turned off screen saver.
Here's what happens:
little blue box (looks like old command prompt box) opens and shows "Can't find message 0 x 8, wait while Combofix creates one." (words to that effect.
Then grey/white disclaimers about the information andhow it may or may not help, still procede...and answered yes. Next a tiny grey box that opens quickly, tellin gme to wait - preparing to run. Then a popup comes on showing that it is copying the System Registry "hive?" And a progress bar shows that it does that in just a few seconds.

Then that copy box closes, and absolutely nothing happens after that. I have not touched the mouse//touchpad. Also, I checked task mgr to see if
FINDSTR, FIND, SED, or SWREG were listed so I could end them, but they were not there.

C:\Combofix folder IS listed with about 97 files, but there is no "combofix.txt" no txt files.Also under root c drive
C:\
there is no "combofix.txt." file

Do you have any ideas what I could do next?
THANKS!!

Rorschach112
2008-04-07, 15:33
Can you reboot into Safe Mode and try run it from there

Let me know how that goes

taichi
2008-04-08, 03:13
Sorry, but I didnt see your message before now. Thanks - I'll try that.-tc

taichi
2008-04-08, 04:28
Hi Rorschach,
Sorry, I could not get ComboFix to work in safe mode either. Checked all task manager items such as windows defender, etc. to make sure they were not running, and they were not. The little DOS looking box comes up for about 2 seconds, then disappears, nothing runs.

Before I found your reply this evening, I did an advanced search by date that the problems began (4-2-2008) and found so many BAD files actually there were over 85 although maybe a couple were not bad. I researched some of them on network associates, what is this exe, bleeping computer, etc and files are terrible. :-( For example in my c:\windows directory

base64.tmp (found out this was a/k/a Netsky.q)
FVProtect.exe
itunesmusic.exe (an O23 entry)
mssecu.exe (virus along with bdn.com and winsystem.exe (all of which I have)
Rundl1.exe (note, it's NOT 2 L's at end, it's a lowercase L and a 1)
taack.dat (think it was part of Downloader Zblob?)
...... LOTS AND LOTS MORE

I still dont understand why neither Norton nor Windows Defender found any of these.

Is there anything else I can try? The online Kaspersky link didn't work for me, and ComboFix won't run.

This is so totally depressing! Why are people are so mean as to invent these nasty things? Just asking in case your name projects insight into the psyche? ;-)

As always, your help and advice are appreciated.

Rorschach112
2008-04-08, 19:11
They do it for the money :(

Don't worry I will have you clean in no time


Can you delete ComboFix.exe and re-download it from there again as it has been updated to solve the problem you had

Let me know how that goes

taichi
2008-04-09, 00:40
<< They do it for the money :(

Don't worry I will have you clean in no time
Can you delete ComboFix.exe and re-download it from there again as it has been updated to solve the problem you had

Let me know how that goes>>

Hi again,

So, they do this for the $$ ?? So sad.

Thanks so much for trying to help me -- AND for your patience! As you can tell there is no ComboFix log here.

I did following:
--deleted C:\ComboFix folder and the ComboFix.exe from desktop, emptied recycle bin
--re-downloaded CF from your previous post <<Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop>>
--first download was from the geeks to go site
--closed browser
--shut off windows defender and norton
--dbl click combofix.exe to run in "regular" windows mode
Result: the blue DOS box comes up and says a message is missing. Then it sits there and does nothing else.
--waited 10 minutes
--looked for combofix.txt (nothing there, of course -- but hey - maybe some programming miracle would happen)
--deleted the combofix file in C:\ComboFix
--restarted in Safe Mode
--dbl click to run in safe mode

SAFE MODE:
the blue DOS box came up, says message missing, but "created" one
--clicked Yes to agree to popup about license
--clicked Yes to agree probably wont work in x-however many computers
RESULT: With the blue DOS box still open, Combofix began the tiny "extracting" box, then the archiving "hive" registry, then the blue DOS box closed. Oh, and BTW this runs so FAST! But, nothing else happened. Waited 15 minutes -- computer is not even breathing! :(

** Deleted combofix from desktop and C:\Combofix folder, emptied recyle, etc.
** Restarted in regular mode, re-enabled norton & defender
-- Went back to this post and downloaded from the second site (bleeping computer)

Did the exact same steps as with the other Combo just described, and had the exact same results.

I cannot figure out why it won't work for me. I read the illustrated guide from bleeping computer, I followed all your instructions. I never touched the mouse or pad, etc -- even did everything very very slowly and carefully, but to no avail.

Is it possile that because Firefox is my default browser, it won't work? I honestly can't understand why it won't work for me. Or is that just a random thought?

Are there any other programs that I can use to try to remove all the trojans/virii/garbage and produce a log that you can use?

Is this the most annoying case or what?? So sorry it is not working as expected :::deep sigh::::

Thanks in advance for your advice, help, or sympathy! :)
-TC
PS Trying to find a bright spot or hidden value-lesson in this situation--
Maybe I will have to do a complete system restore and reinstall all my programs ---wooohooo!!
(think I must be getting delerious) ;)

Rorschach112
2008-04-09, 01:58
Na this is nothing, you should see one topic I'm on !

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



Then reboot and post a new DSS log

taichi
2008-04-09, 03:13
THANKS! I did what you said - d/l and ran vundo fix and new hijackthis.
Hope this is helpful! I'll go reboot and run the dss again and post the log.
-tc

Vundo Fix log of 4-8-08


VundoFix V7.0.3

Scan started at 19:22:53 2008-04-08

Listing files found while scanning....

C:\Windows\System32\LnXGPpVw.ini
C:\Windows\System32\LnXGPpVw.ini2
C:\Windows\System32\wVpPGXnL.dll

Beginning removal...


(Nothing else was there - did it work?)

*************************

New Hijack This Log run after vundo

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:04, on 2008-04-08
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {6A6AAEAB-6752-407F-AB19-30B486476303} - C:\Windows\system32\wVpPGXnL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\aajfsndd.dll",b
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
--
End of file - 9526 bytes

taichi
2008-04-09, 04:36
The dss took forever to do. For some reason, DSS did not want to work. It ran, but when it got to the end to make the two txt files, it just hung the computer - Notepad stopped responding and I could not get it to stop. Tried task manager several times.
Only the MAIN.txt was open - never the "Extra.txt."

So, when I finally restarted, a notice from Norton opened and said "have to reboot to continue removing Trojan.Vundo.B."
I had just rebooted. I let Norton reboot again, just in case.
This time on restart a popup from Norton showed:
"Norton 360 has encountered an internal problem, want more info?" I clicked No.

I ran DSS two more times and STILL no extra.txt, just the main.txt. I even ended Windows updates and defender and Norton, just in case.
I deleted Deckards program folder from c drive, and ran the DSS exe one more time.
I STILL only have a "main.txt" and not an extra. I will post that main.txt.

** Here are TWO NEW things that I hope is useful:
1. I took a screen shot of what Norton 360 has been doing and saved it as a jpg. If you want, I can upload it somewhere for you to see.
Basically, it shows that it removed these:
Trojan.Vundo 2008-0403 Virus
Trojan.Vundo 2008-04-04 Virus
Trojan.Vundo 2008-04-04 Virus
Tracking Cookie 2008-04-07 Cookie
Trojan.Vundo B 2008-04-08 Virus
Downloader 2008-04-08 Virus

2. I just received a popup from Windows update that's interesting - so I took a screen shot of it, too.
There are 7 (SEVEN!) "important updates" for Windows Vista that came out today (apparently in the past few hours)
I hope I typed all the knowledge base numbers correctly, but if
you want I can upload or send the screen shot, or, of course you already know where to find them on ms site.


Here are the 7:
Cumulative Sec. Update for IE 7 in Windows Vista KB 947864
Security update for Active X Killbits for Windows Vista KB 948881
Security Update for Windows Vista KB 941693
Security Update for Windows Vista KB 945553
Security Update for Windows Vista KB 948590
Update for Windows Vista KB938371
Windows Malicious Software Removal Tool April 2008 KB 890830

Below is the start of the main.txt -- I will put in as few as possible posts, so I'm not overloading the forum.
I have to get some sleep tonight, I am way behind on my first job, second job, sleep, and just in general because of this.

