hinow
2009-03-03, 01:52
Hello good people at Safer Networking! Can I give you the lowdown on what my problem is/has been before you read my hijack log? I'm a first timer. Thank you for Spybot, it's the only thing I've got running that I trust right now. I can't wait to PayPal you, but please help more if you can! I'm using my first computer, which I got in 04/05. Never a problem ever with viruses till now (09). I think this might have all started because I finally applied myself to trying to listen to all my music that's been on my comp that I haven't been able to listen to for the last couple of years. For two years I hadn't been able to listen to any of MY OWN music that I'd ripped to my comp from my own CDs. I think a Microsoft Automatic Update a couple of years ago screwed me somehow (WMP 8 to 9, or 9 to 10, or 10 to 11....??) or I allowed it to convert all my stuff to "wma". Anyhow, after years and hundreds of hours of trying, I somehow finally was able to convert all my music to "mp3" after stripping "DRM" using FairUse4WM.exe and dBpoweramp to convert to mp3. What a glorious day that was!! However, I was warned to turn off MS Update so I don't get screwed again; maybe that's where the problem started. Or maybe I got a virus from some songs that I'd downloaded from Limewire, which I'd downloaded to listen to because friggin' Microsoft had kept me from listening to my own. Or maybe I picked something up installing/uninstalling programs during the ordeal of trying to find something to help me listen to my music library again. Anyways........
So now I have "problems". The comp seems a little slower. Sometimes when I boot, like every other time, it says, "Warning! The system has recovered from a serious error! Do you want to report this to Microsoft..." etc., etc.
My Symantec runs once a week as scheduled, but I can no longer manually run scans; I get "Could not start scan, Scan engine returned error 0x20000058". I've spent time trying to address this error doing Google searches that say to stop/start various services, but that doesn't work. It appears a virus has disabled my manual Symantec scanning.
I then decided to turn Microsoft Update back on; however, now I'm unable to do that either. When I try to do the Express or Custom install from Microsoft Update it says "[Error number: 0x800704DD] The website has encountered a problem and cannot display the page you are trying to view." So apparently maybe a virus has disabled my MS updating somehow. I believe, if I recall, that I've tried to follow some Google web-search related help, again doing stop/start stuff with 'services', i.e., run: srvces, etc., etc., but again not helping.
So basically now I just run Spybot every day as my only defense. It appears that Symantec may still be working in the background, because every day I got a couple of Symantec pop-up warnings about virus threats it detected and deleted or quarantined; e.g., here is a log exported from Symantec's 'threat history' to Excel and then to here. Hope it comes to you in a good linear format. Your "Before You Post" sticky says not to use the wraparound stuff, so I hope it's readable. Of these virus threats, what caught my eye is that it appears that maybe the virus named kmlpgree.dll, a 'Trojan.Vundo' which I've highlighted in bold and which auto-scan popped up hundreds of times for, may not have been removed. Also, all these threats were listed as type 'File' except for one listed as 'File; Heuristics', whatever that means, which I've highlighted in bold. Also, it appears this all may have started about the 10th of February, but I've of course since cleared my IE cache and done Disk Cleanup. Also, I note a lot of these threats seem to be in system32 or System Volume Information\_restore......
One of the main problems I notice now is that every time I start my computer it says that it can't find an important file called C:\Windows\system32\bxuoydoe.dll. I think if I can figure out how to replace this file it may be the clue to getting everything else working again, but I can't find the file on Google, etc. I tried doing a system boot using my original XP Pro system disks to see if there was a function for restoring single files like this, but nothing that I tried worked. I couldn't get the 'Recovery Console' to show up in the command line. I also, as it were, apparently deleted all my 'System Restore' points automatically by 'turning off System Restore' based on some advice somewhere. That may sound bad, but I had earlier tried to do a 'System Restore' myself to the earliest known good restore point and it wouldn't let me anyway, so I figure some unscrupulous virus screwed my System Restore capability anyway. So that's the history here, "in a nutshell". Below you'll find first the "threat history" from Symantec, next the "hijack log"; next I was gonna include the 'recovery history' from Spybot, but there's no way to copy that to the clipboard or export it (you might want to allow that, for future reference), so I'll just have to mention that when I've run Spybot, aside from the usual cookie/adware stuff it routinely catches, it seems like it's been catching the 'Virtumonde' and/or the 'Virtumonde.prx' virus a lot. The last one it caught, as of yesterday, was Virtumonde.prx, with this checkbox info: Autorun settings (c468408a3); HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c468408a3. Seems like this might have something to do with the 'bxuoydoe.dll' missing entry I noted before. Also, after the hijack log I've included the Spybot System Startup export file, and I'd note again that the same info having to do with the 'value' c46840a3 and the bxuoydoe.dll seems to be cropping up, which I highlighted in bold again.
I tried to 'toggle' or check/uncheck some of these last week to see if I could get the 'bxuoydoe.dll' file working again that my computer on startup always says is missing, and I'm never quite sure if I should 'allow' or 'deny' the change when the Spybot popup asking me to allow or deny pops up. Anyhow, it seems I may have turned off some other stuff like my printer, Adobe, etc., etc. Last, I have included the Spybot 'Resident' log for you of recent activity. Anyhow, hope someone there can make sense of this; it would be much appreciated, and I'd much rather donate to Spybot than have to take my chances and/or pay for some 'registry editor' or 'dll' fix thingy, etc., etc. Thanks a lot, forum name: hinow
SYMANTEC THREAT HISTORY
Date Filename Threat Threat Type Original Location Current Location
3/2/2009 11:20 A0080888.exe W32.Spamuzle.D File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP509\ Deleted
3/2/2009 6:31 azton.mt W32.Spamuzle.D File C:\WINDOWS\system32\ Deleted
3/1/2009 19:00 ypuweg.exe W32.Spamuzle.D File C:\ Deleted
2/28/2009 14:23 eicar.com EICAR Test String File C:\Documents and Settings\first user account\Desktop\ Deleted
2/28/2009 2:44 A0077621.dll Trojan Horse File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP504\ Quarantine
2/27/2009 21:11 A0077620.scr Backdoor.Trojan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP504\ Deleted
2/27/2009 17:18 A0077619.exe Backdoor.Trojan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP504\ Deleted
2/27/2009 0:31 cwxwwgtl.exe Trojan Horse File C:\ Quarantine
2/26/2009 13:13 wrhhchhm.dll Trojan Horse File C:\WINDOWS\system32\ Quarantine
2/26/2009 13:12 nvaux32.dll Trojan Horse File C:\WINDOWS\system32\ Quarantine
2/26/2009 13:11 xccefb090131.scr Backdoor.Trojan File C:\WINDOWS\system32\inf\ Quarantine
2/26/2009 13:09 xccef090131.exe Backdoor.Trojan File C:\WINDOWS\system\ Quarantine
2/26/2009 12:58 A0077570.dll Packed.Generic.200 File; Heuristics C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP503\ Quarantine
2/25/2009 16:23 UACtdiqtkle.dll Packed.Generic.200 File C:\WINDOWS\system32\ Deleted
2/22/2009 18:59 A0077464.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP499\ Deleted
2/22/2009 17:23 A0077463.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP499\ Deleted
2/21/2009 16:21 isetdz.dll Trojan.Vundo File C:\WINDOWS\system32\ Deleted
2/21/2009 16:21 bsbplilq.dll Trojan.Vundo File C:\WINDOWS\system32\ Deleted
2/19/2009 14:31 A0076356.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP492\ Deleted
2/19/2009 14:05 A0076355.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP492\ Deleted
2/19/2009 12:34 nwxway.dll Trojan.Vundo File C:\WINDOWS\system32\ Quarantine
2/19/2009 12:33 kjvwmdhg.dll Trojan.Vundo File C:\WINDOWS\system32\ Quarantine
2/19/2009 0:10 A0073286.dll Trojan.Metajuan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 23:10 A0073285.dll Packed.Generic.200 File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 22:10 A0073284.dll Packed.Generic.200 File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 21:10 A0073283.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 11:34 ytuareun.dll Trojan.Metajuan File C:\WINDOWS\system32\ Deleted
2/18/2009 11:33 UACyqjbtoqx.dll Packed.Generic.200 File C:\WINDOWS\system32\ Deleted
2/18/2009 11:33 UACivrmpxdo.dll Packed.Generic.200 File C:\WINDOWS\system32\ Deleted
2/18/2009 11:32 dynopyxl.dll Trojan.Vundo File C:\WINDOWS\system32\ Deleted
2/18/2009 11:30 A0070182.dll Trojan.Metajuan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP489\ Deleted
2/17/2009 19:15 PDATTC.DLL Trojan.Metajuan File C:\WINDOWS\SYSTEM32\ Deleted
2/17/2009 19:08 A0070178.dll Packed.Generic.200 File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 18:08 A0070177.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 17:08 A0070174.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 16:08 A0070173.sys Hacktool.Rootkit File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 15:13 UACRFUOYIWQ.DLL Packed.Generic.200 File C:\WINDOWS\SYSTEM32\ Deleted
2/17/2009 15:07 PEHYEV.DLL Trojan.Vundo File C:\WINDOWS\SYSTEM32\ Deleted
2/17/2009 15:04 UAColtmxeht.sys Hacktool.Rootkit File C:\WINDOWS\system32\drivers\ Deleted
2/14/2009 14:30 xyephkl.exe Trojan.Dropper File C:\ Deleted
2/14/2009 14:30 bbsuper3[1].htm Trojan.Dropper File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\SA58RJ56\ Deleted
2/14/2009 14:30 dykhyp.exe Trojan Horse File C:\ Quarantine
2/14/2009 14:30 bbsuper2[1].htm Trojan Horse File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\FB2EUXO5\ Quarantine
2/14/2009 14:30 xccdf16_090131a.dll Trojan Horse File C:\WINDOWS\ Quarantine
2/14/2009 14:30 xccdfb16_090131.dll Trojan Horse File C:\WINDOWS\system32\inf\ Quarantine
2/14/2009 14:30 xccdf32_090131a.dll W32.Hitapop File C:\WINDOWS\ Deleted
2/14/2009 14:30 flirxnj.exe Downloader File C:\ Deleted
2/14/2009 14:30 khreff[1].htm Downloader File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\2G3BDBDO\ Deleted
2/14/2009 14:30 flirxnj.exe Downloader File C:\ Deleted
2/14/2009 14:30 khreff[1].htm Downloader File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\FB2EUXO5\ Deleted
2/14/2009 14:29 Mdaxagesagub.dll Trojan Horse File C:\WINDOWS\ Quarantine
2/14/2009 0:56 A0069181.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP487\ Deleted
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/12/2009 12:11 divx20[1] Trojan.Vundo File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\IA2M6OBV\ Quarantine
2/10/2009 2:28 img[1] Trojan.Metajuan File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\6XGSC7XY\ C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\6XGSC7XY\
2/10/2009 2:21 apstpldr.dll[1].htm Trojan.Vundo File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\G24JGBSS\ Deleted
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:00 PM, on 3/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\first user account\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CBTB00001 - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\toolbars\SKYPEF~1\toolbar.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {f7aa622f-04d1-3458-cd04-a17a22863026} - {62036822-a71a-40dc-8543-1d40f226aa7f} - C:\WINDOWS\system32\pehyev.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O4 - HKLM\..\Run: [c46840a3] rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: GN-WP01GS Utility.lnk.disabled
O4 - Global Startup: HP OfficeJet T Series Startup.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: QuickPost - http://www.investorplaceblogs.com/cgi-bin/mt.cgi?__mode=reg_bm_js&bm_height=920&bm_show=t%2Cc%2Cac%2Cap%2Ccb%2Ce%2Cm%2Ck%2Ctg%2Cb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O15 - Trusted Zone: http://video.msn.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: www.ncs.com
O15 - Trusted Zone: www.epenslot04.ic.ncs.com
O15 - Trusted Zone: www.ic.ncs.com
O15 - Trusted Zone: www.ncspearson.com
O15 - Trusted Zone: www.pearson.com
O15 - Trusted Zone: http://www.flexiblescoring-act.pearson.com
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://oxps.webex.com/client/T26L/event/ieatgpc.cab
O20 - AppInit_DLLs: pehyev.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c963b2ee80eec) (gupdate1c963b2ee80eec) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - http://www.laetitiacastaonline.com/series0%20maillot/laetitia0003.jpg
O24 - Desktop Component 1: (no name) - http://jobs.uiowa.edu/template/hrHome/graphics/background_tile.gif
O24 - Desktop Component 2: (no name) - http://sthumbnails.match.com/sthumbnails/47/75/35144775A.jpeg
O24 - Desktop Component 3: (no name) - http://sthumbnails.match.com/sthumbnails/74/05/40647405A.jpeg
--
End of file - 8245 bytes
SPYBOT Export File - System Startup
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-02-26 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-22 Includes\Adware.sbi
2009-01-22 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-01-06 Includes\Dialer.sbi
2009-01-22 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-02-10 Includes\Hijackers.sbi
2009-02-10 Includes\HijackersC.sbi
2008-12-09 Includes\Keyloggers.sbi
2009-02-17 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-02-24 Includes\Malware.sbi
2009-02-24 Includes\MalwareC.sbi
2008-12-16 Includes\PUPS.sbi
2009-02-24 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-02-10 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-01-28 Includes\Spyware.sbi
2009-01-28 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2009-02-24 Includes\Trojans.sbi
2009-02-24 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Located: HK_LM:Run, c46840a3
command: rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b
file: C:\WINDOWS\system32\bxuoydoe.dll size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, c46840a3 (DISABLED)
command: rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b
file: C:\WINDOWS\system32\bxuoydoe.dll size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, ccApp (DISABLED)
command: "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: c:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 66680
MD5: 05A76D9DD303DEF4DCC8EE18EE8C58B9
Located: HK_LM:Run, NvCplDaemon (DISABLED)
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\NvCpl.dll
size: 4841472
MD5: 1D04D352F6E82C18D958B873EF3E3215
Located: HK_LM:Run, nwiz (DISABLED)
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 323584
MD5: 5D8D50D90CBF3B5CC32100425545394A
Located: HK_LM:Run, PtiuPbmd (DISABLED)
command: Rundll32.exe ptipbm.dll,SetWriteBack
file: C:\WINDOWS\system32\ptipbm.dll
size: 24576
MD5: A5781BF1DB046648F03D6ED4FEF92796
Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: F34EB5D4F145ED5FE50033CA3A41ED24
Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
file: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
size: 83608
MD5: 9C1C80BBF8E6044980890E2D2D91091C
Located: HK_LM:Run, vptray (DISABLED)
command: c:\PROGRA~1\SYMANT~1\VPTray.exe
file: c:\PROGRA~1\SYMANT~1\VPTray.exe
size: 124232
MD5: 46AF9457FF9D22A5832490C546169363
Located: HK_CU:Run, CommCtr
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
file: C:\PROGRA~1\NET2PH~1\CommCtr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ctfmon.exe
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, SpybotSD TeaTimer
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1
Located: HK_CU:Run, Steam
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Valve\Steam\Steam.exe -silent
file: C:\Valve\Steam\Steam.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, CommCtr (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
file: C:\PROGRA~1\NET2PH~1\CommCtr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, NVIEW (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: rundll32.exe nview.dll,nViewLoadHook
file: C:\WINDOWS\system32\nview.dll
size: 852038
MD5: 50E7B8475B394389D26ED552C772EADB
Located: HK_CU:Run, NvMediaCenter (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
file: C:\WINDOWS\system32\NVMCTRAY.DLL
size: 49152
MD5: E00C45ED7E7B869DC7C13D534BA16938
Located: HK_CU:Run, SpybotSD TeaTimer (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1
Located: HK_CU:Run, Steam (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Valve\Steam\Steam.exe -silent
file: C:\Valve\Steam\Steam.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (common), Adobe Reader Speed Launch.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: DFCB9ADE94A4F8A7C42EEF41101A30AD
Located: Startup (common), GN-WP01GS Utility.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe
file: C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe
size: 720896
MD5: C219B3E34E323214F4FF6FF52A31B82E
Located: Startup (common), HP OfficeJet T Series Startup.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
file: C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
size: 1175552
MD5: F8578193D3F323934AF37189FF50B939
Located: WinLogon, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, dimsntfy (DISABLED)
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, navlogon (DISABLED)
command: c:\WINDOWS\system32\NavLogon.dll
file: c:\WINDOWS\system32\NavLogon.dll
size: 83272
MD5: 0C08E4D83ED6DDF9DB4D683ADC03AE35
Located: WinLogon, sccertprop (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, senslogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wgalogon (DISABLED)
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
SPYBOT 'RESIDENT' LOG
2/19/2009 8:21:48 AM Allowed (based on lassh blacklist) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
2/19/2009 1:19:12 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/19/2009 4:05:22 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/19/2009 7:55:37 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:50:11 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:52:28 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:52:42 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:58:04 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/20/2009 9:58:20 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") added in System Startup global entry!
2/20/2009 9:58:21 PM Allowed (based on lassh blacklist) value "NvMediaCenter" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:03 PM Denied (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:08 PM Denied (based on user decision) value "CommCtr" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:09 PM Denied (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:10 PM Denied (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "ccApp" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "vptray" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "NvCplDaemon" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "nwiz" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "PtiuPbmd" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:12 PM Denied (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:12 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:12 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:33 PM Allowed (based on user decision) value "crypt32chain" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:08 PM Allowed (based on user decision) value "cryptnet" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:10 PM Allowed (based on user decision) value "cscdll" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:11 PM Allowed (based on user decision) value "dimsntfy" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:13 PM Allowed (based on user decision) value "NavLogon" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:14 PM Allowed (based on user decision) value "ScCertProp" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:16 PM Allowed (based on user decision) value "Schedule" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:17 PM Allowed (based on user decision) value "sclgntfy" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:18 PM Allowed (based on user decision) value "SensLogn" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:20 PM Allowed (based on user decision) value "termsrv" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:22 PM Allowed (based on user decision) value "WgaLogon" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:24 PM Allowed (based on user decision) value "wlballoon" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:25 PM Allowed (based on lassh blacklist) value "NVIEW" (new data: "") deleted in System Startup user entry!
2/21/2009 4:08:51 PM Allowed (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
2/21/2009 4:08:55 PM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
2/21/2009 4:09:01 PM Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
2/21/2009 4:09:07 PM Allowed (based on user decision) value "CommCtr" (new data: "") deleted in System Startup user entry!
2/21/2009 4:09:15 PM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
2/21/2009 4:09:17 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/21/2009 4:09:29 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/21/2009 4:09:44 PM Allowed (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll"") changed in System Startup global entry!
2/21/2009 4:09:50 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/21/2009 4:10:31 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/26/2009 10:09:28 PM Allowed (based on lassh blacklist) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
2/26/2009 10:26:29 PM Allowed (based on user decision) value "CommCtr" (new data: "C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto") added in System Startup user entry!
2/26/2009 10:26:31 PM Allowed (based on user decision) value "Steam" (new data: "C:\Valve\Steam\Steam.exe -silent") added in System Startup user entry!
2/26/2009 10:26:32 PM Allowed (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b") changed in System Startup global entry!
2/27/2009 1:42:35 AM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/27/2009 1:45:27 AM Denied (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
2/27/2009 1:45:31 AM Denied (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
2/27/2009 1:45:37 AM Denied (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
2/27/2009 1:45:38 AM Denied (based on user decision) value "CommCtr" (new data: "") deleted in System Startup user entry!
2/27/2009 1:46:13 AM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
3/1/2009 11:05:52 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
3/1/2009 11:09:22 PM Denied (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll"") changed in System Startup global entry!
3/1/2009 11:54:53 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
3/2/2009 5:37:07 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
I then decided to turn Microsoft Update back on; however, now I'm unable to do that either. When I try to do the Express or Custom install from Microsoft Update it says "[Error number: 0x800704DD] The website has encountered a problem and cannot display the page you are trying to view." So apparently maybe a virus has disabled my MS updating somehow. I believe, if I recall, that I've tried to follow some Google web-search related help again, doing stop/start stuff with 'services', i.e., run: srvces, etc., etc., but again not helping.
So basically now I just run Spybot every day as my only defense. It appears that Symantec may still be working in the background, because every day I got a couple of Symantec pop-up warnings about virus threats it detected and deleted or quarantined; e.g., here is a log exported from Symantec's 'threat history' to Excel and then to here. Hope it comes to you in a good linear format. Your "Before You Post" sticky says not to use the wraparound stuff, so I hope it's readable. Of these virus threats, what caught my eye is that it appears that maybe the virus named kmlpgree.dll - a 'Trojan Vundo' which I've highlighted in bold and which the auto-scan popped up hundreds of times for - may not have been removed. Also, all these threats were listed with type 'file' except for one listed as 'file-heuristics', whatever that means, which I've highlighted in bold. Also, it appears this all may have started about the 10th of February, but I've of course since cleared my IE cache and done Disk Cleanup. Also, I note a lot of these threats seem to be in system32 or System Volume Information \ restore......
One of the main problems I notice now is that every time I start my computer it says that it can't find an important file called C:\Windows\system32\bxuoydoe.dll. I think if I can figure out how to replace this file it may be the clue to getting everything else working again, but I can't find the file on Google, etc. I tried doing a system boot using my original XP Pro system disks to see if there was a function for restoring single files like this, but nothing that I tried worked. I couldn't get the 'Recovery Console' to show up in the command line. I also, as it were, apparently deleted all my 'System Restore' points automatically by 'turning off System Restore' based on some advice somewhere. That may sound bad, but I had earlier tried to do a 'System Restore' myself to the earliest known good restore point and it wouldn't let me anyway, so I figure some unscrupulous virus screwed my System Restore capability anyway. So that's the history here, "in a nutshell". Below you'll find first the "threat history" from Symantec, next the "hijack log"; next I was gonna include the 'recovery history' from Spybot, but there's no way to copy that to the clipboard or export it (you might want to allow that - for future reference), so I'll just have to mention that when I've run Spybot, aside from the usual cookie/adware stuff it routinely catches, it seems like it's been catching the 'Virtumonde' and/or the 'Virtumonde.prx' virus a lot. The last one it caught, as of yesterday, was Virtumonde.prx, with this checkbox info: Autorun settings (c468408a3); HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c468408a3. Seems like this might have something to do with the 'bxuoydoe.dll' missing entry I noted before. Also, after the hijack log I've included the Spybot System Startup export file, and I'd note again that the same info having to do with the 'value' c46840a3 and the bxuoydoe.dll seems to be cropping up, which I highlighted in bold again.
I tried to 'toggle' or check/uncheck some of these last week to see if I could get the 'bxuoydoe.dll' file working again that my computer on startup always says is missing, and I'm never quite sure if I should 'allow' or 'deny' the change when the Spybot popup asking me to allow or deny pops up. Anyhow, it seems I may have turned off some other stuff like my printer, Adobe, etc., etc. Last, I have included the Spybot 'Resident' log for you of recent activity. Anyhow, hope someone there can make sense of this; it would be much appreciated, and I'd much rather donate to Spybot than have to take my chances and/or pay for some 'registry editor' or 'dll' fix thingy, etc., etc. Thanks a lot, forum name: hinow
SYMANTEC THREAT HISTORY
Date Filename Threat Threat Type Original Location Current Location
3/2/2009 11:20 A0080888.exe W32.Spamuzle.D File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP509\ Deleted
3/2/2009 6:31 azton.mt W32.Spamuzle.D File C:\WINDOWS\system32\ Deleted
3/1/2009 19:00 ypuweg.exe W32.Spamuzle.D File C:\ Deleted
2/28/2009 14:23 eicar.com EICAR Test String File C:\Documents and Settings\first user account\Desktop\ Deleted
2/28/2009 2:44 A0077621.dll Trojan Horse File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP504\ Quarantine
2/27/2009 21:11 A0077620.scr Backdoor.Trojan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP504\ Deleted
2/27/2009 17:18 A0077619.exe Backdoor.Trojan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP504\ Deleted
2/27/2009 0:31 cwxwwgtl.exe Trojan Horse File C:\ Quarantine
2/26/2009 13:13 wrhhchhm.dll Trojan Horse File C:\WINDOWS\system32\ Quarantine
2/26/2009 13:12 nvaux32.dll Trojan Horse File C:\WINDOWS\system32\ Quarantine
2/26/2009 13:11 xccefb090131.scr Backdoor.Trojan File C:\WINDOWS\system32\inf\ Quarantine
2/26/2009 13:09 xccef090131.exe Backdoor.Trojan File C:\WINDOWS\system\ Quarantine
2/26/2009 12:58 A0077570.dll Packed.Generic.200 File; Heuristics C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP503\ Quarantine
2/25/2009 16:23 UACtdiqtkle.dll Packed.Generic.200 File C:\WINDOWS\system32\ Deleted
2/22/2009 18:59 A0077464.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP499\ Deleted
2/22/2009 17:23 A0077463.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP499\ Deleted
2/21/2009 16:21 isetdz.dll Trojan.Vundo File C:\WINDOWS\system32\ Deleted
2/21/2009 16:21 bsbplilq.dll Trojan.Vundo File C:\WINDOWS\system32\ Deleted
2/19/2009 14:31 A0076356.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP492\ Deleted
2/19/2009 14:05 A0076355.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP492\ Deleted
2/19/2009 12:34 nwxway.dll Trojan.Vundo File C:\WINDOWS\system32\ Quarantine
2/19/2009 12:33 kjvwmdhg.dll Trojan.Vundo File C:\WINDOWS\system32\ Quarantine
2/19/2009 0:10 A0073286.dll Trojan.Metajuan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 23:10 A0073285.dll Packed.Generic.200 File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 22:10 A0073284.dll Packed.Generic.200 File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 21:10 A0073283.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 11:34 ytuareun.dll Trojan.Metajuan File C:\WINDOWS\system32\ Deleted
2/18/2009 11:33 UACyqjbtoqx.dll Packed.Generic.200 File C:\WINDOWS\system32\ Deleted
2/18/2009 11:33 UACivrmpxdo.dll Packed.Generic.200 File C:\WINDOWS\system32\ Deleted
2/18/2009 11:32 dynopyxl.dll Trojan.Vundo File C:\WINDOWS\system32\ Deleted
2/18/2009 11:30 A0070182.dll Trojan.Metajuan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP489\ Deleted
2/17/2009 19:15 PDATTC.DLL Trojan.Metajuan File C:\WINDOWS\SYSTEM32\ Deleted
2/17/2009 19:08 A0070178.dll Packed.Generic.200 File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 18:08 A0070177.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 17:08 A0070174.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 16:08 A0070173.sys Hacktool.Rootkit File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 15:13 UACRFUOYIWQ.DLL Packed.Generic.200 File C:\WINDOWS\SYSTEM32\ Deleted
2/17/2009 15:07 PEHYEV.DLL Trojan.Vundo File C:\WINDOWS\SYSTEM32\ Deleted
2/17/2009 15:04 UAColtmxeht.sys Hacktool.Rootkit File C:\WINDOWS\system32\drivers\ Deleted
2/14/2009 14:30 xyephkl.exe Trojan.Dropper File C:\ Deleted
2/14/2009 14:30 bbsuper3[1].htm Trojan.Dropper File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\SA58RJ56\ Deleted
2/14/2009 14:30 dykhyp.exe Trojan Horse File C:\ Quarantine
2/14/2009 14:30 bbsuper2[1].htm Trojan Horse File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\FB2EUXO5\ Quarantine
2/14/2009 14:30 xccdf16_090131a.dll Trojan Horse File C:\WINDOWS\ Quarantine
2/14/2009 14:30 xccdfb16_090131.dll Trojan Horse File C:\WINDOWS\system32\inf\ Quarantine
2/14/2009 14:30 xccdf32_090131a.dll W32.Hitapop File C:\WINDOWS\ Deleted
2/14/2009 14:30 flirxnj.exe Downloader File C:\ Deleted
2/14/2009 14:30 khreff[1].htm Downloader File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\2G3BDBDO\ Deleted
2/14/2009 14:30 flirxnj.exe Downloader File C:\ Deleted
2/14/2009 14:30 khreff[1].htm Downloader File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\FB2EUXO5\ Deleted
2/14/2009 14:29 Mdaxagesagub.dll Trojan Horse File C:\WINDOWS\ Quarantine
2/14/2009 0:56 A0069181.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP487\ Deleted
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/12/2009 12:11 divx20[1] Trojan.Vundo File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\IA2M6OBV\ Quarantine
2/10/2009 2:28 img[1] Trojan.Metajuan File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\6XGSC7XY\ C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\6XGSC7XY\
2/10/2009 2:21 apstpldr.dll[1].htm Trojan.Vundo File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\G24JGBSS\ Deleted
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:00 PM, on 3/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\first user account\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CBTB00001 - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\toolbars\SKYPEF~1\toolbar.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {f7aa622f-04d1-3458-cd04-a17a22863026} - {62036822-a71a-40dc-8543-1d40f226aa7f} - C:\WINDOWS\system32\pehyev.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O4 - HKLM\..\Run: [c46840a3] rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: GN-WP01GS Utility.lnk.disabled
O4 - Global Startup: HP OfficeJet T Series Startup.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: QuickPost - http://www.investorplaceblogs.com/cgi-bin/mt.cgi?__mode=reg_bm_js&bm_height=920&bm_show=t%2Cc%2Cac%2Cap%2Ccb%2Ce%2Cm%2Ck%2Ctg%2Cb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O15 - Trusted Zone: http://video.msn.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: www.ncs.com
O15 - Trusted Zone: www.epenslot04.ic.ncs.com
O15 - Trusted Zone: www.ic.ncs.com
O15 - Trusted Zone: www.ncspearson.com
O15 - Trusted Zone: www.pearson.com
O15 - Trusted Zone: http://www.flexiblescoring-act.pearson.com
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://oxps.webex.com/client/T26L/event/ieatgpc.cab
O20 - AppInit_DLLs: pehyev.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c963b2ee80eec) (gupdate1c963b2ee80eec) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - http://www.laetitiacastaonline.com/series0%20maillot/laetitia0003.jpg
O24 - Desktop Component 1: (no name) - http://jobs.uiowa.edu/template/hrHome/graphics/background_tile.gif
O24 - Desktop Component 2: (no name) - http://sthumbnails.match.com/sthumbnails/47/75/35144775A.jpeg
O24 - Desktop Component 3: (no name) - http://sthumbnails.match.com/sthumbnails/74/05/40647405A.jpeg
--
End of file - 8245 bytes
SPYBOT Export File - System Startup
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-02-26 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-22 Includes\Adware.sbi
2009-01-22 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-01-06 Includes\Dialer.sbi
2009-01-22 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-02-10 Includes\Hijackers.sbi
2009-02-10 Includes\HijackersC.sbi
2008-12-09 Includes\Keyloggers.sbi
2009-02-17 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-02-24 Includes\Malware.sbi
2009-02-24 Includes\MalwareC.sbi
2008-12-16 Includes\PUPS.sbi
2009-02-24 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-02-10 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-01-28 Includes\Spyware.sbi
2009-01-28 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2009-02-24 Includes\Trojans.sbi
2009-02-24 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Located: HK_LM:Run, c46840a3
command: rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b
file: C:\WINDOWS\system32\bxuoydoe.dll size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, c46840a3 (DISABLED)
command: rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b
file: C:\WINDOWS\system32\bxuoydoe.dll size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, ccApp (DISABLED)
command: "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: c:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 66680
MD5: 05A76D9DD303DEF4DCC8EE18EE8C58B9
Located: HK_LM:Run, NvCplDaemon (DISABLED)
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\NvCpl.dll
size: 4841472
MD5: 1D04D352F6E82C18D958B873EF3E3215
Located: HK_LM:Run, nwiz (DISABLED)
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 323584
MD5: 5D8D50D90CBF3B5CC32100425545394A
Located: HK_LM:Run, PtiuPbmd (DISABLED)
command: Rundll32.exe ptipbm.dll,SetWriteBack
file: C:\WINDOWS\system32\ptipbm.dll
size: 24576
MD5: A5781BF1DB046648F03D6ED4FEF92796
Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: F34EB5D4F145ED5FE50033CA3A41ED24
Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
file: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
size: 83608
MD5: 9C1C80BBF8E6044980890E2D2D91091C
Located: HK_LM:Run, vptray (DISABLED)
command: c:\PROGRA~1\SYMANT~1\VPTray.exe
file: c:\PROGRA~1\SYMANT~1\VPTray.exe
size: 124232
MD5: 46AF9457FF9D22A5832490C546169363
Located: HK_CU:Run, CommCtr
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
file: C:\PROGRA~1\NET2PH~1\CommCtr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ctfmon.exe
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, SpybotSD TeaTimer
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1
Located: HK_CU:Run, Steam
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Valve\Steam\Steam.exe -silent
file: C:\Valve\Steam\Steam.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, CommCtr (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
file: C:\PROGRA~1\NET2PH~1\CommCtr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, NVIEW (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: rundll32.exe nview.dll,nViewLoadHook
file: C:\WINDOWS\system32\nview.dll
size: 852038
MD5: 50E7B8475B394389D26ED552C772EADB
Located: HK_CU:Run, NvMediaCenter (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
file: C:\WINDOWS\system32\NVMCTRAY.DLL
size: 49152
MD5: E00C45ED7E7B869DC7C13D534BA16938
Located: HK_CU:Run, SpybotSD TeaTimer (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1
Located: HK_CU:Run, Steam (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Valve\Steam\Steam.exe -silent
file: C:\Valve\Steam\Steam.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (common), Adobe Reader Speed Launch.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: DFCB9ADE94A4F8A7C42EEF41101A30AD
Located: Startup (common), GN-WP01GS Utility.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe
file: C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe
size: 720896
MD5: C219B3E34E323214F4FF6FF52A31B82E
Located: Startup (common), HP OfficeJet T Series Startup.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
file: C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
size: 1175552
MD5: F8578193D3F323934AF37189FF50B939
Located: WinLogon, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, dimsntfy (DISABLED)
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, navlogon (DISABLED)
command: c:\WINDOWS\system32\NavLogon.dll
file: c:\WINDOWS\system32\NavLogon.dll
size: 83272
MD5: 0C08E4D83ED6DDF9DB4D683ADC03AE35
Located: WinLogon, sccertprop (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, senslogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wgalogon (DISABLED)
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
SPYBOT 'RESIDENT' LOG
2/19/2009 8:21:48 AM Allowed (based on lassh blacklist) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
2/19/2009 1:19:12 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/19/2009 4:05:22 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/19/2009 7:55:37 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:50:11 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:52:28 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:52:42 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:58:04 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/20/2009 9:58:20 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") added in System Startup global entry!
2/20/2009 9:58:21 PM Allowed (based on lassh blacklist) value "NvMediaCenter" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:03 PM Denied (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:08 PM Denied (based on user decision) value "CommCtr" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:09 PM Denied (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:10 PM Denied (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "ccApp" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "vptray" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "NvCplDaemon" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "nwiz" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "PtiuPbmd" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:12 PM Denied (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:12 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:12 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:33 PM Allowed (based on user decision) value "crypt32chain" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:08 PM Allowed (based on user decision) value "cryptnet" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:10 PM Allowed (based on user decision) value "cscdll" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:11 PM Allowed (based on user decision) value "dimsntfy" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:13 PM Allowed (based on user decision) value "NavLogon" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:14 PM Allowed (based on user decision) value "ScCertProp" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:16 PM Allowed (based on user decision) value "Schedule" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:17 PM Allowed (based on user decision) value "sclgntfy" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:18 PM Allowed (based on user decision) value "SensLogn" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:20 PM Allowed (based on user decision) value "termsrv" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:22 PM Allowed (based on user decision) value "WgaLogon" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:24 PM Allowed (based on user decision) value "wlballoon" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:25 PM Allowed (based on lassh blacklist) value "NVIEW" (new data: "") deleted in System Startup user entry!
2/21/2009 4:08:51 PM Allowed (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
2/21/2009 4:08:55 PM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
2/21/2009 4:09:01 PM Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
2/21/2009 4:09:07 PM Allowed (based on user decision) value "CommCtr" (new data: "") deleted in System Startup user entry!
2/21/2009 4:09:15 PM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
2/21/2009 4:09:17 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/21/2009 4:09:29 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/21/2009 4:09:44 PM Allowed (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll"") changed in System Startup global entry!
2/21/2009 4:09:50 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/21/2009 4:10:31 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/26/2009 10:09:28 PM Allowed (based on lassh blacklist) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
2/26/2009 10:26:29 PM Allowed (based on user decision) value "CommCtr" (new data: "C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto") added in System Startup user entry!
2/26/2009 10:26:31 PM Allowed (based on user decision) value "Steam" (new data: "C:\Valve\Steam\Steam.exe -silent") added in System Startup user entry!
2/26/2009 10:26:32 PM Allowed (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b") changed in System Startup global entry!
2/27/2009 1:42:35 AM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/27/2009 1:45:27 AM Denied (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
2/27/2009 1:45:31 AM Denied (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
2/27/2009 1:45:37 AM Denied (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
2/27/2009 1:45:38 AM Denied (based on user decision) value "CommCtr" (new data: "") deleted in System Startup user entry!
2/27/2009 1:46:13 AM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
3/1/2009 11:05:52 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
3/1/2009 11:09:22 PM Denied (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll"") changed in System Startup global entry!
3/1/2009 11:54:53 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
3/2/2009 5:37:07 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
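Two patterns in the log above are worth pulling out mechanically rather than by eye: the startup-listing entries reported with `size: 0` and MD5 `D41D8CD98F00B204E9800998ECF8427E` (that is the MD5 of zero bytes, so Spybot hashed nothing, typically because the entry names a DLL without a path, as the WinLogon notifiers do, or the file was unreadable), and the `c46840a3` value that TeaTimer keeps deleting and that keeps coming back pointing at `rundll32.exe` loading `bxuoydoe.dll` from system32. The script below is an added example, not part of the original post or of Spybot; it parses both log formats as they appear above (the sample input is a subset of lines copied from the post), lists the unhashed entries so they can be hashed by hand, counts how often each autostart value was deleted, and flags any recurring value whose data runs rundll32 against a system32 DLL that is not on a small allowlist. The allowlist (the NVIDIA DLLs this listing loads the same way) and the deletion threshold are assumptions an analyst would tune.

```python
"""Flag what an analyst should check by hand in a Spybot S&D startup listing
and Resident (TeaTimer) log: entries Spybot never actually hashed, and
autostart values that keep coming back after being deleted."""
import hashlib
import re
from collections import Counter

# MD5 of zero bytes. Spybot reports this with "size: 0" whenever it hashed
# nothing (bare DLL name with no path, or an unreadable file).
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Subset of lines copied from the startup listing in the post above.
STARTUP_LISTING = r'''
Located: HK_LM:Run, vptray (DISABLED)
command: c:\PROGRA~1\SYMANT~1\VPTray.exe
file: c:\PROGRA~1\SYMANT~1\VPTray.exe
size: 124232
MD5: 46AF9457FF9D22A5832490C546169363
Located: HK_CU:Run, Steam
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Valve\Steam\Steam.exe -silent
file: C:\Valve\Steam\Steam.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
'''

# Subset of lines copied from the Resident log in the post above.
RESIDENT_LOG = r'''
2/19/2009 1:19:12 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:58:20 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") added in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "vptray" (new data: "") deleted in System Startup global entry!
2/21/2009 4:09:44 PM Allowed (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll"") changed in System Startup global entry!
2/21/2009 4:09:50 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/26/2009 10:26:32 PM Allowed (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b") changed in System Startup global entry!
2/27/2009 1:42:35 AM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
3/2/2009 5:37:07 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
'''

RESIDENT_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<basis>[^)]*)\) '
    r'value "(?P<name>[^"]+)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|changed|deleted) in (?P<where>.+)!$')

def parse_startup_listing(text):
    """Group each 'Located:' block into a dict; free-text lines go under 'notes'."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("Located:"):
            cur = {"located": line.split(":", 1)[1].strip(), "notes": []}
            entries.append(cur)
        elif cur is not None:
            key, sep, val = line.partition(": ")
            if sep and " " not in key:          # "size: 0", "MD5: ...", "Warning: ..."
                cur[key.lower()] = val.strip()
            elif line.strip():                  # continuation of the warning text
                cur["notes"].append(line.strip())
    return entries

def unhashed_entries(entries):
    """Entries whose hash is the hash of nothing: resolve and hash these yourself."""
    return [e["located"] for e in entries
            if e.get("size") == "0" and e.get("md5", "").upper() == EMPTY_MD5]

def parse_resident_log(text):
    return [m.groupdict() for m in map(RESIDENT_RE.match, text.splitlines()) if m]

def recurring_values(events, min_deletions=3):
    """Values deleted at least min_deletions times (assumed threshold): something
    keeps re-creating them. Returns {name: (deletions, last non-empty data)}."""
    deletions, last_data = Counter(), {}
    for ev in events:
        if ev["action"] == "deleted":
            deletions[ev["name"]] += 1
        elif ev["data"]:
            last_data[ev["name"]] = ev["data"]
    return {n: (c, last_data.get(n, "")) for n, c in deletions.items() if c >= min_deletions}

RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# DLLs this listing legitimately loads via rundll32 (NVIDIA tray helpers).
# Assumption: an analyst maintains this allowlist for the machine in question.
KNOWN_RUNDLL_DLLS = {"nview.dll", "nvmctray.dll"}

def rundll32_system32_loads(data):
    """True when the value runs rundll32 against a non-allowlisted DLL in system32."""
    m = RUNDLL_RE.search(data)
    if not m:
        return False
    path = m.group("dll").replace("/", "\\").lower()
    return "\\system32\\" in path and path.rsplit("\\", 1)[-1] not in KNOWN_RUNDLL_DLLS

def report(listing_text, resident_text):
    findings = {"unhashed": unhashed_entries(parse_startup_listing(listing_text)),
                "recurring": {}}
    for name, (count, data) in recurring_values(parse_resident_log(resident_text)).items():
        findings["recurring"][name] = {"deletions": count, "data": data,
                                       "rundll32_system32": rundll32_system32_loads(data)}
    return findings

if __name__ == "__main__":
    import json
    print(json.dumps(report(STARTUP_LISTING, RESIDENT_LOG), indent=2))
```

Run against the full log above, the recurring-value check isolates `c46840a3` and its last data string, and the unhashed list covers every WinLogon notifier plus the 0-byte `Steam` and `CommCtr` entries; neither finding is a verdict by itself, but both tell you which files to hash and submit, and which registry value to watch for the process that rewrites it.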