Virtumonde and SmitFraud

[GoghUA]

Hello, I seem to need some help eliminating some malware from my machine. Here is a little background information...

My computer is Vista SP1 with IE7. I initialy noticed the problem when the SmitFraud malware changed my desktop background and both Windows Defender and AVG Free edition notified me of an issue. I immediately updated SpyBot and ran a scan. The two major offenders were Virtuamonde and SmitFraud, there were a few others but those seem to have been eliminated. Per the additional notes, I rebooted into Safe Mode and ran SpyBot again to ensure that these were eliminate. I also did it once more with my internet connection unhooked. It seemed that the malware had been eliminated however, when I reboot my machine with my internet connection enabled it seems that they come right back.

I followed all of the instructions in the BEFORE you POST thread, so here is my HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:34 PM, on 8/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [monhlpcfg] C:\ProgramData\monhlpcfg\mtafsjmr.exe
O4 - HKCU\..\Run: [lphc7rwj0en3g] C:\Windows\system32\lphc7rwj0en3g.exe
O4 - HKCU\..\Run: [IjXWNmJMgt] C:\ProgramData\kxqtalmz\sdqfqpmz.exe
O4 - HKCU\..\Run: [apigen] C:\ProgramData\apigen\qbwpolaz.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Users\Matt\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Server\vmware-authd.exe (file missing)
O23 - Service: VMware Registration Service (vmserverdWin32) - Unknown owner - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe (file missing)
O23 - Service: YPDCQFHNF - Unknown owner - C:\Users\Matt\AppData\Local\Temp\YPDCQFHNF.exe (file missing)

--
End of file - 5844 bytes



Thanks in advance for any help that you can provide.

Sorry, I can't seem to edit my original post...

Anyway, I thought this information would be helpful to some others so I thought it would be valuable to post. I realized that when I ran hijack this, I didn't do "run as administrator" so I wasn't seeing all of the processes. I re-ran it as an adminstrator and I was able to see quite a few offending executibles that Virtumonde had placed into my C:\ProgramData folder with random names. It seems that after deleting these folders and executibles, then rebooting into safe mode and running SpyBot again to wipe out Virtumonde, I may have eliminated the malware.

Here is my new HJT scan, this time ran as administrator...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:04 PM, on 8/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Users\Matt\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Server\vmware-authd.exe (file missing)
O23 - Service: VMware Registration Service (vmserverdWin32) - Unknown owner - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe (file missing)
O23 - Service: YPDCQFHNF - Unknown owner - C:\Users\Matt\AppData\Local\Temp\YPDCQFHNF.exe (file missing)

--
End of file - 5933 bytes



I am going to go through a few more reboot and scan cycles to make sure it is completly wiped out.

[steamwiz]

Hi

What you see in hijackthis is often just the "tip of the iceberg" with this malware ... I suggest you do this :-

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Then do the same with extra.txt

Note: you'll find extra.txt here :- C:\Deckard\System Scanner\extra.txt

Please remember to post both txt files ...


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

THEN ..

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  
  • Scan using the following Anti-Virus database:
  
  
  • Extended (if available otherwise Standard)
  
  
  • Scan Options:
  
  
  • Scan Archives Scan Mail Bases
• Click OK
• Now under select a target to scan:
  
  • Select My Computer
• The program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Once finished, save the log to your Desktop as filename KAV.txt

THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebyt...are_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.


steam

[GoghUA]

Thanks Steam, I followed your instructions, here are the requested log files...

********** Begin Main.txt **********
Deckard's System Scanner v20071014.68
Run by Matt on 2008-08-16 18:43:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
14: 2008-08-16 16:55:04 UTC - RP583 - Removed Japanese Fonts Support For Adobe Reader 8
13: 2008-08-16 16:50:00 UTC - RP582 - Removed VMware Server
12: 2008-08-16 16:18:58 UTC - RP581 - Windows Update
11: 2008-08-16 02:13:51 UTC - RP580 - Scheduled Checkpoint
10: 2008-08-14 23:25:27 UTC - RP579 - Scheduled Checkpoint