Thanks for helping! Have a good evening (morning).
-tc

Deckard's System Scanner v20071014.68
Run by admin on 2008-04-08 21:06:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as admin.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:06, on 2008-04-08
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Users\admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\admin.exe
(continued in next post)

taichi
2008-04-09, 04:38
(continuation of main.txt from DSS)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O2 - BHO: (no name) - {E6487AC4-9149-4FC8-81D4-694C3D07D8BB} - C:\Windows\system32\wVpPGXnL.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NeatReceipts Database Controller - Digital Business Processes - C:\Program Files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
--
End of file - 9254 bytes
-- Files created between 2008-03-08 and 2008-04-08 -----------------------------
2008-04-08 19:52:40 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-04-08 19:22:53 0 d-------- C:\VundoFix Backups
2008-04-07 19:24:04 0 d--h----- C:\Windows\PIF
2008-04-06 22:15:51 0 d-------- C:\Program Files\Windows Journal
2008-04-06 20:56:17 68096 --a------ C:\Windows\zip.exe
2008-04-06 20:56:17 49152 --a------ C:\Windows\VFind.exe
2008-04-06 20:56:17 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-06 20:56:17 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-06 20:56:17 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-06 20:56:17 98816 --a------ C:\Windows\sed.exe
2008-04-06 20:56:17 80412 --a------ C:\Windows\grep.exe
2008-04-06 20:56:17 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-06 16:18:19 4926 --a------ C:\Windows\system32\tmp.reg
2008-04-06 16:17:32 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-04-06 16:17:32 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-06 16:17:32 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-06 16:17:32 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-06 16:17:32 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 16:17:32 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-06 16:17:32 51200 --a------ C:\Windows\system32\dumphive.exe
2008-04-06 12:57:37 0 d-------- C:\Program Files\Trend Micro
2008-04-04 21:04:17 83520 --a------ C:\Windows\system32\ietqbvki.dll
2008-04-04 05:56:01 85056 -----n--- C:\Windows\system32\bbqeflcd.dll
2008-04-03 17:39:16 254713 --ahs---- C:\Windows\system32\LnXGPpVw.ini2
2008-04-03 17:39:11 268288 -----n--- C:\Windows\system32\wVpPGXnL.dll
2008-04-03 13:40:53 8445 --a------ C:\Windows\system32\urqPijKa.dll
2008-04-03 12:40:53 8445 --a------ C:\Windows\system32\fccdBTlj.dll
2008-04-03 11:40:41 8445 --a------ C:\Windows\system32\urqOFWnM.dll
2008-04-03 10:40:40 8445 --a------ C:\Windows\system32\mlJDurol.dll
2008-04-03 09:40:39 8445 --a------ C:\Windows\system32\fccbYPgH.dll
2008-04-03 08:40:39 8449 --a------ C:\Windows\system32\ddcArstR.dll
2008-04-02 22:38:50 4096 --a------ C:\Windows\userconfig9x.dll
2008-04-02 22:38:50 4096 --a------ C:\Windows\system32winlogonpc.exe
2008-04-02 22:38:50 4096 --a------ C:\Windows\system32hoproxy.dll
2008-04-02 22:38:50 4096 --a------ C:\Windows\FVProtect.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\winsystem.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32WINWGPX.EXE
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32winsystem.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32vcatchpi.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32vbsys2.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32thun32.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32thun.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32temp#01.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32taack.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32taack.dat
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32sysreq.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32ssvchost.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32ssvchost.com
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32ssurf022.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32sncntr.exe
2008-04-02 22:38:49 0 d-------- C:\Windows\system32smp
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32Rundl1.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32regm64.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32regc64.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32psoft1.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32psof1.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32ps1.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32newsd32.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32netode.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32mwin32.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32mtr2.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32msvchost.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32mssecu.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32msnbho.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32msgp.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32medup020.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32medup012.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32hxiwlgpm.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32hxiwlgpm.dat
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32h@tkeysh@@k.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32emesx.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32dpcproxy.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32bsva-egihsg52.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32bdn.com
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32awtoolb.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32anticipator.dll
2008-04-02 22:38:49 4096 --a------ C:\Windows\system32akttzn.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\mssecu.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\iTunesMusic.exe
2008-04-02 22:38:49 4096 --a------ C:\Windows\bdn.com
2008-04-02 22:38:49 4096 --a------ C:\Windows\a.bat
2008-04-02 22:38:34 102400 --a------ C:\Windows\system32\bufizelu.exe
2008-04-02 22:38:34 0 d-------- C:\Users\All Users\xgnifkjw
-- Find3M Report ---------------------------------------------------------------
2008-04-08 20:37:48 12 --a------ C:\Windows\bthservsdp.dat
2008-04-07 23:41:30 0 d-------- C:\Users\admin\AppData\Roaming\Symantec
2008-04-06 22:15:50 0 d-------- C:\Program Files\Microsoft Games
2008-04-06 16:25:49 0 d-------- C:\Users\admin\AppData\Roaming\Corel
2008-04-06 16:18:19 35 --a------ C:\Users\admin\AppData\Roaming\SetValue.bat
2008-04-06 16:18:19 691 --a------ C:\Users\admin\AppData\Roaming\GetValue.vbs
2008-04-06 12:43:02 0 dr------- C:\Users\admin\AppData\Roaming\Brother
2008-04-06 12:40:27 0 d-------- C:\Users\admin\AppData\Roaming\Macromedia
2008-04-06 12:34:49 0 d-------- C:\Users\admin\AppData\Roaming\Talkback
2008-04-06 12:34:32 0 d-------- C:\Users\admin\AppData\Roaming\Mozilla
2008-04-04 19:50:04 0 d-------- C:\Program Files\ACT
2008-04-04 04:10:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-03 21:07:52 0 d-------- C:\Program Files\SPSS15
2008-04-03 21:01:59 340 --a------ C:\Windows\system32\lsprst7.dll
2008-04-03 18:15:01 0 d-------- C:\Program Files\Norton 360
2008-03-30 15:52:26 0 d-------- C:\Program Files\FirstClass
2008-03-23 13:30:20 0 d-------- C:\Program Files\Windows Mail
2008-03-09 18:03:32 73 --a------ C:\Windows\system32\ssprs.dll
2008-02-26 07:16:11 0 d-------- C:\Program Files\Prevx2
2008-02-23 09:42:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-23 09:40:52 0 d-------- C:\Program Files\Brother
2008-02-22 18:05:02 100 --a------ C:\Windows\system32\bd9420cn.dat
2008-02-22 17:32:46 0 d-------- C:\Program Files\ScanSoft
2008-02-22 17:32:45 0 d-------- C:\Program Files\Common Files
2008-02-12 16:40:59 0 d-------- C:\Program Files\Avery Wizard 3.1
2008-02-11 19:35:35 0 d-------- C:\Program Files\Common Files\Avery
(continued in next post)

taichi
2008-04-09, 04:39
(continuation of dss main.txt)
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6487AC4-9149-4FC8-81D4-694C3D07D8BB}]
2008-04-03 17:39 268288 --------- C:\Windows\system32\wVpPGXnL.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-10-30 16:18]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 15:51]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 19:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 23:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-05-14 08:30]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 16:43]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 13:50 C:\Windows\RtHDVCpl.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-04-23 21:11]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 14:38]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 10:37]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 16:18]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 14:54]
"CognizanceTS"="c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-22 14:12]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 18:07]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 18:06]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 18:07]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-14 08:02]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 08:02]
"HPADVISOR"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 18:23]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 08:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ASWLNPkg
"Authentication Packages"= msv1_0 C:\Windows\system32\wVpPGXnL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
Cognizance ASBroker ASChannel
GPSvcGroup GPSvc
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2008-04-08 21:06:29 ------------

Rorschach112
2008-04-09, 15:38
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {6A6AAEAB-6752-407F-AB19-30B486476303} - C:\Windows\system32\wVpPGXnL.dll
O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\aajfsndd.dll",b


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\Windows\system32\wVpPGXnL.dll
C:\Windows\system32\aajfsndd.dll
C:\Windows\system32\ietqbvki.dll
C:\Windows\system32\bbqeflcd.dll
C:\Windows\system32\LnXGPpVw.ini2
C:\Windows\system32\wVpPGXnL.dll
C:\Windows\system32\urqPijKa.dll
C:\Windows\system32\fccdBTlj.dll
C:\Windows\system32\urqOFWnM.dll
C:\Windows\system32\mlJDurol.dll
C:\Windows\system32\fccbYPgH.dll
C:\Windows\system32\ddcArstR.dll
C:\Windows\userconfig9x.dll
C:\Windows\system32winlogonpc.exe
C:\Windows\system32hoproxy.dll
C:\Windows\FVProtect.exe
C:\Windows\winsystem.exe
C:\Windows\system32WINWGPX.EXE
C:\Windows\system32winsystem.exe
C:\Windows\system32vcatchpi.dll
C:\Windows\system32vbsys2.dll
C:\Windows\system32thun32.dll
C:\Windows\system32thun.dll
C:\Windows\system32temp#01.exe
C:\Windows\system32taack.exe
C:\Windows\system32taack.dat
C:\Windows\system32sysreq.exe
C:\Windows\system32ssvchost.exe
C:\Windows\system32ssvchost.com
C:\Windows\system32ssurf022.dll
C:\Windows\system32sncntr.exe
C:\Windows\system32Rundl1.exe
C:\Windows\system32regm64.dll
C:\Windows\system32regc64.dll
C:\Windows\system32psoft1.exe
C:\Windows\system32psof1.exe
C:\Windows\system32ps1.exe
C:\Windows\system32newsd32.exe
C:\Windows\system32netode.exe
C:\Windows\system32mwin32.exe
C:\Windows\system32mtr2.exe
C:\Windows\system32msvchost.exe
C:\Windows\system32mssecu.exe
C:\Windows\system32msnbho.dll
C:\Windows\system32msgp.exe
C:\Windows\system32medup020.dll
C:\Windows\system32medup012.dll
C:\Windows\system32hxiwlgpm.exe
C:\Windows\system32hxiwlgpm.dat
C:\Windows\system32h@tkeysh@@k.dll
C:\Windows\system32emesx.dll
C:\Windows\system32dpcproxy.exe
C:\Windows\system32bsva-egihsg52.exe
C:\Windows\system32bdn.com
C:\Windows\system32awtoolb.dll
C:\Windows\system32anticipator.dll
C:\Windows\system32akttzn.exe
C:\Windows\mssecu.exe
C:\Windows\iTunesMusic.exe
C:\Windows\bdn.com
C:\Windows\a.bat
C:\Windows\system32\bufizelu.exe
C:\Windows\system32\lsprst7.dll

