
Thread: Still a lot of viruses after running VundoFix: what to do?

  1. #1 Junior Member (Join Date: Nov 2007, Posts: 10)

    Still a lot of viruses after running VundoFix: what to do?

    Hi,
    I'm still facing viruses on my PC after having trouble with Vundo. I ran Kaspersky (see below) after running Spybot, Ad-Aware and Avast Antivir in safe mode. Viruses are still found by Kaspersky. Please let me know if I should post the HJT report (and if you also need the VundoFix report) now, as they don't fit in this message.

    What to do?
    Many thanks guys.


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, November 27, 2007 12:51:09 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 26/11/2007
    Kaspersky Anti-Virus database records: 466028
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 75558
    Number of viruses found: 11
    Number of infected objects: 22
    Number of suspicious objects: 12
    Duration of the scan process: 01:08:44

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Desktop\catchme.zip/__c00BB8C7.dat Infected: Trojan-Downloader.Win32.ConHook.hl skipped
    C:\Documents and Settings\Administrator\Desktop\catchme.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\37a36f2f395015c1556fff354afd5269_de00fb8d-12cd-4aca-8819-357997cb3c8c Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\635aaf80b9517a57d468aaabea60e907_de00fb8d-12cd-4aca-8819-357997cb3c8c Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\76c60f9cf8177345bbf4c7baa962d05b_de00fb8d-12cd-4aca-8819-357997cb3c8c Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b7e30413fc114da5c9e6806d7fc787e8_de00fb8d-12cd-4aca-8819-357997cb3c8c Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ee883d4de8c5b4dbd06a1cebb94e359d_de00fb8d-12cd-4aca-8819-357997cb3c8c Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-09202007-233740.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\.housecall6.6\Quarantine\atjxjkhp.exe.vir.bac_a01956 Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\Owner\.housecall6.6\Quarantine\jar_cache43567.tmp.bac_a01956/Baaaaa.class Infected: Trojan.Java.ClassLoader.ap skipped
    C:\Documents and Settings\Owner\.housecall6.6\Quarantine\jar_cache43567.tmp.bac_a01956/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped
    C:\Documents and Settings\Owner\.housecall6.6\Quarantine\jar_cache43567.tmp.bac_a01956 ZIP: infected - 2 skipped
    C:\Documents and Settings\Owner\.housecall6.6\Quarantine\jar_cache43567.tmp.bac_a01956 CryptFF.b: infected - 2 skipped
    C:\Documents and Settings\Owner\.housecall6.6\Quarantine\poiu[1].bac_a01956 Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\Owner\Application Data\Babylon\log_file.txt Object is locked skipped
    C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From <gianof@free.panservice.it>][Date Tue, 13 Jan 2004 11:21:13 +0100 (CET)]/UNNAMED/painfulness.com Infected: Email-Worm.Win32.Sober.c.dat skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From <gianof@free.panservice.it>][Date Tue, 13 Jan 2004 11:21:13 +0100 (CET)]/UNNAMED Infected: Email-Worm.Win32.Sober.c.dat skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From "Mail Delivery System" <MAILER-DAEMON@smtp2-in.panservice.it>][Date Mon, 7 Jun 2004 18:04:43 +0200 (CEST)]/UNNAMED/UNNAMED/[From "Gcoletti" <gcoletti@free.panservice.it>][Date Mon, 07 Jun 2004 18:12:30 +0100]/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From "Mail Delivery System" <MAILER-DAEMON@smtp2-in.panservice.it>][Date Mon, 7 Jun 2004 18:04:43 +0200 (CEST)]/UNNAMED/UNNAMED Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From "Mail Delivery System" <MAILER-DAEMON@smtp2-in.panservice.it>][Date Mon, 7 Jun 2004 18:04:43 +0200 (CEST)]/UNNAMED Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From <3Dtriverio@tiscalinet.it>][Date Mon, 07 Jun 2004 18:12:25 +0100]/UNNAMED/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From <3Dtriverio@tiscalinet.it>][Date Mon, 07 Jun 2004 18:12:25 +0100]/UNNAMED Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From "Gersono.b" <gersono.b@zipmail.com.br>][Date Mon, 24 May 2004 16:47:46 -0400]/UNNAMED/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From "Gersono.b" <gersono.b@zipmail.com.br>][Date Mon, 24 May 2004 16:47:46 -0400]/UNNAMED Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From "Gersono.b" <gersono.b@zipmail.com.br>][Date Wed, 19 May 2004 18:09:52 -0400]/UNNAMED/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From "Gersono.b" <gersono.b@zipmail.com.br>][Date Wed, 19 May 2004 18:09:52 -0400]/UNNAMED Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From <fontedasenhora@mail.pt>][Date Wed, 28 Apr 2004 18:46:51 +0200]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From <fontedasenhora@mail.pt>][Date Wed, 28 Apr 2004 18:46:51 +0200]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx/[From <fontedasenhora@mail.pt>][Date Wed, 28 Apr 2004 18:46:51 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Posta in arrivo 2004.dbx Mail MS Outlook 5: infected - 2, suspicious - 12 skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Wind.dbx/[From "Citizens Bank" <antifraud.ref.num63@citizensbank.com>][Date Wed, 22 Sep 2004 05:36:40 -0400]/UNNAMED/html Infected: Trojan-Spy.HTML.Citifraud.ai skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Wind.dbx/[From "Citizens Bank" <antifraud.ref.num63@citizensbank.com>][Date Wed, 22 Sep 2004 05:36:40 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Citifraud.ai skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Wind.dbx/[From "SunTrust" <support@suntrust.com>][Date Sun, 14 Nov 2004 16:00:05 +0600]/html Infected: Trojan-Spy.HTML.Sunfraud.aj skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5B3284C6-24DC-4BF4-A384-9575A1DCD45A}\Microsoft\Outlook Express\Wind.dbx Mail MS Outlook 5: infected - 3 skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007112620071127\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\temp\Perflib_Perfdata_24c.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\temp\Perflib_Perfdata_fd4.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\temp\~DF4DEC.tmp Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\My Documents\Feed Downloaded\Radio 24 Il Sole 24 ore\focus-economia.mp3.partial Object is locked skipped
    C:\Documents and Settings\Owner\My Documents\Feed Downloaded\Radio 24 Il Sole 24 ore\salvadanaio.mp3.partial Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\Program Files\FreePOPs\log.txt Object is locked skipped
    C:\Program Files\FreePOPs\stderr.txt Object is locked skipped
    C:\Program Files\FreePOPs\stdout.txt Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\iifddcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arf skipped
    C:\WINDOWS\system32\jhhnphvh.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\WINDOWS\system32\lkpycgpx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\lydattvh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
    C:\WINDOWS\system32\ssqoolm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arf skipped
    C:\WINDOWS\system32\taigahmm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
    C:\WINDOWS\system32\vhuqeseh.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\TEMP\Perflib_Perfdata_378.dat Object is locked skipped
    C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.

  2. #2 Retired Security Volunteer (Join Date: Nov 2007, Posts: 69)

    Hello, and welcome to the forum.

    My name is Simon V., and I'll be glad to help you with your computer problems.

    Looking at the Kaspersky scan, you seem to have a few infected e-mails. Please delete these e-mails in Outlook Express:

    1. From: (gianof@free.panservice.it), Date: Tue, 13 Jan 2004 11:21:13 +0100 (CET)
    2. From: "Mail Delivery System" (MAILER-DAEMON@smtp2-in.panservice.it), Date: Mon, 7 Jun 2004 18:04:43 +0200 (CEST)
    3. From: (3Dtriverio@tiscalinet.it), Date: Mon, 07 Jun 2004 18:12:25 +0100
    4. From: "Gersono.b" (gersono.b@zipmail.com.br), Date: Mon, 24 May 2004 16:47:46 -0400
    5. From: (fontedasenhora@mail.pt), Date: Wed, 28 Apr 2004 18:46:51 +0200
    6. From: Citizens Bank (antifraud.ref.num63@citizensbank.com), Date: Wed, 22 Sep 2004 05:36:40 -0400
    7. From: "SunTrust" (support@suntrust.com), Date: Sun, 14 Nov 2004 16:00:05 +0600

    In your next reply, please post the HijackThis log, along with the Vundofix log and we'll start getting Vundo off of your machine.
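
As an added example (not from the thread and not part of any tool mentioned in it), here is a small Python parser for the Kaspersky Online Scanner report format posted above. It does the triage Simon did by hand: it separates "Object is locked" noise from real detections, collapses the several hits inside one e-mail (html part, UNNAMED attachment) into a single From/Date so the user knows which message to delete, and sets aside file hits that sit in another scanner's quarantine folder. The sample report is a constructed excerpt modelled on the one posted, with shortened made-up paths.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the Kaspersky Online Scanner 5 report
# posted above: short made-up paths, verdict names copied from the thread.
SAMPLE_REPORT = r"""
Scan Statistics:
Number of infected objects: 6
Number of suspicious objects: 1

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Quarantine\poiu[1].bac_a01956 Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Mail\Posta in arrivo 2004.dbx/[From <gianof@free.panservice.it>][Date Tue, 13 Jan 2004 11:21:13 +0100 (CET)]/UNNAMED/painfulness.com Infected: Email-Worm.Win32.Sober.c.dat skipped
C:\Mail\Posta in arrivo 2004.dbx/[From <gianof@free.panservice.it>][Date Tue, 13 Jan 2004 11:21:13 +0100 (CET)]/UNNAMED Infected: Email-Worm.Win32.Sober.c.dat skipped
C:\Mail\Posta in arrivo 2004.dbx/[From "Mail Delivery System" <MAILER-DAEMON@smtp2-in.panservice.it>][Date Mon, 7 Jun 2004 18:04:43 +0200 (CEST)]/UNNAMED/UNNAMED/[From "Gcoletti" <gcoletti@free.panservice.it>][Date Mon, 07 Jun 2004 18:12:30 +0100]/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
C:\Mail\Posta in arrivo 2004.dbx Mail MS Outlook 5: infected - 2, suspicious - 1 skipped
C:\Mail\Wind.dbx/[From "SunTrust" <support@suntrust.com>][Date Sun, 14 Nov 2004 16:00:05 +0600]/html Infected: Trojan-Spy.HTML.Sunfraud.aj skipped
C:\WINDOWS\system32\iifddcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arf skipped
C:\WINDOWS\system32\jhhnphvh.exe Infected: Trojan.Win32.Obfuscated.kp skipped

Scan process completed.
"""

TABLE_HEADER = "Infected Object Name / Virus Name / Last Action"
TABLE_END = "Scan process completed."
LOCKED_SUFFIX = " Object is locked skipped"

# "<object> Infected: <name> skipped"  or  "<object> Suspicious: <name> skipped"
DETECTION_RE = re.compile(r" (?P<kind>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$")
# Container summary, e.g. "... ZIP: infected - 1 skipped" or
# "... Mail MS Outlook 5: infected - 2, suspicious - 12 skipped"
CONTAINER_RE = re.compile(
    r" (?P<fmt>[A-Za-z0-9 ]+?): (?P<counts>(?:infected|suspicious) - \d+"
    r"(?:, (?:infected|suspicious) - \d+)*) (?P<action>\S+)$"
)
# Object inside an Outlook Express .dbx mailbox: the outermost [From ...][Date ...]
# identifies the message the user has to delete.
MAIL_RE = re.compile(r"^(?P<mailbox>.+?\.dbx)/\[From (?P<sender>[^\]]+)\]\[Date (?P<date>[^\]]+)\]")

Report = Dict[str, list]


def parse_report(text: str) -> Report:
    """Bucket the object table of a Kaspersky Online Scanner 5 report."""
    report: Report = {"locked": [], "files": [], "mail": [], "containers": [], "unparsed": []}
    seen_mail = set()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == TABLE_HEADER:
            in_table = True
            continue
        if line == TABLE_END:
            break
        if not in_table or not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            # files the scanner could not open (hives, logs, index.dat): noise, not detections
            report["locked"].append(line[: -len(LOCKED_SUFFIX)])
            continue
        det = DETECTION_RE.search(line)
        if det:
            obj = line[: det.start()]
            mail = MAIL_RE.match(obj)
            if mail:
                # each part of one message (html, UNNAMED attachment) produces its own hit;
                # collapse them so every message is listed once
                key = (mail["mailbox"], mail["sender"], mail["date"])
                if key not in seen_mail:
                    seen_mail.add(key)
                    report["mail"].append(key + (det["kind"], det["name"]))
            else:
                report["files"].append((obj, det["kind"], det["name"]))
            continue
        cont = CONTAINER_RE.search(line)
        if cont:
            report["containers"].append((line[: cont.start()], cont["fmt"], cont["counts"]))
            continue
        report["unparsed"].append(line)
    return report


def mail_to_delete(report: Report) -> List[Tuple[str, str, str]]:
    """(mailbox, sender, date) of each flagged message, in report order."""
    return [(mailbox, sender, date) for mailbox, sender, date, _kind, _name in report["mail"]]


def live_file_hits(report: Report) -> List[Tuple[str, str, str]]:
    """File detections outside another tool's quarantine folder.

    A hit inside a quarantine folder is a copy an earlier scanner already
    contained; re-scanning it re-triggers the signature, but it is not active.
    """
    return [hit for hit in report["files"] if "\\quarantine\\" not in hit[0].lower()]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(f"{len(parsed['locked'])} locked objects ignored")
    for mailbox, sender, date in mail_to_delete(parsed):
        print(f"delete in {mailbox}: From {sender}, Date {date}")
    for path, kind, name in live_file_hits(parsed):
        print(f"{kind.lower()} file: {path} ({name})")
```

Run it against the full report by passing the saved report text to `parse_report`; anything the regexes do not recognise lands in the `unparsed` bucket so it is not silently dropped.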

  3. #3 Junior Member (Join Date: Nov 2007, Posts: 10)

    Hello Simon V.,
    thanks for helping me!

    I removed the infected emails.

    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:21:53, on 27/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
    C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
    C:\Program Files\ASUS\AI Remote\AiRc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Shelltoys\Personal Assistant\assistant.exe
    C:\Program Files\ASUS\AI Remote\AiRemote.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\ASUS\ScreenDUO\AsG_Manager.exe
    C:\WINDOWS\ATKKBService.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\FreePOPs\freepopsservice.exe
    C:\Program Files\FreePOPs\freepopsd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ASUS\ScreenDUO\Gadgets\LaunchApplication\AsG_LaunchApplication.exe
    C:\Program Files\Asus\ScreenDuo\Gadgets\RSS\ASG_RSS.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\ASUS\ScreenDUO\Gadgets\HardwareMonitoring\AsG_HardwareMonitor.exe
    C:\Program Files\Asus\ScreenDuo\Gadgets\MediaPlayer\ASG_MpCtrl.exe
    C:\Program Files\ASUS\ScreenDUO\Gadgets\EventViewer\AsG_EventViewer.exe
    C:\Program Files\ASUS\ScreenDUO\Gadgets\Note\AsG_Note.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Asus\ScreenDuo\Gadgets\PhotoFrame\ASG_Photoframe.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Asus\ScreenDUO\Gadgets\PhotoSlideShow\ASG_SlideShow.exe
    C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
    C:\Program Files\Asus\ScreenDUO\Gadgets\Time\AsG_Time.exe
    C:\Program Files\ASUS\ScreenDUO\Gadgets\VolumeControl\AsG_VolumeControl.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
    C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {b3135438-a155-73ab-4034-a584007110d1} - {1d011700-485a-4304-ba37-551a8345313b} - C:\WINDOWS\system32\grnwrdso.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ASUS ASAP USB] C:\Program Files\ASUS\ASAP\asapusb.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
    O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Ai Remote Help] "C:\Program Files\ASUS\AI Remote\AiRc.exe" -r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Personal Assistant] C:\Program Files\Shelltoys\Personal Assistant\assistant.exe
    O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Allway Sync] "C:\Program Files\Allway Sync\Bin\syncappw.exe" -m
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: ScreenDUO.lnk = ?
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E7190B-3F58-4BDF-B820-090F0C65835D}: NameServer = 192.168.0.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FreePOPs - Unknown owner - C:\Program Files\FreePOPs\freepopsservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

    --
    End of file - 9533 bytes


    and the VundoFix log:

    VundoFix V6.6.2

    Checking Java version...

    Scan started at 17:22:09 26/11/2007

    Listing files found while scanning....

    C:\windows\system32\drvlatr.dll
    C:\windows\system32\myhvcecw.dll
    C:\windows\system32\pblwpwln.dllbox
    C:\windows\system32\plnfmumd.dll
    C:\windows\system32\sprmvyab.dll
    C:\windows\system32\sprmvyab.dllbox

    Beginning removal...

    VundoFix V6.6.2

    Checking Java version...

    Scan started at 17:39:58 26/11/2007

    Listing files found while scanning....

    C:\windows\system32\__c00BB8C7.dat
    C:\windows\system32\drvlatr.dll
    C:\windows\system32\myhvcecw.dll
    C:\windows\system32\pblwpwln.dllbox
    C:\windows\system32\plnfmumd.dll
    C:\WINDOWS\system32\sprmvyab.dll
    C:\windows\system32\sprmvyab.dllbox

    Beginning removal...

    Attempting to delete C:\windows\system32\__c00BB8C7.dat
    C:\windows\system32\__c00BB8C7.dat Could not be deleted.

    Attempting to delete C:\windows\system32\drvlatr.dll
    C:\windows\system32\drvlatr.dll Has been deleted!

    Attempting to delete C:\windows\system32\myhvcecw.dll
    C:\windows\system32\myhvcecw.dll Has been deleted!

    Attempting to delete C:\windows\system32\pblwpwln.dllbox
    C:\windows\system32\pblwpwln.dllbox Has been deleted!

    Attempting to delete C:\windows\system32\plnfmumd.dll
    C:\windows\system32\plnfmumd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\sprmvyab.dll
    C:\WINDOWS\system32\sprmvyab.dll Could not be deleted.

    Attempting to delete C:\windows\system32\sprmvyab.dllbox
    C:\windows\system32\sprmvyab.dllbox Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.6.2

    Checking Java version...

    Scan started at 17:48:25 26/11/2007

    Listing files found while scanning....

    C:\windows\system32\popqftlu.dll
    C:\WINDOWS\system32\sprmvyab.dll
    C:\windows\system32\sprmvyab.dllbox

    Beginning removal...

    Attempting to delete C:\windows\system32\popqftlu.dll
    C:\windows\system32\popqftlu.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\sprmvyab.dll
    C:\WINDOWS\system32\sprmvyab.dll Has been deleted!

    Attempting to delete C:\windows\system32\sprmvyab.dllbox
    C:\windows\system32\sprmvyab.dllbox Has been deleted!

    Performing Repairs to the registry.
    Done!


    What to do now?

    Thanks!

  4. #4 Retired Security Volunteer (Join Date: Nov 2007, Posts: 69)

    Hi

    From your log, it seems you've run Combofix too. Can you post the log it has created please? It's located here: C:\Combofix.txt

  5. #5 Junior Member (Join Date: Nov 2007, Posts: 10)

    Hi,
    Yes, I made a mess. I ran Combofix and also Combofix /u. But I cannot find the report (maybe because I ran it in safe mode?).

    Bye.

  6. #6 Retired Security Volunteer (Join Date: Nov 2007, Posts: 69)

    Hi

    Have you been running other programs to clean the malware on your computer? If so, I'd like to know.

    You'll have to download Combofix again. Please do the following:

    Step 1

    Please download Combofix:
    Double-click on combofix.exe and follow the prompts.
    When finished, it will produce a log for you. Save it to a convenient location.

    Note: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.

    Note: Combofix should never take more than 20 minutes including the reboot if malware is detected. If it does, press Ctrl, Alt and Del at the same time and, under the Processes tab, end any processes of findstr, find, sed or swreg, then Combofix should continue. If that happened, I'd like to know, and which process you had to end.

    Step 2

    Please download and install CCleaner.

    • Open CCleaner. In the Left Pane, click Tools.
    • Verify that Uninstall is highlighted in color, or click on it.
    • In the lower right, click Save to Text File.
    • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
    • You can leave the filename as install.txt.
    • Click Save.
• Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.


    Step 3

    In your next reply, please post:

    • whether you ran other programs to clean the malware on your computer
    • the Combofix log (C:\Combofix.txt)
    • the CCleaner Uninstall List (install.txt)
    • a new HijackThis log

  7. #7
    Junior Member
    Join Date
    Nov 2007
    Posts
    10

    Default

I also ran Trend Micro, which didn't find anything but some cookies.

    Here Combofix

    ComboFix 07-11-19.4 - Owner 2007-11-27 20:21:12.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1324 [GMT 1:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
    .

    2007-11-27 01:21 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-21 21:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-11-21 21:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2007-11-21 21:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2007-11-21 21:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2007-11-21 21:03 714,309 --a------ C:\WINDOWS\system32\xpgcypkl.ini
    2007-11-21 21:02 85,056 --a------ C:\WINDOWS\system32\lkpycgpx.dll
    2007-11-21 20:59 80,960 --a------ C:\WINDOWS\system32\grnwrdso.dll
    2007-11-21 20:54 71,232 --a------ C:\WINDOWS\system32\vhuqeseh.exe
    2007-11-21 20:24 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-11-21 20:13 80,960 --a------ C:\WINDOWS\system32\cjlvjoab.dll
    2007-11-21 20:11 714,281 --a------ C:\WINDOWS\system32\mmhagiat.ini
    2007-11-21 20:10 85,056 --a------ C:\WINDOWS\system32\taigahmm.dll
    2007-11-21 08:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-21 08:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-20 23:49 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2007-11-20 23:49 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2007-11-20 23:49 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2007-11-20 23:49 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2007-11-20 23:49 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2007-11-20 23:48 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
    2007-11-20 23:48 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
    2007-11-20 23:48 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
    2007-11-20 23:48 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
    2007-11-20 23:48 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
    2007-11-20 23:48 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
    2007-11-20 23:47 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
    2007-11-20 23:46 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
    2007-11-20 23:45 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
    2007-11-20 23:44 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
    2007-11-20 23:43 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
    2007-11-20 23:42 45,568 --a--c--- C:\WINDOWS\system32\dllcache\smb3w.dll
    2007-11-20 23:41 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
    2007-11-20 23:39 210,496 --a--c--- C:\WINDOWS\system32\dllcache\s3mvirge.dll
    2007-11-20 23:39 182,272 --a--c--- C:\WINDOWS\system32\dllcache\s3mt3d.dll
    2007-11-20 23:39 179,264 --a--c--- C:\WINDOWS\system32\dllcache\s3sav3d.dll
    2007-11-20 23:39 166,720 --a--c--- C:\WINDOWS\system32\dllcache\s3m.sys
    2007-11-20 23:39 86,097 --a--c--- C:\WINDOWS\system32\dllcache\reslog32.dll
    2007-11-20 23:39 65,664 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.sys
    2007-11-20 23:39 62,496 --a--c--- C:\WINDOWS\system32\dllcache\s3mtrio.dll
    2007-11-20 23:39 61,504 --a--c--- C:\WINDOWS\system32\dllcache\s3sav3dm.sys
    2007-11-20 23:39 41,216 --a--c--- C:\WINDOWS\system32\dllcache\s3mt3d.sys
    2007-11-20 23:38 17,664 --a--c--- C:\WINDOWS\system32\dllcache\ppa3.sys
    2007-11-20 23:37 30,495 --a--c--- C:\WINDOWS\system32\dllcache\pc100nds.sys
    2007-11-20 23:36 180,360 --a--c--- C:\WINDOWS\system32\dllcache\ntmtlfax.sys
    2007-11-20 23:35 128,000 --a--c--- C:\WINDOWS\system32\dllcache\n100325.sys
    2007-11-20 23:34 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
    2007-11-20 23:33 7,424 --a--c--- C:\WINDOWS\system32\dllcache\mammoth.sys
    2007-11-20 23:32 45,568 --a--c--- C:\WINDOWS\system32\dllcache\kdsui.dll
    2007-11-20 23:31 16,000 --a--c--- C:\WINDOWS\system32\dllcache\ini910u.sys
    2007-11-20 23:30 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
    2007-11-20 23:30 685,056 --a--c--- C:\WINDOWS\system32\dllcache\hsfcxts2.sys
    2007-11-20 23:30 32,285 --a--c--- C:\WINDOWS\system32\dllcache\hsfcisp2.dll
    2007-11-20 23:30 8,192 --a--c--- C:\WINDOWS\system32\dllcache\i2omgmt.sys
    2007-11-20 23:29 101,376 --a--c--- C:\WINDOWS\system32\dllcache\hpgt34.dll
    2007-11-20 23:28 444,416 --a--c--- C:\WINDOWS\system32\dllcache\fpcibase.sys
    2007-11-20 23:27 18,503 --a--c--- C:\WINDOWS\system32\dllcache\epro4.sys
    2007-11-20 23:26 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
    2007-11-20 23:25 80,896 --a--c--- C:\WINDOWS\system32\dllcache\dc210usd.dll
    2007-11-20 23:24 91,264 --a--c--- C:\WINDOWS\system32\dllcache\cirrus.dll
    2007-11-20 23:23 164,923 --a--c--- C:\WINDOWS\system32\dllcache\diapi2.sys
    2007-11-20 23:23 32,256 --a--c--- C:\WINDOWS\system32\dllcache\diapi2NT.dll
    2007-11-20 23:23 5,120 --a--c--- C:\WINDOWS\system32\dllcache\brscnrsm.dll
    2007-11-20 23:22 13,824 --a--c--- C:\WINDOWS\system32\dllcache\atinmdxx.sys
    2007-11-20 23:21 46,112 --a--c--- C:\WINDOWS\system32\dllcache\adptsf50.sys
    2007-11-20 23:19 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
    2007-11-20 20:11 84,544 --a------ C:\WINDOWS\system32\bjajpkls.dll
    2007-11-20 20:08 689,163 --a------ C:\WINDOWS\system32\hvttadyl.ini
    2007-11-20 20:08 85,056 --a------ C:\WINDOWS\system32\lydattvh.dll
    2007-11-20 19:52 71,232 --a------ C:\WINDOWS\system32\jhhnphvh.exe
    2007-11-19 22:47 <DIR> d-------- C:\Program Files\VID_0E8F&PID_1009
    2007-11-19 22:26 <DIR> d-------- C:\Program Files\Ukrjzrly
    2007-11-19 22:26 <DIR> d-------- C:\Program Files\jyrmrmpi
    2007-11-19 22:25 36,352 --a------ C:\WINDOWS\system32\iifddcy.dll
    2007-11-19 22:24 36,352 --a------ C:\WINDOWS\system32\ssqoolm.dll
    2007-11-19 21:45 <DIR> d--hs---- C:\WINDOWS\ftpcache
    2007-11-19 21:42 <DIR> d-------- C:\Program Files\id Software
    2007-11-18 18:10 <DIR> d-------- C:\Program Files\CODE Multimedia
    2007-11-17 10:37 <DIR> d-------- C:\Program Files\Juice
    2007-11-17 00:33 372 --a------ C:\Documents and Settings\Owner\Application Data\AsAlbum.dat
    2007-11-13 00:37 <DIR> d-------- C:\Program Files\QuickTime
    2007-11-11 14:44 <DIR> d-------- C:\Program Files\Allway Sync
    2007-11-11 14:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sync App Settings
    2007-11-11 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sync App Settings
    2007-11-11 12:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
    2007-11-11 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-11-11 12:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iPodder
    2007-11-10 21:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nokia Multimedia Player
    2007-11-10 21:09 <DIR> d-------- C:\Program Files\IVT Corporation
    2007-11-10 20:44 <DIR> d-------- C:\Program Files\Common Files\PCSuite
    2007-11-10 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
    2007-11-10 01:05 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-11-10 00:30 <DIR> d-------- C:\Program Files\PC Connectivity Solution
    2007-11-10 00:30 <DIR> d-------- C:\Program Files\Common Files\Nokia
    2007-11-10 00:27 <DIR> d-------- C:\Program Files\Nokia
    2007-11-10 00:27 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
    2007-11-09 23:50 <DIR> d-------- C:\Documents and Settings\Owner\Phone Browser
    2007-11-09 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
    2007-11-09 22:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nokia
    2007-11-09 22:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Suite

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-27 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
    2007-11-21 21:25 --------- d-----w C:\Program Files\Windows Defender
    2007-11-21 21:20 --------- d-----w C:\Program Files\FreePOPs
    2007-11-21 21:18 --------- d-----w C:\Program Files\AC3Filter
    2007-11-21 20:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
    2007-11-21 07:59 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
    2007-11-20 20:21 --------- d-----w C:\Program Files\Windows Live Safety Center
    2007-11-19 21:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-19 21:42 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-19 07:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
    2007-11-15 16:37 --------- d-----w C:\Program Files\eMule
    2007-11-10 20:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
    2007-11-09 21:45 --------- d-----w C:\Program Files\DIFX
    2007-11-03 14:37 361,126 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
    2007-11-03 12:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-03 00:48 --------- d-----w C:\Program Files\Java
    2007-11-02 20:29 --------- d-----w C:\Program Files\uTorrent
    2007-10-31 22:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
    2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-10-06 11:32 --------- d-----w C:\Program Files\MSBuild
    2007-10-06 11:28 --------- d-----w C:\Program Files\Reference Assemblies
    2007-10-06 07:22 --------- d-----w C:\Program Files\TuneUp Utilities 2007
    2007-10-06 07:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\TuneUp Software
    2007-10-06 07:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-06 07:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
    2007-10-03 21:55 80,424 ----a-w C:\WINDOWS\system32\drivers\SI3132.sys
    2007-10-03 21:55 19,240 ----a-w C:\WINDOWS\system32\drivers\SiWinAcc.sys
    2007-10-03 21:55 15,400 ----a-w C:\WINDOWS\system32\drivers\SiRemFil.sys
    2007-10-03 21:55 119,848 ----a-w C:\WINDOWS\system32\SilSupp.dll
    2007-10-03 18:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\vlc
    2007-10-03 18:05 --------- d-----w C:\Program Files\VideoLAN
    2007-10-03 17:51 --------- d-----w C:\Program Files\Real
    2007-10-03 17:51 --------- d-----w C:\Program Files\Common Files\xing shared
    2007-10-03 17:51 --------- d-----w C:\Program Files\Common Files\Real
    2007-10-03 11:29 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
    2007-09-30 16:39 --------- d-----w C:\Program Files\CCleaner
    2007-09-30 12:49 --------- d-----w C:\Program Files\Look@LAN
    2007-09-30 11:37 720,896 ----a-w C:\WINDOWS\iun6002.exe
    2007-09-30 10:50 --------- d-----w C:\Program Files\NetMeter
    2007-09-30 09:27 --------- d-----w C:\Program Files\Skype
    2007-09-29 16:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Media Player Classic
    2007-09-29 09:28 --------- d-----w C:\Program Files\SystemRequirementsLab
    2007-09-29 09:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
    2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1d011700-485a-4304-ba37-551a8345313b}]
    2007-11-21 20:59 80960 --a------ C:\WINDOWS\system32\grnwrdso.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
    "Personal Assistant"="C:\Program Files\Shelltoys\Personal Assistant\assistant.exe" [2003-03-07 12:47]
    "VoipStunt"="C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" [2007-07-02 12:24]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
    "Allway Sync"="C:\Program Files\Allway Sync\Bin\syncappw.exe" [2007-10-30 09:57]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 13:25]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 06:12]
    "ASUS ASAP USB"="C:\Program Files\ASUS\ASAP\asapusb.exe" [2007-01-10 10:55]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]
    "nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl]
    "Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 16:23 C:\WINDOWS\StartupMonitor.exe]
    "Ai Nap"="C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe" [2007-01-26 16:26]
    "Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2007-07-16 14:50]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 C:\WINDOWS\KHALMNPR.Exe]
    "NvMediaCenter"="RunDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]
    "Ai Remote Help"="C:\Program Files\ASUS\AI Remote\AiRc.exe" [2007-03-22 19:17]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
    "VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 14:21]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 17:20]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
    BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-05-26 17:58:02]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-08-25 19:16:29]
    ScreenDUO.lnk - C:\Program Files\ASUS\ScreenDUO\AsG_Manager.exe [2007-08-25 10:38:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzc32]
    winzzc32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
    R3 ft2kEnum;usb Card Device;C:\WINDOWS\system32\DRIVERS\ic2kenum.sys
    R3 Reader_Device;SmartCard Reader Device ;C:\WINDOWS\system32\DRIVERS\usbic2k.sys
    R3 Start BT in service;Start BT in service;C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
    R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys
    S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys
    S3 token;usb token Device Driver;C:\WINDOWS\system32\DRIVERS\eps2kt1.sys

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b057daa-4ddb-11dc-81a4-806d6172696f}]
    \Shell\AutoRun\command - D:\.\Bin\Assetup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-02 16:15:40 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
    "2007-11-27 08:50:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2007-11-27 19:20:23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{FA99C259-B28E-4AE5-9021-F78B9D4C8452}.job"
    - C:\WINDOWS\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-27 20:21:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-27 20:22:09
    .
    --- E O F ---
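
The ComboFix log above carries the textbook Vundo footprint, and it can be picked out mechanically rather than by eye: each dropped DLL in system32 has a companion .ini whose name is the DLL's name spelled backwards (lkpycgpx.dll / xpgcypkl.ini, taigahmm.dll / mmhagiat.ini, lydattvh.dll / hvttadyl.ini), the random-named DLLs come in exact-size groups (three at 85,056 bytes, two at 80,960, two at 36,352), and the loading points tie one of them to a BHO while a Winlogon Notify entry names a DLL with no path. The script below is an added example written by the editor; it is not code from the thread, from ComboFix or from any tool mentioned in it. It parses a constructed sample made of lines copied from the log above and reports those three indicators; the 7-to-8-lowercase-letter "random name" test is an assumption of the example and is deliberately only used together with a second signal.

```python
"""Flag Vundo-style indicators in a ComboFix log.

Added example by the editor, not code from the thread, from ComboFix or from any tool
named in it. Three heuristics taken from the log posted above: a DLL whose reversed name
is a newly created .ini; random-named system32 binaries sharing an exact size; and an
autostart point (BHO, Winlogon Notify) that references such a file or a bare DLL name.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above
# (a "Files Created" subset plus two "Reg Loading Points" entries).
SAMPLE_LOG = r"""
2007-11-21 21:03 714,309 --a------ C:\WINDOWS\system32\xpgcypkl.ini
2007-11-21 21:02 85,056 --a------ C:\WINDOWS\system32\lkpycgpx.dll
2007-11-21 20:59 80,960 --a------ C:\WINDOWS\system32\grnwrdso.dll
2007-11-21 20:13 80,960 --a------ C:\WINDOWS\system32\cjlvjoab.dll
2007-11-21 20:11 714,281 --a------ C:\WINDOWS\system32\mmhagiat.ini
2007-11-21 20:10 85,056 --a------ C:\WINDOWS\system32\taigahmm.dll
2007-11-20 23:49 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-11-20 20:08 689,163 --a------ C:\WINDOWS\system32\hvttadyl.ini
2007-11-20 20:08 85,056 --a------ C:\WINDOWS\system32\lydattvh.dll
2007-11-19 22:25 36,352 --a------ C:\WINDOWS\system32\iifddcy.dll
2007-11-19 22:24 36,352 --a------ C:\WINDOWS\system32\ssqoolm.dll
2007-11-10 00:27 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1d011700-485a-4304-ba37-551a8345313b}]
2007-11-21 20:59 80960 --a------ C:\WINDOWS\system32\grnwrdso.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzc32]
winzzc32.dll
"""

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")  # assumption; weak alone, so only used with a second signal


@dataclass(frozen=True)
class Created:
    when: str
    size: int  # -1 for directories
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def stem(self) -> str:
        return self.name.rsplit(".", 1)[0]

    @property
    def ext(self) -> str:
        return self.name.rsplit(".", 1)[-1] if "." in self.name else ""

    @property
    def in_system32(self) -> bool:
        # direct children of system32 only; dllcache and other subfolders are excluded
        return self.path.lower().rsplit("\\", 1)[0].endswith("\\system32")


def parse_log(text):
    """Return (created files, [(registry key, value)]) from ComboFix-style lines."""
    files, points, pending_key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            pending_key = km.group(1)
            continue
        fm = FILE_RE.match(line)
        if pending_key is not None:
            # the line after a [HKEY...] header is that key's value (a path or a bare name)
            points.append((pending_key, fm.group(4) if fm else line))
            pending_key = None
        elif fm:
            when, size, attrs, path = fm.groups()
            files.append(Created(when, -1 if size == "<DIR>" else int(size.replace(",", "")), attrs, path))
    return files, points


def random_looking(f: Created) -> bool:
    return f.in_system32 and f.ext in {"dll", "exe", "ini"} and RANDOM_STEM.match(f.stem) is not None


def reversed_pairs(files):
    """DLLs whose reversed stem names a created .ini in the same folder (Vundo's data file)."""
    by_name = {f.name: f for f in files if f.in_system32}
    return [(f.path, by_name[f.stem[::-1] + ".ini"].path)
            for f in files
            if f.in_system32 and f.ext == "dll" and f.stem[::-1] + ".ini" in by_name]


def size_clusters(files):
    """Random-named executables sharing an exact size: likely copies of one dropped payload."""
    groups = defaultdict(list)
    for f in files:
        if random_looking(f) and f.ext in {"dll", "exe"}:
            groups[f.size].append(f.path)
    return {size: paths for size, paths in groups.items() if len(paths) > 1}


def autostart_hits(files, points):
    """Loading points that reference a random-named new file, or a bare DLL under Winlogon\\Notify."""
    suspicious = {f.name for f in files if random_looking(f)}
    hits = []
    for key, value in points:
        name = value.rsplit("\\", 1)[-1].lower()
        if name in suspicious:
            hits.append((key, value, "loads a freshly created random-named file"))
        elif "\\" not in value and "winlogon\\notify" in key.lower():
            hits.append((key, value, "Winlogon Notify entry with a bare DLL name; confirm whether it exists on disk"))
    return hits


def analyze(text):
    files, points = parse_log(text)
    return {"reversed_pairs": reversed_pairs(files),
            "size_clusters": size_clusters(files),
            "autostart_hits": autostart_hits(files, points)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for dll, ini in report["reversed_pairs"]:
        print(f"reversed-name pair : {dll}  <->  {ini}")
    for size, paths in sorted(report["size_clusters"].items()):
        print(f"same size {size:>7}: " + ", ".join(paths))
    for key, value, why in report["autostart_hits"]:
        print(f"autostart {key}\n    -> {value}: {why}")
```

Run the file directly to get the report for the embedded sample, or feed it a full ComboFix.txt through `analyze()`. On this log it pairs the three DLL/.ini twins, groups the seven random-named DLLs into three exact-size clusters, and ties grnwrdso.dll to the BHO CLSID {1d011700-485a-4304-ba37-551a8345313b}; the Winlogon Notify hit for winzzc32.dll is the same entry HijackThis later reports as "(file missing)", which is why the script only asks for a disk check rather than declaring it live.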

  8. #8
    Junior Member
    Join Date
    Nov 2007
    Posts
    10

    Default

    Install.txt

    µTorrent
    AC3Filter (remove only)
    Adobe Reader 7.0.9
    Adobe Shockwave Player
    AI Remote
    AI Suite
    Allway Sync version 6.3.9
    ASUS ASAP Function
    ASUS Gamer OSD
    ASUS nVidia Driver
    ASUS ScreenDUO
    ASUS Utilities
    ASUS VideoSecurity Online
    ASUSUpdate
    avast! Antivirus
    Babylon
    Bluesoleil3.2.2.8 Release 070421
    BULLFROG GAMEPAD
    CCleaner (remove only)
    CDDRV_Installer
    Change Analysis Diagnostic for Windows XP (KB924732)
    CODE Multimedia
    Collectorz.com Book Collector
    COMSOL 3.3
    Cool & Quiet
    eMule
    Genie Backup Manager Pro 7.0
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for MSXML 2 (KB887606)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB889527)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB906569)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB924867)
    Hotfix for Windows XP (KB924941)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB927544)
    Hotfix for Windows XP (KB932662)
    Hotfix for Windows XP (KB935843)
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Juice 2.2
    Kaspersky Online Scanner
    KhalInstallWrapper
    Lizardtech DjVu Control
    Logitech SetPoint
    Look@LAN 2.50 Build 35
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 3.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Professional Edition 2003
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.5
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Script 5.7
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 6.0 Parser (KB933579)
    NetMeter 1.1.3
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Nokia Software Updater
    NSIS FreePOPs (remove only)
    NVIDIA Drivers
    Origin70
    Panda ActiveScan
    PC Connectivity Solution
    PC DUAL SHOCK
    PC Probe II
    PC1D 5.5
    Personal Assistant
    PrimoPDF
    PrimoPDF Redistribution Package
    Quake 4(TM)
    RealPlayer
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917537)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB943460)
    SIM Editor
    Skype™ 3.5
    Software Update for Web Folders
    SoundMAX
    Spybot - Search & Destroy 1.4
    StartupMonitor
    System Requirements Lab
    TuneUp Utilities 2007
    Update for Windows XP (KB896256)
    Update for Windows XP (KB897663)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908521)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920342)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB925876)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB938828)
    VideoLAN VLC media player 0.8.6c
    VirtualCloneDrive
    VoipStunt
    Windows Communication Foundation
    Windows Defender
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
    Windows Driver Package - Nokia Modem (02/15/2007 3.1)
    Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
    Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)
    Windows Driver Package - Nokia Modem (08/08/2007 3.3)
    Windows Easy Transfer
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Workflow Foundation
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885626
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinRAR archiver
    WinZip
    XP Codec Pack

and the new HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:26:22, on 27/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
    C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
    C:\Program Files\ASUS\AI Remote\AiRc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Shelltoys\Personal Assistant\assistant.exe
    C:\Program Files\ASUS\AI Remote\AiRemote.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\ASUS\ScreenDUO\AsG_Manager.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\WINDOWS\ATKKBService.exe
    C:\Program Files\FreePOPs\freepopsservice.exe
    C:\Program Files\FreePOPs\freepopsd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\ASUS\ScreenDUO\Gadgets\LaunchApplication\AsG_LaunchApplication.exe
    C:\Program Files\Asus\ScreenDuo\Gadgets\RSS\ASG_RSS.exe
    C:\Program Files\ASUS\ScreenDUO\Gadgets\HardwareMonitoring\AsG_HardwareMonitor.exe
    C:\Program Files\Asus\ScreenDuo\Gadgets\MediaPlayer\ASG_MpCtrl.exe
    C:\Program Files\ASUS\ScreenDUO\Gadgets\EventViewer\AsG_EventViewer.exe
    C:\Program Files\ASUS\ScreenDUO\Gadgets\Note\AsG_Note.exe
    C:\Program Files\Asus\ScreenDuo\Gadgets\PhotoFrame\ASG_Photoframe.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Asus\ScreenDUO\Gadgets\PhotoSlideShow\ASG_SlideShow.exe
    C:\Program Files\Asus\ScreenDUO\Gadgets\Time\AsG_Time.exe
    C:\Program Files\ASUS\ScreenDUO\Gadgets\VolumeControl\AsG_VolumeControl.exe
    C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
    C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {b3135438-a155-73ab-4034-a584007110d1} - {1d011700-485a-4304-ba37-551a8345313b} - C:\WINDOWS\system32\grnwrdso.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ASUS ASAP USB] C:\Program Files\ASUS\ASAP\asapusb.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
    O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Ai Remote Help] "C:\Program Files\ASUS\AI Remote\AiRc.exe" -r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Personal Assistant] C:\Program Files\Shelltoys\Personal Assistant\assistant.exe
    O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Allway Sync] "C:\Program Files\Allway Sync\Bin\syncappw.exe" -m
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: ScreenDUO.lnk = ?
    O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E7190B-3F58-4BDF-B820-090F0C65835D}: NameServer = 192.168.0.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: FreePOPs - Unknown owner - C:\Program Files\FreePOPs\freepopsservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

    --
    End of file - 9012 bytes

    Bye

  9. #9
    Junior Member
    Join Date
    Nov 2007
    Posts
    10

    Default

    Uhu! Yesterday I also ran CCleaner (the cleaner and the registry).

    Regards,

  10. #10
    Retired Security Volunteer
    Join Date
    Nov 2007
    Posts
    69

    Default

    Hi

    I also ran Trend Micro, which didn't find anything but some cookies.

    Uhu! Yesterday I also ran CCleaner (the cleaner and the registry).

    That's fine.

    I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

    Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

    Here is some information that looks at the rates of infection:

    http://www.benedelman.org/spyware/p2p/

    With that being said, I recommend that you remove the following Peer-to-Peer program(s):

    µTorrent

    Step 1

    Click on Start, then Control Panel. Double click on Add or Remove Programs.

    Please remove the following program(s):

    • Java(TM) 6 Update 2


    Step 2

    Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

    Code:
    File::
    
    C:\WINDOWS\system32\xpgcypkl.ini
    C:\WINDOWS\system32\lkpycgpx.dll
    C:\WINDOWS\system32\grnwrdso.dll
    C:\WINDOWS\system32\vhuqeseh.exe
    C:\WINDOWS\system32\cjlvjoab.dll
    C:\WINDOWS\system32\mmhagiat.ini
    C:\WINDOWS\system32\taigahmm.dll
    C:\WINDOWS\system32\bjajpkls.dll
    C:\WINDOWS\system32\hvttadyl.ini
    C:\WINDOWS\system32\lydattvh.dll
    C:\WINDOWS\system32\jhhnphvh.exe
    C:\WINDOWS\system32\iifddcy.dll
    C:\WINDOWS\system32\ssqoolm.dll
    
    DirLook::
    
    C:\Program Files\VID_0E8F&PID_1009
    
    Folder::
    
    C:\Program Files\Ukrjzrly
    C:\Program Files\jyrmrmpi
    
    Registry::
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1d011700-485a-4304-ba37-551a8345313b}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzc32]

    Click on File > Save as....

    In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

    Click Save.



    Referring to the picture above, drag CFScript into ComboFix.exe.
    It will create a log. Be sure to save it to a convenient location.

    Step 3

    In your next reply, please post:

    • the Combofix log (C:\Combofix.txt)
    • a new HijackThis log
    • How is your computer running now?
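The CFScript above is a plain-text instruction file with four section headers (File::, DirLook::, Folder::, Registry::) that ComboFix consumes when the file is dragged onto it. The following is an added illustration for this thread, not code from ComboFix, HijackThis or the helper: it parses a CFScript of that shape, parses a few HijackThis lines copied from the log posted earlier in the thread, flags the entries a reviewer would look at first (a Winlogon Notify entry whose DLL is missing, services with "Unknown owner"), and reports which of those the script actually acts on. The sample inputs are constructed from the thread (the File:: list is abridged); the "Unknown owner" flag is only a prompt for review, since plenty of legitimate software shows up that way, as FreePOPs and BlueSoleil do here.

```python
"""Cross-check a ComboFix CFScript against a HijackThis log excerpt.

Added illustration for this thread; not ComboFix's or HijackThis's own code.
The inputs below are constructed from the posts above and are not a full log.
"""
import re
from collections import defaultdict

# Constructed sample: the CFScript the helper posted (File:: list abridged).
CFSCRIPT = r"""
File::

C:\WINDOWS\system32\xpgcypkl.ini
C:\WINDOWS\system32\lkpycgpx.dll
C:\WINDOWS\system32\ssqoolm.dll

DirLook::

C:\Program Files\VID_0E8F&PID_1009

Folder::

C:\Program Files\Ukrjzrly
C:\Program Files\jyrmrmpi

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1d011700-485a-4304-ba37-551a8345313b}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzc32]
"""

# Constructed sample: a few HijackThis lines taken from the log in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: FreePOPs - Unknown owner - C:\Program Files\FreePOPs\freepopsservice.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
"""

# The section headers that appear in the script above (assumed set for this example).
KNOWN_SECTIONS = {"File::", "Folder::", "DirLook::", "Registry::"}


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; reject headers or layouts we do not expect."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            if line not in KNOWN_SECTIONS:
                raise ValueError(f"unknown CFScript section: {line}")
            current = line
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line}")
        # Registry:: entries in the post are bracketed keys with a leading '-' (delete key).
        if current == "Registry::" and not (line.startswith("[-") and line.endswith("]")):
            raise ValueError(f"unexpected Registry:: entry: {line}")
        sections[current].append(line)
    return dict(sections)


HJT_LINE = re.compile(r"^(O\d+) - (.+)$")


def parse_hjt(text):
    """Return (section, body) tuples for every HijackThis entry line."""
    out = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def flag_hjt(entries):
    """Entries a reviewer looks at first: missing files and services without a known owner.
    This is a triage prompt, not a verdict; 'Unknown owner' is common for legitimate software."""
    return [(s, b) for s, b in entries if "(file missing)" in b or "Unknown owner" in b]


def coverage(flagged, script):
    """Map each flagged HijackThis entry to whether the CFScript acts on it."""
    reg = [r.lower() for r in script.get("Registry::", [])]
    files = [f.lower() for f in script.get("File::", [])]
    result = {}
    for sec, body in flagged:
        if sec == "O20":
            # body looks like "Winlogon Notify: winzzc32 - winzzc32.dll (file missing)"
            name = body.split(": ", 1)[1].split(" - ", 1)[0].lower()
            result[(sec, name)] = any(f"\\winlogon\\notify\\{name}" in r for r in reg)
        elif sec == "O23":
            # body ends with " - <service binary path>"
            path = body.rsplit(" - ", 1)[1].lower()
            result[(sec, path)] = path in files
    return result


if __name__ == "__main__":
    script = parse_cfscript(CFSCRIPT)
    flagged = flag_hjt(parse_hjt(HJT_LOG))
    for (sec, ident), hit in coverage(flagged, script).items():
        status = "targeted by script" if hit else "not in script, review manually"
        print(f"{sec} {ident}: {status}")
```

Run stand-alone, it reports that the Registry:: line removing the winlogon\notify\winzzc32 key covers the O20 "(file missing)" entry, while the two "Unknown owner" services are untouched by the script and are left for a human to judge, which is the right outcome here since the helper did not list them for removal.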