-- First Restore Point --
1: 2008-08-04 01:46:15 UTC - RP570 - Windows Backup


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Matt.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:53 PM, on 8/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Users\Matt\Desktop\dss.exe
C:\PROGRA~1\Trend Micro\HijackThis\Matt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Users\Matt\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Server\vmware-authd.exe (file missing)
O23 - Service: VMware Registration Service (vmserverdWin32) - Unknown owner - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe (file missing)

--
End of file - 6018 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\Trend Micro\HijackThis\backups\) ------

backup-20080816-181100-103 O23 - Service: YPDCQFHNF - Unknown owner - C:\Users\Matt\AppData\Local\Temp\YPDCQFHNF.exe (file missing)
backup-20080816-181100-280 O23 - Service: VMware Registration Service (vmserverdWin32) - Unknown owner - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe (file missing)
backup-20080816-181100-291 O13 - Gopher Prefix:
backup-20080816-181100-466 O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Server\vmware-authd.exe (file missing)
backup-20080816-181100-713 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 DgiVecp - \??\c:\windows\system32\drivers\dgivecp.sys
R2 SSPORT - \??\c:\windows\system32\drivers\ssport.sys
R3 OpenDrvII (AOpen OpenCLibv4 Driver) - c:\windows\system32\drivers\opendrvii.sys <Not Verified; AOpen Inc.; Open Driver Ver 1.0>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 VMAuthdService (VMware Authorization Service) - "c:\program files\vmware\vmware server\vmware-authd.exe" (file missing)
S2 vmserverdWin32 (VMware Registration Service) - c:\program files\vmware\vmware server\vmserverdwin32.exe (file missing)
S4 YPDCQFHNF - c:\users\matt\appdata\local\temp\ypdcqfhnf.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e97b-e325-11ce-bfc1-08002be10318}
Description: ATI 437A Serial ATA Controller
Device ID: PCI\VEN_1002&DEV_437A&SUBSYS_437A1002&REV_80\3&18D45AA6&0&88
Manufacturer: ATI
Name: ATI 437A Serial ATA Controller
PNP Device ID: PCI\VEN_1002&DEV_437A&SUBSYS_437A1002&REV_80\3&18D45AA6&0&88
Service: SI3112

Class GUID:
Description:
Device ID: PCI\VEN_1002&DEV_4379&SUBSYS_43791002&REV_80\3&18D45AA6&0&90
Manufacturer:
Name:
PNP Device ID: PCI\VEN_1002&DEV_4379&SUBSYS_43791002&REV_80\3&18D45AA6&0&90
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-08-15 21:20:31 416 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{7BAC0291-9F4D-4FA2-8288-1F1E00065A85}.job


-- Files created between 2008-07-16 and 2008-08-16 -----------------------------

2008-08-16 18:29:31 0 d-------- C:\Users\All Users\TEMP
2008-08-16 18:29:26 0 d-------- C:\Program Files\SpywareBlaster
2008-08-16 17:57:47 0 d-------- C:\Program Files\Fiddler2
2008-08-16 14:14:29 0 d-------- C:\Program Files\CCleaner
2008-08-16 13:27:09 73728 --a------ C:\Windows\zlib1.dll <Not Verified; ; zlib>
2008-08-16 13:27:09 162304 --a------ C:\Windows\libxslt.dll
2008-08-16 13:27:09 971776 --a------ C:\Windows\libxml2.dll
2008-08-16 13:27:09 888832 --a------ C:\Windows\iconv.dll <Not Verified; Free Software Foundation; libiconv: character set conversion library>
2008-08-16 12:24:33 0 d-------- C:\Program Files\Trend Micro
2008-08-16 11:06:44 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-15 22:04:17 0 d--h----- C:\$AVG8.VAULT$
2008-08-08 18:38:36 0 d-------- C:\Program Files\Apple Software Update
2008-08-08 18:37:53 0 d-------- C:\Program Files\iPod
2008-08-08 18:37:50 0 d-------- C:\Program Files\iTunes
2008-08-02 19:46:10 0 d-------- C:\Program Files\Microsoft Money Plus
2008-08-02 19:31:26 0 d-------- C:\Downloads


