Trojan posing as CODEC, incessant registry edit attempts



snake_mearano
2008-06-12, 22:08
Hi

Recently I got a popup from a site saying that I needed the latest codec in order to view a movie, and I knew it was suspicious. It was stupid on my part: I saw "ActiveX control" and immediately suspected it, but I did the wrong thing and clicked on it anyway. First, AVG said that it detected a Trojan, and I hit "Heal". Then it detected another, so I clicked "Move to Vault".

Then, Spybot came up with a popup saying that a value change to my registry was being attempted: a "tuvWmLCR" WinLogon Notifier. I denied it twice, since I wasn't going to let anything happen to my registry after getting infected. The second time, I blacklisted the change in Spybot, but it keeps popping up incessantly (and as I key this, it's started with a Browser Helper Object "82600013-9D14-4011-9475-08D18B93C1AD"). Both are incessantly trying to change, but Spybot has them both blacklisted, as I said.

After that I immediately yanked my network cable in case it decided to try and communicate with anything I didn't want it to, and it's been unplugged since. I only replugged it long enough to download and run HijackThis, which I've gotten a log for, and I'm posting from my wife's clean laptop. AVG Scanner completed with no results.

Here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:46 PM, on 12/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCDrSmartMonitor] "C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" -r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT ACR] C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [69e2c992] rundll32.exe "C:\WINDOWS\system32\yidehwrk.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9002 bytes

Got some more info for ya. Spybot scanned and came up with these results:

Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-929163241-3490884053-785198037-1007\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $E7C36CB1] Executable (File, nothing done)
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\removalfile.bat

Virtumonde.dll: [SBI $7442D4BC] Library (File, nothing done)
C:\WINDOWS\system32\hgGaYPjH.dll

Virtumonde.dll: [SBI $960C7A04] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82600013-9D14-4011-9475-08D18B93C1AD}

Virtumonde.dll: [SBI $960C7A04] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82600013-9D14-4011-9475-08D18B93C1AD}

Virtumonde.dll: [SBI $960C7A04] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82600013-9D14-4011-9475-08D18B93C1AD}

Virtumonde.dll: [SBI $960C7A04] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82600013-9D14-4011-9475-08D18B93C1AD}

MediaPlex: Tracking cookie (Internet Explorer: Compaq_Administrator) (Cookie, nothing done)

WebTrends live: Tracking cookie (Internet Explorer: Compaq_Administrator) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-05-14 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-04-16 Includes\Adware.sbi (*)
2008-05-14 Includes\AdwareC.sbi (*)
2008-05-14 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-05-14 Includes\DialerC.sbi (*)
2008-05-14 Includes\HeavyDuty.sbi (*)
2008-04-30 Includes\Hijackers.sbi (*)
2008-05-14 Includes\HijackersC.sbi (*)
2008-04-30 Includes\Keyloggers.sbi (*)
2008-05-14 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-04-22 Includes\Malware.sbi (*)
2008-05-14 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-05-14 Includes\PUPSC.sbi (*)
2008-05-14 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-05-14 Includes\SecurityC.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-05-14 Includes\SpybotsC.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-05-14 Includes\SpywareC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-04-30 Includes\Trojans.sbi (*)
2008-05-14 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Tried to Fix the Selected Problems; it came up with some "Spybot Deleted" registry change prompts, which I allowed. Running another bot-check now, but I have to go to work soon, so I might not be able to post the results today. Hopefully tonight. Popups are still coming up from denied registry changes to the two I mentioned.

Please help! Greatly appreciated!

pskelley
2008-06-13, 21:03
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

For your information:
http://forums.spybot.info/showthread.php?t=7344

Probably this infection:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT.exe; call it snake_mearano.exe, that will work. The hackers hide their junk from HJT and we may be able to see it after a restart.

3) Restart the computer and post a new HJT log.

Thanks

snake_mearano
2008-06-13, 21:33
Hi PSKelley;

Firstly, thanks for your help. This thing has been kicking my butt for two days now. Everything I seem to try just keeps coming back. I took the liberty of deleting the virus stored in my AVG vault, thinking that it may be adding to my troubles (even though it's in the vault so it shouldn't, but whatever). I also disabled TeaTimer and the resident shield in AVG too.

But I have a question. TeaTimer was the only thing holding back the registry edit attempts that the virus was trying to make. Won't this simply allow it to do as it will?

Okay, I've restarted, but it's taking nigh-on forever to get anything loaded. Also, my taskbar is nothing but blackness. I opened up the task manager and tried to restart explorer.exe, but that hasn't done the trick. There was also a "reader" process that was running, so I closed it, but I still haven't gotten any results.

Okay. It was freezing up until I finally got it down the list to see that spybotsd.exe was sucking up 99% of my processor power. I closed it and now I'm started up.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:49 PM, on 13/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\snake_mearano.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2FB68C59-C098-415B-8563-837B33DD7D0D} - C:\WINDOWS\system32\tuvWmLCR.dll
O2 - BHO: (no name) - {3AF5BF64-A77C-4115-99E6-490C9FB43F30} - C:\WINDOWS\system32\yayaArqP.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82600013-9D14-4011-9475-08D18B93C1AD} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCDrSmartMonitor] "C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" -r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT ACR] C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: tuvWmLCR - C:\WINDOWS\SYSTEM32\tuvWmLCR.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9841 bytes

Thanks again.
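As an added illustration, not code from this thread or from the HijackThis project, here is a small Python triage script that applies the structural rules a helper reads from a log like the one above: unnamed or orphaned O2 BHOs, O4 Run values with random 8-hex-digit names, O20 Winlogon Notify packages, and a DLL registered at more than one load point. The sample lines are copied from the second log in this thread; the rule set and the Finding/triage names are my own.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: a subset of lines copied from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2FB68C59-C098-415B-8563-837B33DD7D0D} - C:\WINDOWS\system32\tuvWmLCR.dll
O2 - BHO: (no name) - {3AF5BF64-A77C-4115-99E6-490C9FB43F30} - C:\WINDOWS\system32\yayaArqP.dll
O2 - BHO: (no name) - {82600013-9D14-4011-9475-08D18B93C1AD} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [69e2c992] rundll32.exe "C:\WINDOWS\system32\yidehwrk.dll",b
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: tuvWmLCR - C:\WINDOWS\SYSTEM32\tuvWmLCR.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    severity: str  # "review" (look it up) or "high" (registered at several load points)
    reason: str
    line: str


# Shapes of the HJT entry types that carry this infection's load points.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
DLL_RE = re.compile(r"([\w~.-]+\.dll)", re.IGNORECASE)  # file-name part of a DLL path
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}$")  # Run value names such as [69e2c992]


def triage(log_text: str) -> list[Finding]:
    """Return the O2/O4/O20 entries a helper would check first, in log order."""
    findings: list[Finding] = []
    dll_sites = defaultdict(set)  # dll name (lowercase) -> entry types it is registered under
    dll_first_line = {}           # dll name -> first log line that referenced it

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]  # "O2", "O4", "O20", ...
        dll = DLL_RE.search(line)
        if dll and kind in ("O2", "O4", "O20"):
            name = dll.group(1).lower()
            dll_sites[name].add(kind)
            dll_first_line.setdefault(name, line)

        bho = BHO_RE.match(line)
        if bho:
            # Legitimate BHOs normally carry a product name; the ones here do not.
            if bho.group("name") == "(no name)":
                where = "orphaned, file missing" if bho.group("path") == "(no file)" else bho.group("path")
                findings.append(Finding("review", f"unnamed BHO: {where}", line))
            continue
        run = RUN_RE.match(line)
        if run:
            if HEXNAME_RE.match(run.group("key")):
                findings.append(Finding("review", "Run value with a random 8-hex-digit name", line))
            continue
        if NOTIFY_RE.match(line):
            findings.append(Finding("review", "Winlogon Notify package: loaded by winlogon.exe at every logon", line))

    # A DLL that is both a BHO and a Winlogon Notify package (tuvWmLCR.dll above) sits at
    # two load points, which is the strongest single signal in this log.
    for name, kinds in dll_sites.items():
        if len(kinds) > 1:
            findings.append(Finding("high", f"{name} registered at {len(kinds)} load points ({', '.join(sorted(kinds))})", dll_first_line[name]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it against the full log text instead of SAMPLE_LOG to get the same list for a whole HJT log; entries it does not flag still need the usual manual lookup.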

pskelley
2008-06-13, 21:55
Thanks for returning your information. I don't want to get too bogged down in questions in the beginning, but...

I took the liberty of deleting the virus stored in my AVG vault
I am running AVG 8 (free) also, and I notice it is fairly aggressive from startup. I leave the stuff it quarantines in the vault for about a week before dumping the junk, just so I don't have to look at everything it removes. There have been a few instances where it removed stuff it should not. Like all new programs, it has growing pains to go through, and I believe it is an excellent free program.

I have nothing against TeaTimer, though I personally prefer SpywareGuard, which does the same job. What is going to happen during the early part of the battle against this infection is going to happen. That is bad enough without constantly having to deal with TeaTimer, which is one reason I turn it off. The other is because the memory keeps stuff in the HJT log that we want to remove.

Okay. it was freezing up until I finally got it down the list to see that spybotsd.exe was sucking up 99% of my processor power. I closed it and now I'm started up.
As good a program as Spybot is, it cannot do everything, and it cannot remove this infection at this point. Close it and leave it closed until you are clean, then go back to using it to control what it can.

Moving right to our most powerful tool, follow the directions carefully:

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks...Phil

snake_mearano
2008-06-13, 23:04
Alrighty, ran ComboFix and came up with this log:

ComboFix 08-06-11.7 - Compaq_Administrator 2008-06-13 13:10:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT -6:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\CALIBRIB.TTF
C:\WINDOWS\system32\gpukyxkk.dll
C:\WINDOWS\system32\HjPYaGgh.ini
C:\WINDOWS\system32\HjPYaGgh.ini2
C:\WINDOWS\system32\kkxykupg.ini
C:\WINDOWS\system32\krwhediy.ini
C:\WINDOWS\system32\PqrAayay.ini
C:\WINDOWS\system32\PqrAayay.ini2
C:\WINDOWS\system32\tuvWmLCR.dll
C:\WINDOWS\system32\yayaArqP.dll
C:\WINDOWS\system32\yidehwrk.dll
C:\WINDOWS\winhelp.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-13 00:44 . 2008-06-13 00:46 <DIR> d-------- C:\!KillBox
2008-06-12 11:51 . 2008-06-12 11:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-10 18:41 . 2008-04-14 05:01 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 18:41 . 2008-04-14 05:01 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 12:36 . 2008-06-09 12:36 244 --ah----- C:\sqmnoopt00.sqm
2008-06-09 12:36 . 2008-06-09 12:36 232 --ah----- C:\sqmdata00.sqm
2008-06-09 12:36 . 2008-06-09 12:36 172 --ah----- C:\sqmnoopt01.sqm
2008-06-09 12:36 . 2008-06-09 12:36 172 --ah----- C:\sqmdata01.sqm
2008-06-09 12:35 . 2008-06-09 12:35 <DIR> dr-h----- C:\Documents and Settings\Compaq_Administrator\Application Data\SecuROM
2008-06-09 00:17 . 2008-06-09 00:17 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-06-08 23:56 . 2008-06-08 23:56 <DIR> d-------- C:\Program Files\Eidos
2008-06-08 23:25 . 2008-06-08 23:25 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-06 22:04 . 2008-06-06 22:04 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-06-06 22:04 . 2008-06-06 22:04 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-06-06 22:03 . 2008-06-06 22:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 13:45 . 2008-05-30 13:45 <DIR> d-------- C:\Program Files\DScaler5
2008-05-30 13:42 . 2008-05-30 13:42 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Media Player Classic
2008-05-30 13:35 . 2008-05-30 13:35 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\vlc
2008-05-30 13:35 . 2008-05-30 13:35 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\dvdcss
2008-05-30 13:32 . 2008-05-30 13:32 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-30 12:45 . 2008-05-30 12:45 0 --a------ C:\WINDOWS\iPlayer.INI
2008-05-30 12:43 . 2008-05-30 13:37 <DIR> d-------- C:\Program Files\InterActual
2008-05-29 17:56 . 2008-05-29 17:56 <DIR> d-------- C:\Program Files\RamBooster 2.0
2008-05-29 17:26 . 2008-05-29 17:26 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-29 17:13 . 2008-05-29 17:13 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-29 17:02 . 2008-05-29 17:29 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-29 12:29 . 2008-05-29 12:29 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-28 21:13 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-05-28 21:13 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-05-28 21:13 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-05-28 21:13 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-05-28 21:13 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-28 21:13 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-05-28 21:13 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-05-27 17:08 . 2008-05-27 17:08 169,122 --a------ C:\WINDOWS\al_blamingme.wav
2008-05-27 17:06 . 2008-05-27 17:06 12,988 --a------ C:\WINDOWS\buttonclickrelease.wav
2008-05-27 16:56 . 2008-05-27 17:09 <DIR> d-------- C:\Program Files\GCFScape
2008-05-27 16:29 . 2008-05-27 16:29 <DIR> d-------- C:\Program Files\illiminable
2008-05-27 15:10 . 2007-03-07 22:20 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-05-27 15:10 . 2007-03-07 22:20 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-05-27 15:09 . 2007-03-30 09:07 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-05-27 15:09 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2008-05-27 15:09 . 2007-03-07 22:20 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-05-27 15:08 . 2007-03-17 10:11 675,840 -ra------ C:\WINDOWS\system32\hpowiax3.dll
2008-05-27 15:08 . 2007-03-17 10:11 569,344 -ra------ C:\WINDOWS\system32\hpotscl3.dll
2008-05-27 15:08 . 2007-03-07 22:20 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-05-27 15:08 . 2007-03-07 22:20 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-05-27 15:08 . 2007-03-17 10:11 303,104 -ra------ C:\WINDOWS\system32\hpovst10.dll
2008-05-26 23:54 . 2008-05-29 16:59 <DIR> d-------- C:\Program Files\Google
2008-05-26 17:49 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-26 13:21 . 2008-04-04 11:15 9,347,072 --a------ C:\WINDOWS\system32\dzcore.dll
2008-05-26 13:21 . 2008-04-04 11:05 6,131,712 --a------ C:\WINDOWS\system32\daz-qt-mt.dll
2008-05-26 13:21 . 2008-04-04 11:00 2,076,672 --a------ C:\WINDOWS\system32\dz3delight.dll
2008-05-26 13:21 . 2008-04-04 11:05 1,785,856 --a------ C:\WINDOWS\system32\daz-qsa.dll
2008-05-26 13:21 . 2008-04-04 11:17 49,152 --a------ C:\WINDOWS\system32\dzcarrara.dll
2008-05-26 13:21 . 2008-04-04 11:17 33,280 --a------ C:\WINDOWS\system32\dzbryce6.dll
2008-05-26 13:21 . 2008-04-04 11:16 26,624 --a------ C:\WINDOWS\system32\dzwrapper.dll
2008-05-26 13:19 . 2008-05-26 13:19 <DIR> d-------- C:\Program Files\DAZ
2008-05-26 13:19 . 2008-05-26 17:08 <DIR> d-------- C:\Program Files\Common Files\DAZ
2008-05-25 10:47 . 2007-09-14 12:34 11,776 --a------ C:\WINDOWS\system32\drivers\pdiddcci.sys
2008-05-25 10:46 . 2008-05-25 10:46 62,009 --a------ C:\WINDOWS\system32\wpfb_ati2dvag.dll
2008-05-25 10:46 . 2006-11-16 17:20 15,920 --a------ C:\WINDOWS\system32\drivers\PdiPorts.sys
2008-05-24 12:01 . 2008-05-26 12:34 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-23 18:07 . 2008-05-23 18:07 <DIR> d-------- C:\Program Files\CCleaner
2008-05-23 17:35 . 2008-05-23 17:43 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Uniblue
2008-05-22 08:53 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-22 08:53 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-22 08:53 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-21 19:34 . 2008-05-21 19:35 <DIR> d-------- C:\Program Files\Windows Live
2008-05-21 19:34 . 2008-05-21 19:35 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-21 19:34 . 2008-05-21 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-21 17:27 . 2008-05-21 17:27 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Saved Games
2008-05-21 17:27 . 2008-05-21 17:27 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Flood Light Games
2008-05-21 17:27 . 2008-05-21 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-05-21 17:27 . 2008-05-21 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-05-20 09:11 . 2008-05-20 09:11 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-20 09:05 . 2004-12-10 21:50 <DIR> d-------- C:\Program Files\images
2008-05-20 09:05 . 2004-12-12 19:13 208,896 --a------ C:\Program Files\3DAnalyze.exe
2008-05-20 09:05 . 2004-12-10 21:44 90,112 --a------ C:\Program Files\hook_3DA.dll
2008-05-20 09:05 . 2004-12-10 21:44 52,736 --a------ C:\Program Files\ForceDLL.dll
2008-05-19 09:35 . 2008-05-19 09:37 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\SecondLife
2008-05-17 21:39 . 2008-05-17 22:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-17 21:36 . 2008-05-18 10:18 <DIR> d-------- C:\Program Files\MSN Games
2008-05-15 13:01 . 2008-05-15 13:38 <DIR> d-------- C:\Program Files\Project64 1.6
2008-05-15 09:46 . 2008-05-15 09:46 331 --a------ C:\WINDOWS\doom3.ini
2008-05-14 15:37 . 2008-06-13 13:11 <DIR> d-------- C:\Program Files\DNA
2008-05-14 15:37 . 2008-06-13 13:28 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\DNA
2008-05-14 08:46 . 2008-05-14 08:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-14 08:46 . 2008-05-14 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 08:45 . 2008-05-14 08:45 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-13 23:34 . 2008-06-12 12:07 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-13 22:57 . 2008-06-12 10:35 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-13 22:57 . 2008-05-14 08:47 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\AVGTOOLBAR
2008-05-13 22:57 . 2008-05-13 22:57 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-13 22:57 . 2008-05-13 22:57 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-13 22:57 . 2008-05-13 22:57 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-13 22:56 . 2008-05-13 22:56 <DIR> d-------- C:\Program Files\AVG
2008-05-13 22:56 . 2008-05-13 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-13 18:40 . 2008-05-13 18:40 <DIR> d-------- C:\Program Files\MSBuild
2008-05-13 18:36 . 2008-05-31 17:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-05-13 18:35 . 2008-05-13 18:35 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-05-13 18:34 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-13 18:27 . 2008-05-29 17:03 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-13 18:23 . 2005-04-28 13:16 274,432 --a------ C:\WINDOWS\system32\dllcache\SET4E.tmp
2008-05-13 18:23 . 2005-04-27 18:12 245,248 --a------ C:\WINDOWS\system32\dllcache\SET4C.tmp
2008-05-13 18:23 . 2005-04-28 13:16 215,552 --a------ C:\WINDOWS\system32\dllcache\SET4B.tmp
2008-05-13 18:23 . 2005-04-28 13:16 193,024 --a------ C:\WINDOWS\system32\dllcache\SET4A.tmp
2008-05-13 18:23 . 2005-04-28 13:16 133,120 --a------ C:\WINDOWS\system32\dllcache\SET50.tmp
2008-05-13 18:23 . 2005-04-27 18:12 103,424 --a------ C:\WINDOWS\system32\dllcache\SET4D.tmp
2008-05-13 18:23 . 2005-04-28 13:16 19,968 --a------ C:\WINDOWS\system32\dllcache\SET4F.tmp
2008-05-13 17:01 . 2008-05-13 17:01 <DIR> d--hs---- C:\found.000
2008-05-13 16:43 . 2008-05-13 17:58 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-13 16:43 . 2008-05-13 17:58 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-13 16:43 . 2008-05-13 17:58 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-13 16:43 . 2008-05-13 17:57 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-13 16:33 . 2004-08-09 15:00 5,650,432 --a------ C:\WINDOWS\system32\dllcache\logonui.exe
2008-05-13 16:32 . 2007-10-25 21:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-05-13 16:25 . 2008-04-13 18:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-05-13 16:23 . 2006-12-28 13:01 19,569 --a------ C:\WINDOWS\003235_.tmp
2008-05-13 16:10 . 2008-05-13 16:10 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\DivX
2008-05-13 10:47 . 2008-05-13 10:47 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-13 10:47 . 2008-05-13 10:49 <DIR> d-------- C:\WINDOWS\NV1763380.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 05:49 --------- d-----w C:\Program Files\Steam
2008-06-09 17:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-29 23:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-29 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-29 23:00 --------- d-----w C:\Program Files\HP
2008-05-29 18:26 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\AdobeUM
2008-05-27 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-05-26 23:49 --------- d-----w C:\Program Files\Java
2008-05-25 16:52 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\DisplayTune
2008-05-25 16:46 --------- d-----w C:\Program Files\Common Files\Portrait Displays
2008-05-22 01:36 --------- d-----w C:\Program Files\MSN Messenger
2008-05-20 01:49 --------- d-----w C:\Program Files\Common Files\HP
2008-05-15 15:46 --------- d-----w C:\Program Files\Doom 3
2008-05-15 15:36 --------- d-----w C:\Program Files\VstPlugins
2008-05-15 15:36 --------- d-----w C:\Program Files\Image-Line
2008-05-15 15:34 --------- d-----w C:\Program Files\Microsoft Works
2008-05-11 20:40 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire
2008-05-11 19:27 --------- d-----w C:\Program Files\Microsoft Games
2008-05-10 00:25 --------- d-----w C:\Program Files\DivX
2008-05-09 01:41 --------- d-----w C:\Program Files\QuickTime
2008-05-09 01:41 --------- d-----w C:\Program Files\iTunes
2008-05-09 01:41 --------- d-----w C:\Program Files\Bonjour
2008-05-09 01:41 --------- d-----w C:\Program Files\Apple Software Update
2008-05-09 01:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\HPQ
2008-05-09 01:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DisplayTune(2)
2008-05-08 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-05-08 19:00 --------- d-----w C:\Program Files\ATI Technologies
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 05:18 --------- d-----w C:\Program Files\D-Link
2008-05-08 05:15 --------- d-----w C:\Program Files\Lavasoft
2008-05-08 05:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-08 05:09 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Apple Computer
2008-05-08 05:08 --------- d-----w C:\Program Files\iPod
2008-05-08 05:06 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-07 22:20 --------- d-----w C:\Program Files\Portrait Displays
2008-05-07 22:19 --------- d-----w C:\Program Files\Acer Display
2008-05-03 12:23 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\gtk-2.0
2008-05-03 04:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-04-20 20:27 --------- d-----w C:\Program Files\Diablo II
2008-04-14 06:09 --------- d-----w C:\Program Files\FRONTIER GROOVE
2008-04-14 05:40 3,254 ----a-w C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
2004-12-13 01:17 7,667 ----a-w C:\Program Files\releasenotes.txt
2004-12-13 01:04 1,069,056 ----a-w C:\Program Files\dat3.000
2004-12-11 03:55 39,532 ----a-w C:\Program Files\help.html
2004-12-11 03:45 987,136 ----a-w C:\Program Files\dat2.000
2004-12-11 03:45 765,952 ----a-w C:\Program Files\dat1.000
2002-07-24 05:31 9,813 ----a-w C:\Program Files\beta.txt
2002-02-05 04:00 311 ----a-w C:\Program Files\scroll.css
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-14 15:37 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 08:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 18:19 77312 C:\WINDOWS\arpwrmsg.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 17:14 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 17:34 249856]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-23 21:11 77824]
"PCDrSmartMonitor"="C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" [2006-05-10 16:44 376832]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-13 22:56 1177368]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-10 09:01 180269]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 12:17 694008]
"DT ACR"="C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe" [2007-09-20 11:03 305664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 03:57 16855552 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-07-20 01:11:16 3450608]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 01:43:08 180224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"PreXPSP2ShellProtocolBehavior"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 16:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-10 09:01 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Q3Ademo\\quake3.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-13 22:57]
R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys [2007-02-09 12:17]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-13 22:56]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-13 22:56]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-13 22:57]
R3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [2006-05-10 16:26]
R3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\system32\drivers\pivotmou.sys [2007-02-09 12:17]
S0 NVStrap;NVStrap;C:\WINDOWS\system32\drivers\NVStrap.sys [2007-10-30 12:05]
S3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [2006-04-01 09:16]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 19:29:17 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-13 19:56:14 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 13:27:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCD5SRVC{8A863ACB-F5F6CC6A-05010004}]
"ImagePath"="\??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Portrait Displays\Pivot Software\Floater.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
.
**************************************************************************
.
Completion time: 2008-06-13 13:56:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-13 19:56:38

Pre-Run: 33,578,258,432 bytes free
Post-Run: 33,462,538,240 bytes free

315 --- E O F --- 2008-06-06 04:17:13

I then tried to run HiJackThis to get a log, and it was working until it came up with an error message:

"Error Details: An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
Error #5 - Invalid Procedure call or argument"

It asks me if I want to report the error (I can't since my PC is offline) and I click no, but I got a report anyway.

Here's that HiJackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:36 PM, on 13/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\snake_mearano.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCDrSmartMonitor] "C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" -r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT ACR] C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8769 bytes

Thank you again.

pskelley
2008-06-14, 00:12
Thanks for returning your information; read and proceed carefully and in the numbered order.

1) C:\Program Files\Java\jre1.6.0_05\ <<< update your Java program, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Windows Defender
Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Make sure to turn your protection back on when you finish.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(you may leave the hp redirects if you use them)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

(You may get a few slow starts after cleaning Prefetch)
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html


You have some good programs on board; make sure they are all running right.
1) AVG 8: update and run a system scan, let me know about anything it finds and cannot handle.

2) Windows Defender: update and run it. Let me know if it finds anything it cannot fix.

3) Spybot S&D: Update and fully immunize, then scan to see if it finds anything it cannot remove.

Once that is done, we need to address the Recovery Console issue before we remove combofix.

Keep me posted...Thanks
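As an added example (not code from either poster, and not part of HijackThis or ComboFix), the script below applies the rules the helper used when picking the R0/R1/R3 lines above to a constructed excerpt in HijackThis v2 line format. The hostnames and CLSIDs in the sample are copied from the posted log; the allow-lists of Microsoft default hosts and HP OEM redirect hosts are my assumption, as is the choice to mark every "(no file)" / "(file missing)" entry as "fix" (the helper left the HP O9 entries alone).

```python
"""Triage HijackThis v2 log lines the way a forum helper does: classify each
R0/R1/R3/O2/O9/O20 entry as ok, optional, review or fix.  Added example; the
allow-lists below are assumptions, not something HijackThis itself ships."""
import re
from urllib.parse import urlparse

# Hosts Windows XP / IE7 use for their own defaults (assumption: only this one).
MICROSOFT_DEFAULT_HOSTS = {"go.microsoft.com"}
# OEM search/home-page redirects: harmless, so removal is the user's choice.
OEM_REDIRECT_HOSTS = {"ie.redirect.hp.com"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# R0/R1 bodies look like "HKCU\...\Main,Start Page = http://..."; the value may be empty.
R_VALUE_RE = re.compile(r"^(?P<key>.*?) =\s*(?P<value>.*)$")

# Constructed sample, modelled on lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\IEButton\support.htm (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
"""


def triage_line(line):
    """Return (section, verdict, reason) for one log line, or None when the
    line is not a HijackThis entry at all."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec in ("R0", "R1"):
        vm = R_VALUE_RE.match(body)
        value = vm.group("value").strip() if vm else ""
        if not value:
            # An empty Local Page / Start Page; "Fix checked" restores the default.
            return (sec, "fix", "empty value")
        host = (urlparse(value).hostname or "").lower()
        if host in MICROSOFT_DEFAULT_HOSTS:
            return (sec, "ok", host)
        if host in OEM_REDIRECT_HOSTS:
            return (sec, "optional", host)
        # User-chosen or unknown host: confirm with the user before touching it.
        return (sec, "review", host or value)

    if "(no file)" in body or "(file missing)" in body:
        # A registered COM object or button whose file is gone: dead entry, safe to remove.
        return (sec, "fix", "registered object points at a missing file")

    if sec == "O20":
        # AppInit_DLLs is loaded into every process that maps user32.dll, so always eyeball it.
        return (sec, "review", body)

    return (sec, "ok", body)


def triage_log(text):
    """Classify every entry line in a log; non-entry lines are skipped."""
    return [r for r in (triage_line(l) for l in text.splitlines()) if r]


def fix_list(text):
    """The lines a helper would tick under 'Do a system scan only'."""
    out = []
    for line in text.splitlines():
        r = triage_line(line)
        if r and r[1] == "fix":
            out.append(line.strip())
    return out


if __name__ == "__main__":
    for sec, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{sec:<4} {verdict:<9} {reason}")
```

Run it against a saved log with `triage_log(open("hijackthis.log").read())`; anything marked "review" still needs a human decision, and the "optional" OEM redirects are exactly the ones the helper said could stay if the user wants them.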

snake_mearano
2008-06-14, 08:06
Well, I let AVG scan as I went to work and had it shut down when done, and decided it pertinent enough to check after I got home tonight.
I checked its history for today's scan and it found one infection, a file named "yayaarpq.dll". It read that it was hiding in the !Killbox folder, but it had moved it to the virus vault. I checked in on it to see that it was still, indeed, there, but had changed its name to "yayaarpq.dll (1)" and had even spawned another one, "Yayaarpq.dll (2)", so I tried to Killbox the first one, but it kept coming back with another numeral added to its name.

I just tried deleting the entire folder for !Killbox (all it had was one log and the two virus files) and... surprisingly it hasn't come back.

I just deleted KillBox too, to prevent it from remaking another !Killbox folder the next time I run it, just in case it might hide there again.
And to prevent myself from screwing up something horribly.

I'm running Windows Defender right now, got the update for the definitions just before I had to leave, so I'll let it take a crack at it tonight, see how it turns out. Here's hoping. I'll try Spybot tonight too, I'll let you know of my results tomorrow.

Thanks ahead of time.

pskelley
2008-06-14, 15:33
I saw the Killbox: in combofix 2008-06-13 00:44 . 2008-06-13 00:46 <DIR> d-------- C:\!KillBox

and thought about removing it with combofix but was thinking it was being used by you. I should have remembered !KillBox stores what it removes in the folder. That is a good tool for tough files and I use it a lot. You did the correct thing deleting the folder, just keep the download link in case you need the tool again.

As soon as resident malware programs report "all is well" then read and follow these instructions:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks...Phil

snake_mearano
2008-06-15, 10:23
Alrighty! All is Well on the Windows Front!

Got home and scanned with AVG, turned up clean aside from a few minor warnings about registry things, but no infections. I was crossing my fingers too.

Scanned with Spybot and am happy to report that it passed Virtumonde and Virtumonde.dll without so much as a single infection.

Only got through a quick scan with Windows Defender but it didn't show anything either. I'm actually posting from my DISinfected pc! Woo!

Thanks so much for your help! My thanks for all your hard work and knowledge. I'll be much, much more careful in the future, be sure of that.

That makes sense that killbox couldn't killbox a file that it already killboxed. Heh. That also explains why it kept coming back. >< It -is- a good tool, though. I heard about it from a friend when his PC got infected, he had Tech Support Remote his computer and downloaded it to kill the file. He got to watch on his monitor. I read up on the program and decided to keep it holstered until I felt I needed it. I will definitely keep the link handy though.

Okay, I've got the recovery console installed, and I have the TXT for ya:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Not sure what that will tell you, but hey. You said post it, so I did.

I was wondering too if you wanted me to post another HJT log just to be sure... Before we get rid of the holy grail ComboFix?

Anyway, thanks a million, again.

pskelley
2008-06-15, 13:35
I was wondering too if you wanted me to post another HJT log just to be sure... Before we get rid of the holy grail ComboFix?
Sure, but let's look at a MBAM scan along with it. This program looks for rogue junk like the infection you had.

Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Thanks

snake_mearano
2008-06-16, 06:41
Okay, I installed and ran the Anti-Malware, and it found one trojan hiding, but it said it was able to remove it.

Here's the log:

Malwarebytes' Anti-Malware 1.17
Database version: 857

12:53:07 PM 15/06/2008
mbam-log-6-15-2008 (12-53-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 134684
Time elapsed: 36 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


And here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:40 PM, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\snake_mearano.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCDrSmartMonitor] "C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" -r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT ACR] C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7996 bytes

Thanks again.
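A helper reads a HijackThis log section by section and picks out the entries worth checking by hand (AppInit_DLLs and other O20 loaders, ActiveX downloads with no name, dangling file references). The script below, an added example that is not part of HijackThis, Spybot or this thread, parses a log in that format and tags such entries for review. The sample input is a constructed subset of lines copied from the log posted above; the tags are review prompts, not verdicts (the O20 entry it marks here is AVG's own avgrsstx.dll, and the helper's reading of the full log as clean stands).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis 2.0.2 log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:40 PM, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
--
End of file - 7996 bytes
"""

# HJT entries look like "O16 - DPF: ..." or "R0 - HKCU\...": a letter, a number, " - ", the body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


@dataclass
class Entry:
    kind: str                  # section code, e.g. "O2", "O16", "O20"
    body: str                  # everything after "Oxx - "
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Split a HijackThis log into (header lines, running processes, entries)."""
    header, processes, entries = [], [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append(Entry(m.group(1), m.group(2)))
            continue
        if section == "processes":
            processes.append(line)
        elif section == "header":
            header.append(line)
        # trailer lines ("--", "End of file - N bytes") fall through and are ignored
    return header, processes, entries


def review(entry):
    """Attach the reasons a helper would look at this entry by hand. These are prompts, not verdicts."""
    flags = []
    if entry.kind == "O20":
        flags.append("O20 (AppInit_DLLs / Winlogon Notify) loads into many processes; confirm the DLL's publisher")
    if entry.kind == "O16" and "(" not in entry.body:
        flags.append("O16 ActiveX download with no object name or source URL")
    if "(file missing)" in entry.body:
        flags.append("references a file that no longer exists")
    if entry.kind in ("O2", "O3") and "(no name)" in entry.body:
        flags.append("unnamed BHO or toolbar")
    entry.flags = flags
    return flags


def triage(text):
    """Parse a log, review every entry, and return a summary a helper can scan quickly."""
    header, processes, entries = parse_hjt(text)
    for e in entries:
        review(e)
    return {
        "header": header,
        "processes": len(processes),
        "entries": len(entries),
        "flagged": [(e.kind, e.body, e.flags) for e in entries if e.flags],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['processes']} processes, {summary['entries']} entries")
    for kind, body, flags in summary["flagged"]:
        print(f"[{kind}] {body}\n    -> {'; '.join(flags)}")
```

Running it on the sample lists the O9 entry with the missing HP help file, the nameless O16 download and the O20 AppInit_DLLs line, which are the same three items a helper would pause on in the full log before reading everything else as known-good software.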

pskelley
2008-06-16, 15:13
Thanks for returning your information and the feedback. That new HJT log is clean, and MBAM removed a Vundo file we missed. If your computer is running malware-free, here is information to help you keep it that way.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

snake_mearano
2008-06-16, 21:00
Thank you so much, I'm in debt for your help! Seriously!
My computer is completely fine again now!
And thank you for the information, I fully intend on reading every link. Thank you again.

I think I'll keep Anti-Malware, seems like the thing to do for future problems.

Thank you again!