Folders to delete:
C:\Users\All Users\xgnifkjw
C:\Windows\system32smp

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log by using Add/Reply

taichi
2008-04-10, 01:35
<<<Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {6A6AAEAB-6752-407F-AB19-30B486476303} - C:\Windows\system32\wVpPGXnL.dll
O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\aajfsndd.dll",b

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis. >>

Hi Rorschach! Thanks!!!
I have a quick question before I make things worse (if that's possible)!

I did not have that exact O2 BHO (no name)..... with numbers in braces,
but, I did have the one I highlighted below. I did NOT check it or have it fixed.

Should I run HJT again and have that one fixed?
Also, I never found the 04 HKLM thing called "aajfsndd.dll",b
I only copied my log up to the end of 04 listings, to save time/space.

If it's okay to check and have Hijack fix the o2....wVpPGXnl.dll that I do have -- then I'll procede and finish with the avenger.

Thanks!!
-tc


Logfile of Trend Micro H

ijackThis v2.0.2
Scan saved at 18:19, on 2008-04-09
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {8BE26F13-F5BD-4256-A998-CBFBA8721C60} - C:\Windows\system32\wVpPGXnL.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

taichi
2008-04-10, 08:27
Rorschach, I hope this was okay.
1. I went ahead and just ran the Avenger, without running the Hijack this and remove the one item I wasn't sure about. Pasted the script into the Avenger and ran it. Avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Windows\system32\wVpPGXnL.dll" deleted successfully.

Error: file "C:\Windows\system32\aajfsndd.dll" not found!
Deletion of file "C:\Windows\system32\aajfsndd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\system32\ietqbvki.dll" deleted successfully.

Error: file "C:\Windows\system32\bbqeflcd.dll" not found!
Deletion of file "C:\Windows\system32\bbqeflcd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\system32\LnXGPpVw.ini2" deleted successfully.

Error: file "C:\Windows\system32\wVpPGXnL.dll" not found!
Deletion of file "C:\Windows\system32\wVpPGXnL.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\system32\urqPijKa.dll" deleted successfully.
File "C:\Windows\system32\fccdBTlj.dll" deleted successfully.
File "C:\Windows\system32\urqOFWnM.dll" deleted successfully.
File "C:\Windows\system32\mlJDurol.dll" deleted successfully.
File "C:\Windows\system32\fccbYPgH.dll" deleted successfully.
File "C:\Windows\system32\ddcArstR.dll" deleted successfully.
File "C:\Windows\userconfig9x.dll" deleted successfully.
File "C:\Windows\system32winlogonpc.exe" deleted successfully.
File "C:\Windows\system32hoproxy.dll" deleted successfully.
File "C:\Windows\FVProtect.exe" deleted successfully.
File "C:\Windows\winsystem.exe" deleted successfully.
File "C:\Windows\system32WINWGPX.EXE" deleted successfully.
File "C:\Windows\system32winsystem.exe" deleted successfully.
File "C:\Windows\system32vcatchpi.dll" deleted successfully.
File "C:\Windows\system32vbsys2.dll" deleted successfully.
File "C:\Windows\system32thun32.dll" deleted successfully.
File "C:\Windows\system32thun.dll" deleted successfully.
File "C:\Windows\system32temp#01.exe" deleted successfully.
File "C:\Windows\system32taack.exe" deleted successfully.
File "C:\Windows\system32taack.dat" deleted successfully.
File "C:\Windows\system32sysreq.exe" deleted successfully.
File "C:\Windows\system32ssvchost.exe" deleted successfully.
File "C:\Windows\system32ssvchost.com" deleted successfully.
File "C:\Windows\system32ssurf022.dll" deleted successfully.
File "C:\Windows\system32sncntr.exe" deleted successfully.
File "C:\Windows\system32Rundl1.exe" deleted successfully.
File "C:\Windows\system32regm64.dll" deleted successfully.
File "C:\Windows\system32regc64.dll" deleted successfully.
File "C:\Windows\system32psoft1.exe" deleted successfully.
File "C:\Windows\system32psof1.exe" deleted successfully.
File "C:\Windows\system32ps1.exe" deleted successfully.
File "C:\Windows\system32newsd32.exe" deleted successfully.
File "C:\Windows\system32netode.exe" deleted successfully.
File "C:\Windows\system32mwin32.exe" deleted successfully.
File "C:\Windows\system32mtr2.exe" deleted successfully.
File "C:\Windows\system32msvchost.exe" deleted successfully.
File "C:\Windows\system32mssecu.exe" deleted successfully.
File "C:\Windows\system32msnbho.dll" deleted successfully.
File "C:\Windows\system32msgp.exe" deleted successfully.
File "C:\Windows\system32medup020.dll" deleted successfully.
File "C:\Windows\system32medup012.dll" deleted successfully.
File "C:\Windows\system32hxiwlgpm.exe" deleted successfully.
File "C:\Windows\system32hxiwlgpm.dat" deleted successfully.
File "C:\Windows\system32h@tkeysh@@k.dll" deleted successfully.
File "C:\Windows\system32emesx.dll" deleted successfully.
File "C:\Windows\system32dpcproxy.exe" deleted successfully.
File "C:\Windows\system32bsva-egihsg52.exe" deleted successfully.
File "C:\Windows\system32bdn.com" deleted successfully.
File "C:\Windows\system32awtoolb.dll" deleted successfully.
File "C:\Windows\system32anticipator.dll" deleted successfully.
File "C:\Windows\system32akttzn.exe" deleted successfully.
File "C:\Windows\mssecu.exe" deleted successfully.
File "C:\Windows\iTunesMusic.exe" deleted successfully.
File "C:\Windows\bdn.com" deleted successfully.
File "C:\Windows\a.bat" deleted successfully.
File "C:\Windows\system32\bufizelu.exe" deleted successfully.
File "C:\Windows\system32\lsprst7.dll" deleted successfully.

Error: could not open folder "C:\Users\All Users\xgnifkjw"
Deletion of folder "C:\Users\All Users\xgnifkjw" failed!
Status: 0xc0000715

Folder "C:\Windows\system32smp" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


2. Then I ran DSS again & here is MAIN.txt (again no Extra txt was produced). Log follows:
Deckard's System Scanner v20071014.68
Run by admin on 2008-04-10 01:14:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as admin.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:02 AM, on 4/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Users\admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\admin.exe
(continued in next post)

taichi
2008-04-10, 08:29
(continuation of DSS)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\nvrntqkv.dll",b
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
--
End of file - 8318 bytes
-- Files created between 2008-03-10 and 2008-04-10 -----------------------------
2008-04-09 23:41:37 84544 --a------ C:\Windows\system32\nvrntqkv.dll
2008-04-09 23:39:16 3648 --a------ C:\Windows\system32\cvjedahi.dll
2008-04-08 19:52:40 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-04-08 19:22:53 0 d-------- C:\VundoFix Backups
2008-04-07 19:24:04 0 d--h----- C:\Windows\PIF
2008-04-06 22:15:51 0 d-------- C:\Program Files\Windows Journal
2008-04-06 20:56:17 68096 --a------ C:\Windows\zip.exe
2008-04-06 20:56:17 49152 --a------ C:\Windows\VFind.exe
2008-04-06 20:56:17 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-06 20:56:17 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-06 20:56:17 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-06 20:56:17 98816 --a------ C:\Windows\sed.exe
2008-04-06 20:56:17 80412 --a------ C:\Windows\grep.exe
2008-04-06 20:56:17 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-06 16:18:19 4926 --a------ C:\Windows\system32\tmp.reg
2008-04-06 16:17:32 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-04-06 16:17:32 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-06 16:17:32 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-06 16:17:32 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-06 16:17:32 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 16:17:32 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-06 16:17:32 51200 --a------ C:\Windows\system32\dumphive.exe
2008-04-06 12:57:37 0 d-------- C:\Program Files\Trend Micro
2008-04-02 22:38:34 0 d-------- C:\Users\All Users\xgnifkjw
-- Find3M Report ---------------------------------------------------------------
2008-04-10 01:00:38 12 --a------ C:\Windows\bthservsdp.dat
2008-04-09 22:42:26 0 d-------- C:\Users\admin\AppData\Roaming\PeerNetworking
2008-04-07 23:41:30 0 d-------- C:\Users\admin\AppData\Roaming\Symantec
2008-04-06 22:15:50 0 d-------- C:\Program Files\Microsoft Games
2008-04-06 16:25:49 0 d-------- C:\Users\admin\AppData\Roaming\Corel
2008-04-06 16:18:19 35 --a------ C:\Users\admin\AppData\Roaming\SetValue.bat
2008-04-06 16:18:19 691 --a------ C:\Users\admin\AppData\Roaming\GetValue.vbs
2008-04-06 12:43:02 0 dr------- C:\Users\admin\AppData\Roaming\Brother
2008-04-06 12:40:27 0 d-------- C:\Users\admin\AppData\Roaming\Macromedia
2008-04-06 12:34:49 0 d-------- C:\Users\admin\AppData\Roaming\Talkback
2008-04-06 12:34:32 0 d-------- C:\Users\admin\AppData\Roaming\Mozilla
2008-04-04 19:50:04 0 d-------- C:\Program Files\ACT
2008-04-04 04:10:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-03 21:07:52 0 d-------- C:\Program Files\SPSS15
2008-04-03 18:15:01 0 d-------- C:\Program Files\Norton 360
2008-03-30 15:52:26 0 d-------- C:\Program Files\FirstClass
2008-03-23 13:30:20 0 d-------- C:\Program Files\Windows Mail
2008-03-09 18:03:32 73 --a------ C:\Windows\system32\ssprs.dll
2008-02-26 07:16:11 0 d-------- C:\Program Files\Prevx2
2008-02-23 09:42:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-23 09:40:52 0 d-------- C:\Program Files\Brother
2008-02-22 18:05:02 100 --a------ C:\Windows\system32\bd9420cn.dat
2008-02-22 17:32:46 0 d-------- C:\Program Files\ScanSoft
2008-02-22 17:32:45 0 d-------- C:\Program Files\Common Files
2008-02-12 16:40:59 0 d-------- C:\Program Files\Avery Wizard 3.1
2008-02-11 19:35:35 0 d-------- C:\Program Files\Common Files\Avery
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [10/30/2006 04:18 PM]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/10/2007 07:12 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [01/12/2007 11:36 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [05/14/2007 08:30 AM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [10/09/2006 04:43 PM]
"RtHDVCpl"="RtHDVCpl.exe" [03/09/2007 01:50 PM C:\Windows\RtHDVCpl.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [04/23/2007 09:11 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/13/2007 02:38 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [02/12/2007 10:37 AM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 04:18 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [02/17/2005 02:11 AM]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [03/12/2007 02:54 PM]
"CognizanceTS"="c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [12/22/2003 02:12 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 09:54 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [01/02/2008 06:07 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [01/02/2008 06:06 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [01/02/2008 06:07 PM]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/14/2006 08:02 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"75f30f81"="C:\Windows\system32\nvrntqkv.dll" [04/09/2008 11:41 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 08:36 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ASWLNPkg
"Authentication Packages"= msv1_0 C:\Windows\system32\wVpPGXnL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
Cognizance ASBroker ASChannel
GPSvcGroup GPSvc
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-04-10 01:14:29

[B]------------ (next did Hijack this and saw the "file missing" message...sooo. see next reply..

taichi
2008-04-10, 08:32
Last post)

4. So I used Hijack this, system scan only, checked the wVpPGXnL.dll that I had available, and said fix it. New log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:52 AM, on 4/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\nvrntqkv.dll",b
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 8334 bytes


[B]Do you think this helped? I HOPE SO!

THANKS!!!!!!!!!!!!!!!!!!!!

taichi
2008-04-10, 13:50
Good morning!

Two more things:
1. Windows automatic important update for the malicious software removal tool found and removed
Trojan:Win32/Vundo.gen!D
this morning.
There's a huge long list of other malware, but the scan tool popup window shows "Not infected."
If you know where the log is for Windows tool, I could send a copy of that, too.

2, I forgot to mention, but a day or two ago, while running one of the programs or in between - I dont recall --I have no desktop wallpaper now at all - everything is black. I've been in control panel, and there are are no icons or patterns or anything - just blank spaces where little thumbnails of the wallpaper used to be. And, although I can see most icons on my desktop - some are just transparent.

Just thought I'd mention this because I recall deleting that "desktop blackbird.jpg" thing that one of trojans had been looking for.

Thanks in advance for your help,
Have a neat day!
-tc

Rorschach112
2008-04-10, 19:40
Hello

Rename HijackThis.exe to taichi.exe


1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\nvrntqkv.dll",b


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\Windows\system32\nvrntqkv.dll
C:\Windows\system32\cvjedahi.dll
C:\Users\All Users\xgnifkjw
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00


Then double click on the fix.reg file, when it prompts to merge click "Yes".



Reboot and post a new DSS log

taichi
2008-04-11, 01:02
Hi Rorschach!
Thanks for the details instructions on my next steps! I'll work on it right now and post the items you need.
-tc

taichi
2008-04-11, 01:58
Hello
Rename HijackThis.exe to taichi.exe
Did

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
O4 - HKLM\..\Run: [75f30f81] rundll32.exe "C:\Windows\system32\nvrntqkv.dll",b
Did. File not there.

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please download the OTMoveIt2 by OldTimer.
• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
[kill explorer]
C:\Windows\system32\nvrntqkv.dll
C:\Windows\system32\cvjedahi.dll
C:\Users\All Users\xgnifkjw
purity
[start explorer]
• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Did. No problems with moving files, not have to reboot.
Backup Your Registry with ERUNT
• Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
• For version with the Installer:
Use the setup program to install ERUNT on your computer
• For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe
Did. ** Note, although, ERUNT says it is only for Windows 2000, XP, NT, etc., I had no problems running on the Vista.

Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00

Then double click on the fix.reg file, when it prompts to merge click "Yes".
Did.

Reboot and post a new DSS log
Ooops! I ran DSS before rebooting.
Then, I rebooted and ran it again. Logs are below for the OT move it and DSS.
Do you think my laptop is getting better?

I owe you so much – you’ve spent so much time trying to help me! I been telling everyone at work about my problems with this Trojan/downloader/malware,etc., and everything you’ve been doing to try to help. Also--how much I’ve learned in the past week. Several of them are following my progress on these forums every night! (must not be anything interesting on TV) ;)
---Thanks! Gracias! Merci! Danke! AGAIN!
-tc
PS Do you ever have nightmares about all the malware/trojans? Just curious. :)

LOG OF OT MOVE IT

Explorer killed successfully
File/Folder C:\Windows\system32\nvrntqkv.dll not found.
DllUnregisterServer procedure not found in C:\Windows\system32\cvjedahi.dll
C:\Windows\system32\cvjedahi.dll NOT unregistered.
C:\Windows\system32\cvjedahi.dll moved successfully.
C:\Users\All Users\xgnifkjw moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04102008_181201

LOG OF DSS after reboot
Deckard's System Scanner v20071014.68
Run by admin on 2008-04-10 18:32:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:56 PM, on 4/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\admin\Desktop\9 DECKARDS STUFF 4-9-08\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\admin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
--
End of file - 8395 bytes
-- Files created between 2008-03-10 and 2008-04-10 -----------------------------
2008-04-08 19:52:40 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-04-08 19:22:53 0 d-------- C:\VundoFix Backups
2008-04-07 19:24:04 0 d--h----- C:\Windows\PIF
2008-04-06 22:15:51 0 d-------- C:\Program Files\Windows Journal
2008-04-06 20:56:17 68096 --a------ C:\Windows\zip.exe
2008-04-06 20:56:17 49152 --a------ C:\Windows\VFind.exe
2008-04-06 20:56:17 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-06 20:56:17 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-06 20:56:17 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-06 20:56:17 98816 --a------ C:\Windows\sed.exe
2008-04-06 20:56:17 80412 --a------ C:\Windows\grep.exe
2008-04-06 20:56:17 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-06 16:18:19 4926 --a------ C:\Windows\system32\tmp.reg
2008-04-06 16:17:32 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-04-06 16:17:32 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-06 16:17:32 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-06 16:17:32 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-06 16:17:32 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 16:17:32 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-06 16:17:32 51200 --a------ C:\Windows\system32\dumphive.exe
2008-04-06 12:57:37 0 d-------- C:\Program Files\Trend Micro
-- Find3M Report ---------------------------------------------------------------
2008-04-10 18:29:21 12 --a------ C:\Windows\bthservsdp.dat
2008-04-09 22:42:26 0 d-------- C:\Users\admin\AppData\Roaming\PeerNetworking
2008-04-07 23:41:30 0 d-------- C:\Users\admin\AppData\Roaming\Symantec
2008-04-06 22:15:50 0 d-------- C:\Program Files\Microsoft Games
2008-04-06 16:25:49 0 d-------- C:\Users\admin\AppData\Roaming\Corel
2008-04-06 16:18:19 35 --a------ C:\Users\admin\AppData\Roaming\SetValue.bat
2008-04-06 16:18:19 691 --a------ C:\Users\admin\AppData\Roaming\GetValue.vbs
2008-04-06 12:43:02 0 dr------- C:\Users\admin\AppData\Roaming\Brother
2008-04-06 12:40:27 0 d-------- C:\Users\admin\AppData\Roaming\Macromedia
2008-04-06 12:34:49 0 d-------- C:\Users\admin\AppData\Roaming\Talkback
2008-04-06 12:34:32 0 d-------- C:\Users\admin\AppData\Roaming\Mozilla
2008-04-04 19:50:04 0 d-------- C:\Program Files\ACT
2008-04-04 04:10:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-03 21:07:52 0 d-------- C:\Program Files\SPSS15
2008-04-03 18:15:01 0 d-------- C:\Program Files\Norton 360
2008-03-30 15:52:26 0 d-------- C:\Program Files\FirstClass
2008-03-23 13:30:20 0 d-------- C:\Program Files\Windows Mail
2008-03-09 18:03:32 73 --a------ C:\Windows\system32\ssprs.dll
2008-02-26 07:16:11 0 d-------- C:\Program Files\Prevx2
2008-02-23 09:42:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-23 09:40:52 0 d-------- C:\Program Files\Brother
2008-02-22 18:05:02 100 --a------ C:\Windows\system32\bd9420cn.dat
2008-02-22 17:32:46 0 d-------- C:\Program Files\ScanSoft
2008-02-22 17:32:45 0 d-------- C:\Program Files\Common Files
2008-02-12 16:40:59 0 d-------- C:\Program Files\Avery Wizard 3.1
2008-02-11 19:35:35 0 d-------- C:\Program Files\Common Files\Avery
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [10/30/2006 04:18 PM]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/10/2007 07:12 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [01/12/2007 11:36 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [05/14/2007 08:30 AM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [10/09/2006 04:43 PM]
"RtHDVCpl"="RtHDVCpl.exe" [03/09/2007 01:50 PM C:\Windows\RtHDVCpl.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [04/23/2007 09:11 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/13/2007 02:38 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [02/12/2007 10:37 AM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 04:18 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [02/17/2005 02:11 AM]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [03/12/2007 02:54 PM]
"CognizanceTS"="c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [12/22/2003 02:12 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 09:54 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [01/02/2008 06:07 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [01/02/2008 06:06 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [01/02/2008 06:07 PM]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/14/2006 08:02 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 08:36 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
Cognizance ASBroker ASChannel
GPSvcGroup GPSvc
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2008-04-10 18:33:23 ------------

Rorschach112
2008-04-11, 17:00
Your logs are clean ! We need to do a few things

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png




Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.




You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.

taichi
2008-04-12, 02:48
<<Your logs are clean ! We need to do a few things>>

******** YAY *******************

THANK YOU THANK YOU THANK YOU Rorschach!!!!

Before I start the procedures you described, I have some last questions, if you don’t mind? I want to be sure I don’t mess up at this point! Here are my concerns:

1. “Left-over strange items”

[SIZE="4"]I was curious about the different programs, executables, dlls, etc. that were listed in my DSS log that were strange to me. When I googled several of the ones I did not recognize, Prevx web site nearly always described each one as malware, unpredictable, unknown, etc. The following items are from my most recent DSS log file. These are the items I am concerned about. They appear just above the CL\Program files\Trend Micro and the Find 3MReport in the log.

2008-04-06 16:18:19 4926 --a------ C:\Windows\system32\tmp.reg
2008-04-06 16:17:32 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-04-06 16:17:32 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-06 16:17:32 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-06 16:17:32 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-06 16:17:32 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 16:17:32 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-06 16:17:32 51200 --a------ C:\Windows\system32\dumphive.exe

One result from my searches was a post from Spybot’s Malware forum from someone with a similar (not exact, of course) problem with a vundo trojan. The poster described having a Vundo Trojan and nearly the same items were listed in that DSS log. See the message near the bottom of the page here: http://forums.spybot.info/showthread.php?t=25534&page=3

About using OTMoveIt2 and the “special list of files to remove.”

FROM POST:
• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
C:\WINDOWS\system32\rqono.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\dumphive.exe
• Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

Do you think I should do something similar? Have OTMoveIt2 remove them? Should I get rid of those items before performing your final instructions? If so, would you please help me with the script/folder item or whatever is needed?

Or, do you think it is not necessary? I’m just a little nervous to see things listed on my computer that I don’t recognize and can’t locate much info regarding their purpose/use.

2. I had Prevx installed from my old Windows XP, and when I used PC Mover it came over with it. I didn't like the program on Vista because it was annoying and making everything run slow. I thought I had uninstalled it through add/remove programs, but I still see that program listed in the logs, too. How can I get rid of it? I see you have recommended others, which I will definitely try.

3. I also had McAfee AV transferred over from the old laptop through PC Mover. Again, I thought I had removed it, but it's also still listed. Part of it is still working, too - because once in a while it tries to scan my outlook e-mail. It never shows up as a running process, or service, nor in task manager, so I have no idea what is going on with it. I figured Mcafee was arguing in the background with Norton. :)

4. My desktop background is still black, and I have no wallpaper pictures. Let me see if I can explain. When I try to put on wallpaper through the control panel, it does not work – all I have are “solid colors.” When I use the drop down for Windows Wallpapers, there are NO PIX showing at all. The name of the wallpaper jpeg is listed, but no thumbnail or any view – just a big blank white space. I even tried Themes, and could put on the Windows Classic Wallpaper (plain old blue background). I’ve done a search for the photos and they ARE at C:\Windows\Web\Wallpaper. The wallpaper names are all listed there, but again, just a big blank white space. I copied one of the jpgs, put it on my desktop, and opened it. The graphic is fine. Do you have any ideas about how I can get my wallpaper pictures to work again?

5. Sort of related to that is my actual desktop icons – folders, shortcuts, etc. are as they should be. However, every thing I try to delete from anywhere shows up as a black square. For example, anyfile.doc – if I right click and click delete, I get the confirmation popup. But the thumbnail is a black square. Any suggestions or ideas about what is wrong with it?

I had no problem with either the wallpaper or thumbnails until Vundo and that nightmare began. And, I have not used IE since the day or so after this started happening – ONLY Firefox.  :)

6. Do you think I am close to a clean system restore point?

7. Do you think the vundo/malware/trojan/virii, etc affected any of my MS Word, Excel, or other files? I took all my work files off the computer and put them on DVDs as soon as this started (of course I realize now that would have been too late). I was thinking that when the computer is good again, I could run the AV and spyware programs on the files before I bring them back on. Any suggestions or recommendations?

Thanks for being so patient, conscientious, and helpful!! I think I may be able to sleep tonight for the first time in over a week!! WHEW!!!
:)
-tc

Rorschach112
2008-04-12, 03:33
Wow that is a bright colour :)

These files are legitimate and related to the tools that we used, you can delete them if you wish(I will do it for you)

C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\dumphive.exe



How can I get rid of it?
Post me a new DSS log and I will remove PrevX from your system totally



I also had McAfee AV transferred over
Download and run the McAfee Removal Tool from here

http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe


No idea about your background problem



Any suggestions or ideas about what is wrong with it?
I think this is due to the malware problem, not sure how to fix it either.



Do you think I am close to a clean system restore point?
Your log is clean, you should make a new system restore point



Do you think the vundo/malware/trojan/virii, etc affected any of my MS Word, Excel, or other files?
No chance. You don't need to run any scanner programs either


Just post a new DSS log and let me know if you have any more questions

taichi
2008-04-12, 08:40
<< Your logs are clean ! We need to do a few things
Follow these steps to uninstall Combofix and tools used in the removal of malware
• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
(removed the picture)

Did! It wasn’t there, because it would never install correctly, so I deleted the file/folder several days ago.

<<
• Make sure you have an Internet Connection.
• Double-click OTMoveIt2.exe to run it.
• Click on the CleanUp! button
• A list of tool components used in the Cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
• Click Yes to beging the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.>>

Did, and reboot = all okay!

<<You now need to update your Java and remove your older versions.
Please follow these steps to remove older version Java components.
* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.>>

Did – there were 2 items – a “regular JRE” and another one “Java (T M) “
After uninstalling the two Java programs listed in add/remove programs, when I do a search for Java on the computer, I find these two items:

Java 2 Runtime Environment, SE v1.4.2_03.msi 7/15/2004 {7148F0A6-6813-11D6-A77B-00B0D0142030} c:\Users\Admin\AppData\Local

And an identical item – same date, size in the c:\useradministration\AppDatLocal

Is this okay, or should they be removed/deleted?


<<Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here>>

Did, update was fast and easy. The previous version items in the AppData\Local are still showing up, though. Should I just delete them?

<<Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.>>

I do this. Thanks for reminding me, though, because I had been turning off the automatic updating while I was in the middle of doing the malware/Trojan removal procedures. Just checked to make sure I had it back on again.

<<* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here
* SpywareGuard offers realtime protection from spyware installation attempts.>>

Thanks, I will definitely review and probably install these programs!

<<Make Internet Explorer more secure
• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.>>

I will check to make sure these are on the settings you indicated, just in case. I actually thought I had them that way before. I do not plan to use IE for some time (IF EVER!) I really, really prefer Firefox!

<< * MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.>>

Aha! I think I’ll check it out, also. Thanks!

<<* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here>>


Had it installed already, only wish I had been using it last week!

<<* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place' Here>>

Yes, very informative article!

<Wow that is a bright colour >>
Gee, it sure is. So sorry, I didn’t think it was going to look like that!

<<These files are legitimate and related to the tools that we used, you can delete them if you wish(I will do it for you)
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\dumphive.exe>>

Yes, please I would like it if they were removed

<<Quote:
How can I get rid of it?
Post me a new DSS log and I will remove PrevX from your system totally>>

Log is posted below.

<<Quote:
I also had McAfee AV transferred over
Download and run the McAfee Removal Tool from here
http://download.mcafee.com/products/...tches/MCPR.exe>>


Did!! - Worked great! No problems.

<<No idea about your background problem
Quote:
Any suggestions or ideas about what is wrong with it?
I think this is due to the malware problem, not sure how to fix it either.>>

I’ll keep looking, then. Thank you!

<<Quote:
Do you think I am close to a clean system restore point?
Your log is clean, you should make a new system restore point>>

EXCELLENT!

<<Quote:
Do you think the vundo/malware/trojan/virii, etc affected any of my MS Word, Excel, or other files?
No chance. You don't need to run any scanner programs either>>

This is awesome news!!

<< Just post a new DSS log and let me know if you have any more questions>>

Again, I just cannot thank you enough for all the help you've provided. I am so grateful. Where's the donation area? I thought I saw it when I first arrived here last week?

THANKS!!
-tc



Log below.

********************
Deckard's System Scanner v20071014.68
Run by admin on 2008-04-12 01:25:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as admin.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:34 AM, on 4/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\admin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 8174 bytes

-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-08 19:52:40 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-04-07 19:24:04 0 d--h----- C:\Windows\PIF
2008-04-06 22:15:51 0 d-------- C:\Program Files\Windows Journal
2008-04-06 16:17:32 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-06 16:17:32 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-06 16:17:32 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-06 16:17:32 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 16:17:32 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-06 16:17:32 51200 --a------ C:\Windows\system32\dumphive.exe
2008-04-06 12:57:37 0 d-------- C:\Program Files\Trend Micro

-- Find3M Report ---------------------------------------------------------------

2008-04-12 01:19:33 12 --a------ C:\Windows\bthservsdp.dat
2008-04-12 00:45:58 0 d-------- C:\Program Files\Java
2008-04-11 03:41:50 0 d-------- C:\Users\admin\AppData\Roaming\HP
2008-04-09 22:42:26 0 d-------- C:\Users\admin\AppData\Roaming\PeerNetworking
2008-04-07 23:41:30 0 d-------- C:\Users\admin\AppData\Roaming\Symantec
2008-04-06 22:15:50 0 d-------- C:\Program Files\Microsoft Games
2008-04-06 16:25:49 0 d-------- C:\Users\admin\AppData\Roaming\Corel
2008-04-06 16:18:19 35 --a------ C:\Users\admin\AppData\Roaming\SetValue.bat
2008-04-06 16:18:19 691 --a------ C:\Users\admin\AppData\Roaming\GetValue.vbs
2008-04-06 12:43:02 0 dr------- C:\Users\admin\AppData\Roaming\Brother
2008-04-06 12:40:27 0 d-------- C:\Users\admin\AppData\Roaming\Macromedia
2008-04-06 12:34:49 0 d-------- C:\Users\admin\AppData\Roaming\Talkback
2008-04-06 12:34:32 0 d-------- C:\Users\admin\AppData\Roaming\Mozilla
2008-04-04 19:50:04 0 d-------- C:\Program Files\ACT
2008-04-04 04:10:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-03 21:07:52 0 d-------- C:\Program Files\SPSS15
2008-04-03 18:15:01 0 d-------- C:\Program Files\Norton 360
2008-03-30 15:52:26 0 d-------- C:\Program Files\FirstClass
2008-03-23 13:30:20 0 d-------- C:\Program Files\Windows Mail
2008-03-09 18:03:32 73 --a------ C:\Windows\system32\ssprs.dll
2008-02-26 07:16:11 0 d-------- C:\Program Files\Prevx2
2008-02-23 09:42:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-23 09:40:52 0 d-------- C:\Program Files\Brother
2008-02-22 18:05:02 100 --a------ C:\Windows\system32\bd9420cn.dat
2008-02-22 17:32:46 0 d-------- C:\Program Files\ScanSoft
2008-02-22 17:32:45 0 d-------- C:\Program Files\Common Files
2008-02-12 16:40:59 0 d-------- C:\Program Files\Avery Wizard 3.1

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [10/30/2006 04:18 PM]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/10/2007 07:12 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [01/12/2007 11:36 PM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [10/09/2006 04:43 PM]
"RtHDVCpl"="RtHDVCpl.exe" [03/09/2007 01:50 PM C:\Windows\RtHDVCpl.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [04/23/2007 09:11 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/13/2007 02:38 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [02/12/2007 10:37 AM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 04:18 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [02/17/2005 02:11 AM]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [03/12/2007 02:54 PM]
"CognizanceTS"="c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [12/22/2003 02:12 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 09:54 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [01/02/2008 06:07 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [01/02/2008 06:06 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [01/02/2008 06:07 PM]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/14/2006 08:02 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 08:36 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
Cognizance ASBroker ASChannel
GPSvcGroup GPSvc
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-04-12 01:26:03 ------------

Rorschach112
2008-04-12, 15:57
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\Windows\system32\VundoFixSVC.exe
C:\Windows\system32\VCCLSID.exe
C:\Windows\system32\VACFix.exe
C:\Windows\system32\SrchSTS.exe
C:\Windows\system32\Process.exe
C:\Windows\system32\IEDFix.exe
C:\Windows\system32\dumphive.exe
C:\Program Files\Prevx2
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new HijackThis log

taichi
2008-04-12, 19:04
<<1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe>>

Did. However, before I ran HiJackThis, I went into the control panel, and found that Prevx was still listed as one of my programs. Maybe I only thought that I had removed it before, and had not actually done so. At any rate, I used the uninstall feature of Windows add/remove program to remove Prevx first and re-booted. After reboot, looked at Task Manager & saw it was no longer running in services/processes.

Then, I saw that “McTaskManager” (Network Associates Task Manager) was still listed under services, although it was not running. This was after I had already run the Mcafee Removal tool (MCPR.exe). I ran that tool again, and, after reboot, the McTaskManager is still in services (not running).

Do you think it’s okay to just leave it there, not running?

Then, I ran HiJackThis to uncheck the 2 items, but only the O23 Service: VundoFix Service…” was there, so that was all I checked and clicked to fix.

<<2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.>>

Did.


<<Please download the OTMoveIt2 by OldTimer.
• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
[kill explorer]
C:\Windows\system32\VundoFixSVC.exe
C:\Windows\system32\VCCLSID.exe
C:\Windows\system32\VACFix.exe
C:\Windows\system32\SrchSTS.exe
C:\Windows\system32\Process.exe
C:\Windows\system32\IEDFix.exe
C:\Windows\system32\dumphive.exe
C:\Program Files\Prevx2
purity
[start explorer]
• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.>>

Did. Here is OTMoveIt2 log:

Explorer killed successfully
C:\Windows\system32\VundoFixSVC.exe moved successfully.
C:\Windows\system32\VCCLSID.exe moved successfully.
C:\Windows\system32\VACFix.exe moved successfully.
C:\Windows\system32\SrchSTS.exe moved successfully.
C:\Windows\system32\Process.exe moved successfully.
C:\Windows\system32\IEDFix.exe moved successfully.
C:\Windows\system32\dumphive.exe moved successfully.
File/Folder C:\Program Files\Prevx2 not found.
< purity >
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04122008_112810

<<Reboot and post a new HijackThis log>>

Did. Here is HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:06 AM, on 4/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Unknown owner - VundoFixSVC.exe (file missing)
--
End of file - 7943 bytes


[B]Note the “O23 – Service: VundoFix…” is still listed, although it shows file missing. Is it still installed?

Is it okay to leave HiJackThis and some of the other programs such as Deckard DSS and OTMoveit2 on my laptop?

For all the fixes I’ve done under your direction, I have been logged on as admin instead of my user a/c – which is also an administrator. In the beginning when all of this started, I would be okay for a while logged on as admin. However, as soon as I logged on my user a/c, or switched over to my user a/c, then the malware/Trojan/crazy popups would start. So, I have not been on that a/c at all since I started posting here.

After posting this reply, I’m going to reboot all and log on as my user a/c. If I have any issues with this, I will report back, and also look for your replies to my last questions.

Thanks!! You have been a miracle worker!! I’ve learned so much with your help! :-)
-tc

Rorschach112
2008-04-12, 19:21
One last thing

Click Start > Run > Copy and paste the following in bold sc delete VundoFixSvc > Click ok



Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Then tell me if you have any more questions before we close the thread

taichi
2008-04-12, 22:53
Hi Rorschach,

Thanks for the speedy reply. I tried my user a/c and it was fine, too.

I do have a question before you close this message thread. Recommendations or suggestions are appreciated.

Should I do a disc defrag or any sort of general system cleanup/maintenance before I create a clean
system restore and recovery discs?

You didn't ask, but I ran one more HiJackThis system scan and log for you, just in case you need it.
I think that last procedure you had me do completely removed the VundoFixSvc. I put the log below.

I am so happy I found this forum! What an incredible, valuable service.
My problems are solved, thanks to your generous time and assistance.

You have been such a great help. Your instructions have been straightforward and easy to follow.

I'll be back because this is a great resource. But, ONLY to read, NOT with problems! :-)

Makes me happy knowing that there are talented and kind people willing to help.
May you have a long and gentle life.

-gratefully,
taichi



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:30 PM, on 4/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7790 bytes

Rorschach112
2008-04-13, 00:16
Log looks good


Should I do a disc defrag or any sort of general system cleanup/maintenance before I create a clean
system restore and recovery discs?
Doesn't matter really. You can do it whenever


Anything else ?

taichi
2008-04-13, 01:14
No, that's all.
Thanks!

Rorschach112
2008-04-13, 02:19
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

taichi
2008-04-14, 18:39
Please help. I think SmitFraud and Virtumonde are back.

I am running SpyBot this morning and it is running right now and already shows Virtumonde 4 entires and Smitfraud-C. I am on another computer while it is running.

What should I do next? Is there a LOG for Spybot that would help you find what's going on?

Thanks in advance.
-Taichi

Rorschach112
2008-04-14, 18:56
Post a new HijackThis log there

Spybot could just be finding the stuff we quarantined

taichi
2008-04-14, 19:20
Hi,
I'm sorry to panic like this, but, I was worried when I ran Spybot.

As you said, I ran Hijackthis and log is below.

Although I couldn't find a Spybot log, I printed what was on the screen. I did NOT check it to fix anything. I just printed and closed it.

Spybot found Smitfraud-C: Settings --several lines of entries in
registry keys (plain) and also registry keys for
Browser Helper, Library, Class ID.

Also found Smitfraud-C in the following files all in the C:\Windows directory:
/base64.tmp
/zip1.tmp
/zip2.tmp
/zip3.tmp
/zipped/tmp
/Web/def.htm

I looked in MyComputer in those locations, and those files WERE there, and they were the old date when everything started going bad (4/2/2008). I have no idea about registry keys, though, as I don't mess with those.

SpyBot found Virtumonde in Settings - Registry keys in
HKEY_USERS ....lots of numbers, etc..(3 of these found)
and
HKEY_LOCALMACHINE/SOFTWARE?Microsoft?aoprndtws

Here's Hijack log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:58 PM, on 4/14/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2093760284-1564289979-1210224223-1000\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'EAA')
O4 - HKUS\S-1-5-21-2093760284-1564289979-1210224223-500\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Administrator')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8706 bytes

Thank you.
Taichi

Rorschach112
2008-04-18, 02:41
Sounds like orphaned entries, I wouldn't worry too much

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\Windows/base64.tmp
C:\Windows/zip1.tmp
C:\Windows/zip2.tmp
C:\Windows/zip3.tmp
C:\Windows/zipped/tmp
C:\Windows/Web/def.htm
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Then reboot and run a full scan with Spybot and save the log and post it here

taichi
2008-04-19, 18:24
Hello, thanks for answering.

First thing, because I keep forgetting to mention this, and it may be important -- I am still running in “system configuration” mode. When I was in the midst of running all the different programs/cleaners, during the “Terrible Trojan/Malware” days and nights, I also was looking for running processes or start up items that were causing problems. I used msconfig. Items I didn’t particularly recognize or want, I disabled (stopped) them. BUT, ever since, I left msconfig running in “Selective Startup.” I saw a notice at Microsoft’s site that we shouldn’t keep starting in this mode, that it’s not stable, or something. MS says to allow normal startup and if programs are causing problems, just remove them, or have preferences for that program NOT to run at start up.

Should I enable everything, do a normal startup and see what happens? Post a log or something?

I have been trying to get back to "normal," with this laptop, but still have not done online shopping or banking, because I'm afraid trojan/malware programs are lurking around here somewhere.

New things:

I have been having to do some “hard shut downs” off and on, again, because Windows “hangs” at shut down/restart and won’t budge.

Steps I’ve taken since I posted last:

1. I re-ran Spybot Search & Destroy again and clicked FIX on the Virtumonde (4 entries) and Smitfraud-C (31 entries) registry key and file problems it found. I rebooted and re-ran Spybot, and it did not report those files, again. I looked in c: drive and couldn’t see them, so I think they are gone. I’ve updated, immunized, and re-run Spybot several times, and it still does not find those entries. Do you still want me to run the MOVE IT by Old Timer, in case Spybot did not delete them all??

2. For programs that I no longer use, or didn’t remember I had (for example, they were put on this laptop when I used PC Mover), here’s what I did. I “enabled” a particular service/program in msconfig, THEN, went to Windows add/remove programs, and UNINSTALL the program. Sometimes this worked, more often it did not. Not sure what step I am missing on this.

3. I ran Windows Defender & Norton several times – quick and full scans, with nothing unusual reported. I also began downloading and running the following protection programs (most of which, you recommended):

--- Spyguard would not work for me. After I installed it, Windows Installer kept popping up at restart, trying to “install” a program of mine that was moved onto this laptop with PCMover ( “Amos 5.0” a Structural Equation Modeling statistical program). It would hang up the start up and had to CAD to get rid of it. So, I ended up un-installing Spyguard, which solved the Windows Installer appearing at startup problem.

--- Spyware Blaster. I’m not sure exactly what it is doing or how it is supposed to work, but I’ve run it a few times. I enabled all the protection, and checked for updates (none), and I made sure to take a “system snapshot,” as well as a “registry snapshot.”

--- IESpyad – Again, I’m not sure what it did, other than apparently put lots of restricted sites in Mozilla’s Firefox browser.

--- Adaware 2007 from Lavasoft. I installed, updated, ran & it found 3 tracking cookies, that I let it remove.

--- Malwarebyte’s Anti-Malware. Downloaded & updated & ran. It found 9 things:
Vendor Category (Some long, long, numbers here)
Adware.Coupons Registry Key
Trojan.Agent File
Malware.Trace Registry Key
Spyware.MarketScore File
Malware.Trace Registry Key
Malware.Trace Registry Key
Malware.Trace Registry Key
Trojan.Vundo Registry Key
Trojan.Agent File (C:\users\(my user name) | g2mdlhlpx.exe (?) no idea

I had Malwarebyte remove all of them, rebooted, and re-scanned, and it did not show them again.

I have a few questions, and hope you can help with answers:

1. About the “system configuration” / selective startup mentioned at beginning. Should I use Run>msconfig, and set it for a “normal” startup, then run HJT again (or Deckards System Scanner) and post a new log after everything is supposedly running/starting?

2. Is it okay to use ERUNT Registry backup program, to make a “newer/cleaner” registry copy?

3. Should I make a new Restore Point, because of the other miscellaneous things that were found / fixed since I thought I was clean last week? In VISTA Home Premium Edition, it only keeps ONE restore point, not several. If yes, would you tell me where I find that? I can’t recall how I did it, nor locate my otherwise copious notes regarding this.

4. Internet Explorer does not work at all. I think I uninstalled it, or maybe just disabled it, when all the problems started, and I didn’t care if I ever saw IE again, because I like using Mozilla’s Firefox, less vulnerability, etc. But, I thought I read somewhere in the past week on Microsoft’s site that Windows will not update through another browser, only through IE. Do you know if this is true? Do you think I should re-install or try to get IE to work, just so I can get updates (I seriously am NOT going to purposely use it again)? Also, Kaspersky’s Online Scanner would not work with Firefox for me.

5. Is there a legitimate site somewhere that lists and updates all the “fake” spyware remover tools that I can look at? When the Trojan stuff started, I did not know about all the fake remover sites/programs such as “Spy Sheriff.” Also, the fake Windows security alerts that were trying to direct me to PC-Antispyware web site – I did not know that this was a well-known trojan/malware site. I also did not know that there is a FAKE Spybot search and destroy program. Does Spybot keep a list if these fakes?

Thanks in advance for any help you can give!!
TaiChi

taichi
2008-04-20, 01:23
Hi again,

Sorry to be a such a pain. If the information I need is posted somewhere, just point me in the right way and I’ll go there. Thanks!

I am still running MSconfig in “selective” mode. I haven’t changed to full, normal yet.

So, I am concerned that I may not really be correctly running the Spybot or HJT. Also, not sure if my HJT logs would be showing all the services and processes that are actually still “loaded” (if that’s the correct term), but not currently “running.” As I described before, I went into MSconfig & disabled in either startup or running process several items that I was uncertain about, and have left them that way. Does it matter?

I went online to do some research and checked the files listed below at bleepingcomputer.com, what-is-exe.com, and processlibrary.com, and checked all the DLL and exe files from the HGT log to make sure that the services/registry items listed in were actually okay and not bogus. There were three items that results came back as being spyware or hijacker. I made sure when searching the items that I entered the exact spelling and capital letters as listed in my HJT log. The first two items are supposedly “Searchcentrix Hijacker” – and not the legitimate one, because of the capital letter S for sidebar, instead of lower case, and where it’s located.

O4 – HKUS\S-1-5-19\..\Run:[Sidebar]%ProgramFiles%\Windows Sidebar\Sidebar.exe/detectMem (User ‘LOCAL SERVICE’)

And the same item, but listed for “NETWORK SERVICE” instead of “LOCAL SERVICE”)

O4 – HKUS\S-1-5-19\..\Run:[Sidebar]%ProgramFiles%\Windows Sidebar\Sidebar.exe/detectMem (User ‘NETWORK SERVICE’)

Note, I am running Windows Vista, and several months ago, I disabled the new Vista sidebar “gadget” from appearing, because it was annoying and useless to me. I don’t recall how I did that, maybe it was a preference.

The third item was reported as “spyware related to DownloadWare and found in Program FilesKFH.”

O4 – HKLM\..\RunOnce: [Launcher] %WINDIR%|SMINST\launcher.exe

All 3 items are very, very similar to legitimate items, that’s why I didn’t notice them before.

By the way, the web site "what-is-exe.com" didn’t show info on launcher, and only showed the sidebar as being Vista’s. The process library web site sort of agrees with bleepingcomputer and reports that launcher.exe, is a program for windows desktop downloader software from Intercort Systems, to monitor browsing habits, and send info back to the author, and that it’s a security risk. I actually never installed anything like that purposely.

I don’t know what to think – are these items okay?

Also updated & ran Spybot again this afternoon, but it didn’t find anything. I keep getting the same error near the end of the scan “Include Error File C:\Program..Files \Spybot\...Include \TrojansC.sbi” When I look for an “include report,” I can’t locate a log or anything. I’ve looked at Spybot S & D> Mode > Advanced > Tools > View Report. Can’t seem to find an includes error report. I did see the huge report, but not much help to me! :-/

I also looked at Spybot S & D’s System Start Up tool. I don’t know what the yellow and green highlighting mean in the items, there are no legends to tell. But, the ONE “Launcher” item listed above is highlighted in RED. I didn’t touch anything, just closed Spybot. I looked over in the Spybot forum but didnt find anything about highlighting.

Is there anything I should be doing? Should I turn windows configsys back on to normal startup and let everything run? & do a new hi jack with everything on?

I feel like I’m asking really simple/dumb questions, that I probably should know these things, but I don’t. I’m clueless and frustrated, sorry. I think in the past two weeks, I've lost whatever few working neurons I had :-/

Thanks in advance for any help you can give!
TaiChi

PS I haven’t made a donation because I am NOT doing any online things related to bank/credit card/money/shopping, etc., until I think the computer is totally secure. Please know that I am incredibly grateful for your assistance.

Rorschach112
2008-04-21, 03:13
Hello

Do Normal Startup if you wish, but selective startup is fine


Can you post the OTMoveIt2 and Spybot logs


Yes you can make a new registry point now that you are clean with ERUNT, same for the System Restore points



Here is a site for fake spyware programs

http://www.spywarewarrior.com/rogue_anti-spyware.htm



As for all those HJT entries you listed, they are all legitimate and shouldn't be fixed. That is why we don't use those automated scanners, they are terrible


Are you having any visible problems ?

taichi
2008-04-21, 15:59
Good morning,

<<As for all those HJT entries you listed, they are all legitimate and shouldn't be fixed. That is why we don't use those automated scanners, they are terrible>>

About these items:
O4 – HKUS\S-1-5-19\..\Run:[Sidebar]%ProgramFiles%\Windows Sidebar\Sidebar.exe/detectMem (User ‘LOCAL SERVICE’)

O4 – HKUS\S-1-5-19\..\Run:[Sidebar]%ProgramFiles%\Windows Sidebar\Sidebar.exe/detectMem (User ‘NETWORK SERVICE’)

O4 – HKLM\..\RunOnce: [Launcher] %WINDIR%|SMINST\launcher.exe

I actually didn’t use an online/automatic scanner, I typed the file names in those sites as a search. The information about the files came back from bleeping computer like below. When I type in sidebar.exe in the search, it shows 3 items, and the second one, with the "S" in caps both times, is the one I have.

http://www.bleepingcomputer.com/startups/

like below. I hope the table/info shows. The second listed sidebar is the way mine is capitalized (cap both times).

Name
Filename
Status
Description
sidebar
dsidebar.exe
U Related to Desktop_Sidebar provides you with instant access to the information you most desire by grabbing data from your PC and the internet. The re ... Read More

Sidebar
Sidebar.exe
X Searchcentrix hijacker

Sidebar
sidebar.exe
U The Windows Vista sidebar that allows you to add gadgets, rss feeds, and other information. ... Read More

And when I type in launcher.exe, Bleeping showed:

Launcher launcher.exe X Spyware component related to DownloadWare and found in Program FilesKFH


<<Are you having any visible problems ?>>

Slow load of firefox and starup items, and the computer has been hanging/stopping and I have to do a hard shut down.

About the logs-
Okay, when I get back from day job, I will post logs this evening.

thank you very much!
TaiChi

Rorschach112
2008-04-21, 16:32
You have nothing to worry about, don't need to see those logs as your PC is clean

Just do this then we are all done



Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



That is it, all done :)

taichi
2008-04-23, 01:56
Hi again,

Okay, if you think all is clear, I will act on your determination that everything is fixed. Thank you!!

One last item? Can you point me in the right direction, or answer a question about using the "ERUNT" restore registry?

I was concerned about "ownership" of the folders, because I had only set up "admin" and MY user name "EAA-PC," NEVER anyone else.

But, there were 3 types of "users" showing up in C:\winders\Users that I never set up -- "administrator" "Public" and "TrustedInstallers." These also had some temporary folders and other items that I had not put there and they were dated within the day or two following my major Virtumondo Smitfraud Abebot Downloader trojan/virii problems. I made sure I had deleted everything they had in them, last week, and I thought I deleted them, but they still show up on c drive. I read on micro-soft site that I really need to "take ownership" of any users/folders, and then delete the items so they wouldn't come back. I need to stop reading, I think! :-/

Anyway, the bottom line - I "took ownership" this morning, but something sort of unusual (probably bad) happened. It took a long time to change from "TrustedInstaller" to my admin user, and around "Symantics" folder I received a popup that an error occured and was denied, did I want to cancel or proceed, so. . . I cancelled the ownership. Then I received a popup that said this was probably not a good choice and the system would not be stable. I tried immediately to change ownership to "TrustedInstaller" (that's who owned my Cdrive), but no such "person/object/built in security principal." So, the computer hung up for a long time, then stopped responding. I switched to my user account and keep getting a notice "The recycle bin on C;\ is corrupted. Do you want to empty it?" I didn't know, so I said "no." Were you able to understand what I did?

Well, my question is:

If I use the ERUNT registry restore, which I had JUST DONE last night (before the ownership thing) ...will this put ownership back to "TrustedInstaller" and fix whatever I messed up this morning? I just got home this evening and didn't want to turn the laptop off or do anything. I'm afraid if I turn it off, it will not come back again! I made sure it is not connected to internet.


Thanks in advance for ERUNT directions, etc!! Maybe the clean System Restore I made before the "ownership" thing this morning would work better?
-TaiChi


And, look ---> Instead of copy/paste, I just NOW learned how to use the "quote" feature! :-)


You have nothing to worry about, don't need to see those logs as your PC is clean

Just do this then we are all done



Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

That is it, all done :)

Rorschach112
2008-04-23, 02:01
I'd say System Restore would be your best bet

Not much advice I can give you concerning that, it is more of a tech issue

Anything else ?

taichi
2008-04-23, 02:09
Okay, Thanks!!

Rorschach112
2008-04-23, 02:09
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

taichi
2008-04-24, 00:56
I just want to say again THANKS so much for helping me remove the virus, trojan and malware and related garbage.

Norton just gave up the ghost this morning, and is reporting: "not protecting your PC." But I will call them tonight or tomorrow and see if they can fix THEIR program. After I also make sure the ownership thing on all my folders are okay and I have a working A-V I will definitely make a donation! This forum is a great resource - for all levels of computer experience. :-)

Rorschach - you were awesome!!

-TaiChi


<<Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.>>