-- Find3M Report ---------------------------------------------------------------

2008-08-16 18:33:39 12 --a------ C:\Windows\bthservsdp.dat
2008-08-16 13:24:52 0 d-------- C:\Users\Matt\AppData\Roaming\Notepad++
2008-08-16 13:24:14 0 d-------- C:\Program Files\Notepad++
2008-08-16 11:53:51 0 d-------- C:\Program Files\VMware
2008-08-16 11:53:50 0 d-------- C:\Program Files\Common Files
2008-08-13 21:41:11 0 d-------- C:\Program Files\Windows Mail
2008-08-03 20:54:07 38423 --a------ C:\Users\Matt\AppData\Roaming\Comma Separated Values (Windows).ADR
2008-08-02 19:38:15 0 d-------- C:\Program Files\Microsoft Money 2006
2008-07-21 21:26:12 0 d-------- C:\Program Files\Winamp
2008-07-21 21:25:56 0 d-------- C:\Users\Matt\AppData\Roaming\Winamp
2008-07-17 18:55:51 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-15 21:41:10 0 d-------- C:\Users\Matt\AppData\Roaming\RssBandit
2008-07-11 18:39:42 0 d-------- C:\Program Files\Bonjour
2008-07-11 18:39:22 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 11:38 PM]
"RtHDVCpl"="RtHDVCpl.exe" [03/24/2007 09:30 PM C:\Windows\RtHDVCpl.exe]
"Samsung PanelMgr"="C:\Windows\Samsung\PanelMgr\SSMMgr.exe" [01/03/2007 04:47 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/02/2008 05:27 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/30/2008 10:47 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/18/2008 11:33 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
GPSvcGroup GPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32e3a5b5-99c6-11dc-b658-00018060e47a}]
AutoRun\command- J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ec8d849-99c7-11dc-b96c-00018060e47a}]
AutoRun\command- K:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-16 18:47:15 ------------

********** END Main.txt **********


********** Begin Extra.txt **********

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Business (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 Processor 3200+
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 2045.84 MiB / 1331.71 MiB
Pagefile Memory (total/avail): 4344.21 MiB / 3476.97 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1906.84 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 44.43 GiB free.
D: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (FAT32)
K: is Fixed (NTFS) - 232.88 GiB total, 30.46 GiB free.

\\.\PHYSICALDRIVE0 - ST380011A ATA Device - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE1 - SanDisk U3 Cruzer Micro USB Device - 3.82 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 3.83 GiB - J:

\\.\PHYSICALDRIVE3 - USB2.0 CardReader CF USB Device

\\.\PHYSICALDRIVE5 - USB2.0 CardReader MS USB Device

\\.\PHYSICALDRIVE6 - USB2.0 CardReader SD USB Device

\\.\PHYSICALDRIVE4 - USB2.0 CardReader SM XD USB Device

\\.\PHYSICALDRIVE2 - WDC WD2500JB-00GVC0 USB Device - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - K:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)
AS: AVG Anti-Virus Free v8.0 (AVG Technologies) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Matt\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TINYTOO
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Matt
LOCALAPPDATA=C:\Users\Matt\AppData\Local
LOGONSERVER=\\TINYTOO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\AOpen\Common\.;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Matt\AppData\Local\Temp
TMP=C:\Users\Matt\AppData\Local\Temp
USERDOMAIN=TinyToo
USERNAME=Matt
USERPROFILE=C:\Users\Matt
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Matt


-- Add/Remove Programs ---------------------------------------------------------

2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
7-Zip 4.56 beta --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
AOpen Application Runtime Environment --> "C:\Program Files\AOpen\Common\unins000.exe"
Apple Mobile Device Support --> MsiExec.exe /I{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}
Apple Software Update --> MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AusLogics Disk Defrag --> "C:\Program Files\AusLogics Disk Defrag\unins000.exe"
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BUM --> MsiExec.exe /I{55937F00-A69B-4049-8D3A-1C7729742B6F}
Canon ScanGear Starter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18A5DFF2-8A95-49F3-873F-743CB5549F3D}\SETUP.EXE" -l0x9 anything
CanoScan Toolbox Ver4.9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA9BCD4D-B782-4637-8F1F-F9A328D3C244}\Setup.exe" -l0x9 anything
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DHTML Editing Component --> MsiExec.exe /I{2EA870FA-585F-4187-903D-CB9FFD21E2E0}
Fiddler2 --> "C:\Program Files\Fiddler2\uninst.exe"
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{3DE0053C-FD9A-483E-B7C9-B06E4392206E}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KODAK EASYSHARE Gallery Easy Upload, v2.1 --> C:\Users\Matt\AppData\Local\KodakGallery\EasyShareSetup\$SETUP_140007_4bb8376\Setup.exe /APR-REMOVE
Live Search Maps Add-In for Microsoft Office Outlook --> MsiExec.exe /I{EB9A4856-C28A-4BC2-9373-975A33BB9CD4}
Microsoft Money Plus --> "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{7F1B3341-A94E-4F5C-B587-CA0EB964221E}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Professional 2007 --> MsiExec.exe /X{91120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs --> MsiExec.exe /X{90120000-00B2-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Virtual PC 2007 --> MsiExec.exe /X{8A7CAA24-7B23-410B-A7C3-F994B0944160}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Notepad++ --> C:\Program Files\Notepad++\uninstall.exe
Paint.NET v3.10 --> MsiExec.exe /X{5E749AEB-5A19-43BA-BB20-3CBB37539FE4}
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
RssBandit --> MsiExec.exe /I{55EDA308-D7BD-4C20-BC52-839F3A31E8AF}
Samsung ML-2010 Series --> C:\Program Files\Samsung\Samsung ML-2010 Series\Install\Setup.exe /R
Security Update for 2007 Microsoft Office System (KB951596) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {1AFF2298-CC00-4A3B-866A-C62B8373794E}
Security Update for Microsoft Office Excel 2007 (KB951546) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {7399DD71-8E24-4E60-B6A8-6CED89C0AC26}
Security Update for Microsoft Office PowerPoint 2007 (KB951338) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Visio 2007 (KB947590) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Turbo Lister 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Update for Microsoft Office Outlook 2007 (KB952142) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb955433) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {D9806966-6AA1-4B55-9528-6748E37CEE86}
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Mobile Device Center --> MsiExec.exe /X{904CCF62-818D-4675-BC76-D37EB399F917}
Windows Mobile Device Center Driver Update --> MsiExec.exe /X{E7044E25-3038-4A76-9064-344AC038043E}


-- Application Event Log -------------------------------------------------------

Event Record #/Type19580 / Warning
Event Submitted/Written: 08/16/2008 06:37:01 PM
Event ID/Source: 3036 / Windows Search Service
Event Description:
The content source <csc://{s-1-5-21-2980063317-1443417611-1578253549-1000}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
The object was not found. (0x80041201)

Event Record #/Type19578 / Success
Event Submitted/Written: 08/16/2008 06:36:05 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type19569 / Success
Event Submitted/Written: 08/16/2008 06:35:27 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type19568 / Success
Event Submitted/Written: 08/16/2008 06:35:25 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type19558 / Warning
Event Submitted/Written: 08/16/2008 06:33:38 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2980063317-1443417611-1578253549-1000_Classes:
Process 980 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2980063317-1443417611-1578253549-1000_CLASSES



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type136331 / Warning
Event Submitted/Written: 08/16/2008 06:45:08 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%TinyToo27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %TinyToo27 can't undo changes that you allow.

For more information please see the following:
%TinyToo275

Scan ID: {2B1CC874-B44E-4C31-A4EB-08C2E980EAE8}

User: TinyToo\Matt

Name: %TinyToo271

ID: %TinyToo272

Severity ID: %TinyToo273

Category ID: %TinyToo274

Path Found: %TinyToo276

Alert Type: %TinyToo278

Detection Type: 1.1.1600.02

Event Record #/Type136330 / Warning
Event Submitted/Written: 08/16/2008 06:45:08 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%TinyToo27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %TinyToo27 can't undo changes that you allow.

For more information please see the following:
%TinyToo275

Scan ID: {ED6F9D74-DCB4-4CAD-AA5B-250DE59E0BCD}

User: TinyToo\Matt

Name: %TinyToo271

ID: %TinyToo272

Severity ID: %TinyToo273

Category ID: %TinyToo274

Path Found: %TinyToo276

Alert Type: %TinyToo278

Detection Type: 1.1.1600.02

Event Record #/Type136329 / Warning
Event Submitted/Written: 08/16/2008 06:45:08 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%TinyToo27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %TinyToo27 can't undo changes that you allow.

For more information please see the following:
%TinyToo275

Scan ID: {439120CB-4F0C-4423-AA52-8322C2F14503}

User: TinyToo\Matt

Name: %TinyToo271

ID: %TinyToo272

Severity ID: %TinyToo273

Category ID: %TinyToo274

Path Found: %TinyToo276

Alert Type: %TinyToo278

Detection Type: 1.1.1600.02

Event Record #/Type136328 / Warning
Event Submitted/Written: 08/16/2008 06:45:05 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%TinyToo27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %TinyToo27 can't undo changes that you allow.

For more information please see the following:
%TinyToo275

Scan ID: {84CC97FD-1A81-4A97-BF30-E36FA00BF326}

User: TinyToo\Matt

Name: %TinyToo271

ID: %TinyToo272

Severity ID: %TinyToo273

Category ID: %TinyToo274

Path Found: %TinyToo276

Alert Type: %TinyToo278

Detection Type: 1.1.1600.02

Event Record #/Type136327 / Warning
Event Submitted/Written: 08/16/2008 06:45:05 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%TinyToo27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %TinyToo27 can't undo changes that you allow.

For more information please see the following:
%TinyToo275

Scan ID: {EA73633C-42D0-4EF1-97FB-3ECBBD82A266}

User: TinyToo\Matt

Name: %TinyToo271

ID: %TinyToo272

Severity ID: %TinyToo273

Category ID: %TinyToo274

Path Found: %TinyToo276

Alert Type: %TinyToo278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-08-16 18:47:15 ------------

********** END Extra.txt **********


********** Begin Kaspersky log **********


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 17, 2008
Operating System: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 16, 2008 22:59:46
Records in database: 1099301
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 130816
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:02:54


File name / Threat name / Threats count
C:\Users\Matt\AppData\Local\Microsoft\Outlook\Outlook2.pst Infected: Trojan-Downloader.HTML.Agent.km 1

The selected area was scanned.

********** End Kaspersky log **********


********** Begin Malwarebystes' log **********

Malwarebytes' Anti-Malware 1.24
Database version: 1061
Windows 6.0.6001 Service Pack 1

9:12:39 AM 8/17/2008
mbam-log-8-17-2008 (09-12-39).txt

Scan type: Quick Scan
Objects scanned: 36573
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\SEC (Rogue.SecureExpertCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

********** End Malwarebystes' log **********



Thanks again for your help.

[steamwiz]

Hi

Your scans are basically clean

Just a few points ...

1. KASPERSKY ONLINE SCANNER 7 REPORT shows this :-

C:\Users\Matt\AppData\Local\Microsoft\Outlook\Outlook2.pst Infected: Trojan-Downloader.HTML.Agent.km 1

The Outlook2.pst file is an Outlook user account which you do NOT want to delete ...

The Trojan-Downloader.HTML.Agent.km referred to is an e-mail probably in the in box of that account ...

Trojan-Downloader:HTML/Agent.KM is a detection for certain spammed emails claiming to contain a link to a video, but actually link to a malicious executable.
The email consists of just a link to a malicious file. To entice the victim to download the malicious file the link claims to contain "Free Video Nude Anjelina Jolie". The URL where the file is hosted varies but the name of the actual file is always video-nude-anjelia.avi.exe.

You need to find the e-mail and delete it ... obviously do NOT click on the link ...

-

2. Run hijackthis...

Click Open the Misc tools section

Click Backups

delete :-

backup-20080816-181100-103 O23 - Service: YPDCQFHNF - Unknown owner - C:\Users\Matt\AppData\Local\Temp\YPDCQFHNF.exe (file missing)

-

You are running an out-of-date version of java

Go to add/remove programs and uninstall any earlier versions ... in your case :-

J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}

Then You can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 7' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

Then you're good to go

steam

[GoghUA]

Thanks Steam! I appreciate your help in getting rid of everything, it looks like all is well now.

[steamwiz]

Hi

You're very welcome

As this thread is resolved, it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam