Virus and Pop Up Issues

You all helped me a year ago and how I appreciated that, and now I am asking for help again!! Clueless what really got all this started again. I read through forums to see if I can fix this without help, all too confusing for me. Please?

I have Avast notices of … Win32:SecBarB[Adw] … Win32:Tiny-JC[trj] … Win32:Trojano-2873[trj] … Win32:Small-IKZ[trj] … Win32:Adloader-KH[trj] … Win32:Adware-gen[Adw] … Win32:VB-FXN[trj]. I tried to figure out how to copy from “Virus Chest” and couldn't figure it out, this can get you started?

I have numerous pop ups.

What software (I did update first) I have run so far:
Avast (of course!)
SuperAntiSpyware
Spybot - Search & Destroy
AVG Anti-Rootkit Beta
VundoFix
I do have CCleaner installed, but too insecure about how to really use it, so didn't.

Even after running these programs, and I did have two scheduled scans with Avast, I am still having plenty of popups with about 8-10 detections daily with Avast.

And a final question: Is one of these anti-spyware programs (etc) a reason why I could be having these popups? Does a person need to clear out any downloaded software and reload from fresh?

Thanks guys… Marian

> And a final question: Is one of these anti-spyware programs (etc) a reason why I could be having these popups? Does a person need to clear out any downloaded software and reload from fresh?

No, they are all legitimate and you don’t need to reinstall. You will need to download an up-to-date version of VundoFix.

The pop-ups sound like a nasty vundo infection.

Follow the instructions here, making sure to download recent versions of the programs mentioned. (One of them is VundoFix.)

http://www.bleepingcomputer.com/forums/topic18610.html

You can also try the Symantec tool:

http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99

If still having problems, post a HijackThis! log.

Thanks for the reply, greatly appreciated. Sorry for the lag in getting back, overwhelmed over here!!

I upgraded VundoFix to VundoFix V6.7.0, and installed Windows Defender.

I scanned numerous times with Avast [timed scanning], SuperAntiSpyware [in safe mode], Spybot Search & Destroy, Windows Defender. Numerous viruses, etc. were detected and dealt with how the software told me to. However, Avast had a few that would not accept quarantining them, so I chose to delete them.

Now, when I reboot up the computer, it tells me that I am missing a file: WINDOWS\System32\vjuvtfoi.dll

I am still having pop up issues. I will be upgrading to “WildBlue” satellite next week [hopefully], and would like to get rid of this stuff on my computer. It takes me a very long time to even scan!!

I still have HijackThis on my computer from last year. I did notice that I still have backup files saved. Before rescanning with HijackThis, should I not delete those files from last year? And of course, I forgot how to do this!!

Why did avast not allow sending to the chest? This is a question you should have asked before deletion, for the reason that instead of this file it is unable to find (which is almost certainly malware, as there are zero hits for the file name on google) it could well have been an important file incorrectly detected.

Having probably moved or deleted this file, there is still a registry entry trying to start it on boot; you need to clear that registry entry.

Run HJT and look for any entry for WINDOWS\System32\vjuvtfoi.dll and fix them. Once you have done that, click the Config button, select the Backup tab, and there you can select the old backups you wish to delete.

Your HJT is also likely to be well out of date too: FileHippo Download - HiJackThis.

Once you have run the new version, post the contents of the HJT log in a new post. It may take more than one post; if so, just split the copy and paste over two or more posts.

Thank you for replying David…

When I tried moving the virus to the chest, it kept telling me it couldn't as it was being used by another application. Maybe I should have just closed out Avast rather than deleting, is what you are saying? Oops… naive person!! :)

I am not really gifted with figuring out this computer stuff, but I will upgrade my HJT and try to do what you asked of me… Later.

No, never turn off avast!!!

Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can analyse them further.

I’m surprised that when it couldn’t be moved because it was in use (common issue if malware is running) that the same problem ‘didn’t’ occur when you chose to delete.

No, do not close avast, just don't choose delete as a first option, ‘you have none left.’ If a file is in use, that is where avast's boot-time scan is extremely valuable, as it runs a scan before Windows and in most cases the file won't be in use. avast will be able to detect it and here you should be able to choose ‘move to chest,’ as Tech mentioned. Also see, http://www.digitalred.com/avast-boot-time.php.

Don’t worry about that, we will be here to help if you need it.

This is unbelievable!! I did upgrade HijackThis, and scanned. I want to save the log, so I clicked on [Save Log], right? It all disappears!! I cannot find where the files are (I tried this 3x), even by searching, using key words of “log” and “hijackthis”. Where are those logs going? Also, the older folder for the older HijackThis is gone now too.

As for scheduled boot scanning, I have done this 4x in the last few days.

And yes, I am still getting pop ups… only like 3 of them rather than 30 !!

OK, you should download and run these two programs and post/attach the logs. Please run in the order posted.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Deckards Scan:
Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3000+
Percentage of Memory in Use: 75%
Physical Memory (total/avail): 447.48 MiB / 109.57 MiB
Pagefile Memory (total/avail): 1055.93 MiB / 695.47 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.77 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 144.89 GiB total, 129.76 GiB free.
D: is Fixed (FAT32) - 4.14 GiB total, 0.61 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP1604N - 149.05 GiB - 2 partitions
\PARTITION0 - Unknown - 4.15 GiB - D:
\PARTITION1 (bootable) - Installable File System - 144.89 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

– Security Center ---------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.7.1043 [VPS 071207-0] v4.7.1043 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\WinMX\WinMX.exe"="C:\Program Files\WinMX\WinMX.exe:*:Enabled:WinMX Application"
"C:\Program Files\Canasis\canasis.exe"="C:\Program Files\Canasis\canasis.exe:*:Enabled:Canasis"
"C:\Program Files\WildTangent\Blasterball 2\BB2.exe"="C:\Program Files\WildTangent\Blasterball 2\BB2.exe:*:Enabled:BB2"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:YServer Module"
"C:\WINDOWS\system32\rtcshare.exe"="C:\WINDOWS\system32\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\Program Files\Real\RealOne Player\realplay.exe"="C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealOne Player"
"C:\Program Files\Yahoo! Games\Boggle Supreme\BoggleSupreme.exe"="C:\Program Files\Yahoo! Games\Boggle Supreme\BoggleSupreme.exe:*:Enabled:Boggle Supreme"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"="C:\Program Files\BearShare Applications\BearShare\BearShare.exe:*:Enabled:BearShare"
"C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe"="C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe:*:Disabled:Instant Update Configuration EXE"
"C:\WINDOWS\io43mvuiw4kj.exe"="C:\WINDOWS\io43mvuiw4kj.exe:*:Disabled:io43mvuiw4kj"
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe"="C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\Program Files\Yahoo! Games\Magic Ball\MagicBall.exe"="C:\Program Files\Yahoo! Games\Magic Ball\MagicBall.exe:*:Disabled:MagicBall"
"C:\WINDOWS\system32\ckvqeaym.exe"="C:\WINDOWS\system32\ckv"
"C:\WINDOWS\system32\bwpvvsjk.exe"="C:\WINDOWS\system32\bwp"
"C:\WINDOWS\system32\dtbyqqxg.exe"="C:\WINDOWS\system32\dtb"

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JORDAN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LD_LIBRARY_PATH=c:\Corel\Office7\Shared\TrueDoc\Bin
LOGONSERVER=\\JORDAN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\QuickTime\QTSystem;;c:\Corel\Office7\Shared\TrueDoc\Bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=JORDAN
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI

– Add/Remove Programs ---------------------------------------------

→ C:\PROGRA~1\INCRED~1\bin\imsetup.exe /remove /addon:IncrediMail /log:IncMail.log
→ C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
→ C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
→ C:\WINDOWS\System32\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
→ c:\WINDOWS\System32\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
→ RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
→ RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
→ RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
→ RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
→ VTUninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Timer'
Ad-Aware SE Personal → C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adaptec UDF Reader → C:\WINDOWS\System32\UDFRUNIN.EXE
Adobe Atmosphere Player for Acrobat and Adobe Reader → C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX → C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.9 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Agere Systems PCI Soft Modem → agrsmdel
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
AVG Anti-Rootkit Beta → C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta\Uninstall.exe
Blackhawk Striker from Compaq (remove only) → "C:\Program Files\WildTangent\Apps\GameChannel\Games\F07504C6-20C5-4BFE-83A0-523FB2455E72\Uninstall.exe"
Calendar Maker → C:\WINDOWS\uninst.exe -f"C:\Program Files\greenstreet\DeIsL1.isu"
CAM UnZip 4.4 → "C:\Program Files\CAM Development\CAM UnZip\Uninstall\unins000.exe"
CCleaner (remove only) → "C:\Program Files\CCleaner\uninst.exe"
CCScore → MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
CodeStuff Starter → "C:\Program Files\CodeStuff\Starter\unStarter.exe"
Compaq Connections → C:\WINDOWS\BWUnin-6.2.3.66L.exe -AppId 1940576
Compaq Instant Support → C:\PROGRA~1\COMPAQ~2\UNWISE.EXE C:\PROGRA~1\COMPAQ~2\INSTALL.LOG
Compaq Organize → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
Corel Business Applications → c:\Corel\Office7\AppMan\Setup\remove.exe
Creative Modem Blaster PCI Value DI5652-1 → C:\Program Files\CREATIVE\CNXT_MODEM_PCI_VEN_14F1&DEV_2F00&SUBSYS_1055148D\HXFSETUP.EXE -U -IVEN_14F1&DEV_2F00&SUBSYS_1055148D
Desktop Weather by The Weather Channel → C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
Dual Mode Camera → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5168221A-732B-42E7-85E8-201D7A0CB954}\Setup.exe" -l0x9
Easy Internet Sign-up → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0613467F-A45E-4CB1-9ECE-1F3DD79FB927} /l1033
Enhanced Multimedia Keyboard Solution → C:\HP\KBD\Install.exe /u
ESSBrwr → MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK → MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore → MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui → MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp → MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini → MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD → MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock → MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC → MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS → MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt → MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
essvcpt → MsiExec.exe /I{D1973749-F5E7-40EB-B528-F2B78685B9FF}
Excavation from Compaq (remove only) → "C:\Program Files\WildTangent\Apps\GameChannel\Games\C679AA5F-C2C8-4EA8-9CD1-504A39AEC264\Uninstall.exe"
Five Card Frenzy from Compaq (remove only) → "C:\Program Files\WildTangent\Apps\GameChannel\Games\2FDCC229-354D-4279-ABEF-CE17E355BFFA\Uninstall.exe"
greenstreet PhotoFX 1.01 → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\greenstreet\Photofx101.isu"
HijackThis 2.0.2 → "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPPDOCK → MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HP Customer Participation Program 7.0 → C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
hp deskjet 5600 → msiexec /x{8CDC6712-AF80-459E-911F-F1E156CB0AB0}
HP Deskjet Preloaded Printer Drivers → MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone 3.5 → C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 7.0 → C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photo & Imaging 3.5 - HP Devices → C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP Photosmart Essential → MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Photosmart, Officejet and Deskjet 7.0.A → C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP PSC & OfficeJet 3.0 → "C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Solution Center 7.0 → C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update → MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Image Resizer Powertoy for Windows XP → MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
ImageShack Toolbar for Internet Explorer → MsiExec.exe /X{92E6E396-0566-46DF-AB50-20B4A7F3AF17}
Instant Email → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Polaroid\Instant Email\Uninst.isu"
IntelliMover Data Transfer Demo → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo WinDVD Creator 2 → "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD Player → "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java 2 Runtime Environment, SE v1.4.2_03 → MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
kgcbaby → MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase → MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday → MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn → MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt → MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids → MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove → MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday → MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software → C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140010_13ded67\Setup.exe /APR-REMOVE
KSU → MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Macromedia Shockwave Player → C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Micro Innovations Wireless Optical Mouse → C:\Program Files\Micro Innovations\Wireless Optical Mouse\uninst00.exe
Microsoft Data Access Components KB870669 → C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia 2000 → "C:\Program Files\Microsoft Encarta\Encarta Encyclopedia 2000\unee2000.exe" /uninstall
Microsoft Expedia Streets & Trips 2000 → C:\Program Files\Common Files\Microsoft Shared\Geography\Setup\acmsetup.exe /T SUT70409.stf
Microsoft FrontPage 2002 → MsiExec.exe /I{90170409-6000-11D3-8CFE-0050048383C9}
Microsoft Home Publishing 2000 → MsiExec.exe /I{9944aa9e-362d-11d3-81ab-00c04fb932ba}
Microsoft Learning and Research Plus Support Files → MsiExec.exe /I{00000000-3976-4267-9F39-1DC4745090B7}
Microsoft Office Standard Edition 2003 → MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Picture It! Express 7.0 → MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE130}
Microsoft Plus! Digital Media Edition → MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft Web Publishing Wizard 1.52 → RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Windows Journal Viewer → MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Word 2000 → MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Microsoft Works 2000 → MsiExec.exe /I{56364334-9530-11D2-BFFC-00C04FA329AA}
Microsoft Works 2000 Setup Launcher → C:\Program Files\Microsoft Works Suite 2000\Setup\Launcher.exe E:
Microsoft Works 7.0 → MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MicroWorlds EX Web Player → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C15EF442-868C-4524-8935-851224E17392}\setup.exe" -l0x9 -removeonly
MicroWorlds Web Player → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\LCSI\MicroWorlds Web Player\Uninst.isu"
MSN Internet Software → C:\Program Files\MSN\MSNCoreFiles\Setup\msnunin.exe
MSN Messenger 7.5 → MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MSN Toolbar → C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c
Multimedia Card Reader → C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF9967D8-1999-4260-ACC2-86901AA36650}
MyLayout Profile Editor → "C:\MYDOWN~1\MyLayout Profile Editor\UNINSTAL.EXE"
NetWaiting → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\Setup.EXE" -l0x9 ControlPanelAnyText
Notifier → MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
NVIDIA GART Driver → C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA GART Driver
OfotoXMI → MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OLYMPUS CAMEDIA Master 1.2 → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\OLYMPUS\CAMEDIA Master\Uninst.isu"
Orbital from Compaq (remove only) → "C:\Program Files\WildTangent\Apps\GameChannel\Games\26DC0ED6-93A7-43C1-8DC5-EC16079580F9\Uninstall.exe"
OTtBP → MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK → MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Otto from Compaq (remove only) → "C:\Program Files\WildTangent\Apps\GameChannel\Games\8A225900-C06D-41DD-B66C-43840D472758\Uninstall.exe"
Overball from Compaq (remove only) → "C:\Program Files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\Uninstall.exe"
PC-Doctor for Windows → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PhoTags Express → C:\PROGRA~1\PHOTAG~1\Setup.exe /remove
Picasa 2 → "C:\Program Files\Picasa2\Uninstall.exe"
Polar Bowler from Compaq (remove only) → "C:\Program Files\WildTangent\Apps\GameChannel\Games\05E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe"
PS2 → C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions → C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 → C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2004 → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8} anything
QuickTime → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
Rand McNally TripMaker → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Rand McNally\TripMaker\Uninst.isu"
RealPlayer → C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RecordNow! → MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Registry Cleaner 6.0.0.004 → "C:\Program Files\Registry Cleaner\unins000.exe"
S3 S3Display → vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Display'
S3 S3Gamma2 → vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Gamma2'
S3 S3Info2 → vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Info2'
S3 S3Overlay → vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Overlay'
Scrapbook Factory → MsiExec.exe /X{A75AC597-EDCD-4FC7-94C5-2F72B52C95CA}
Security Update for Step By Step Interactive Training (KB898458) → "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) → "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR → MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA → MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Shockwave → C:\WINDOWS\system32\Macromed\SHOCKW~3\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~3\Install.log
Sierra Utilities → .\sutil32.exe uninstall
SKIN0001 → MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK → MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Slyder from Compaq (remove only) → "C:\Program Files\WildTangent\Apps\GameChannel\Games\8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E\Uninstall.exe"
Software Direct → C:\WINDOWS\uninst.exe -f"C:\Program Files\Software Direct\DeIsL1.isu" -c"C:\Program Files\Software Direct\_ISREG32.DLL"
Sonic Update Manager → MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SpamSubtract → C:\PROGRA~1\INTERM~1\SPAMSU~1\UNWISE.EXE /U C:\PROGRA~1\INTERM~1\SPAMSU~1\INSTALL.LOG
Spybot - Search & Destroy 1.4 → "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
staticcr → MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
SUPERAntiSpyware Free Edition → MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
U.S. Robotics V.92 PCI Faxmodem → C:\Program Files\CONEXANT\USR_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_200014F1\HXFSETUP.EXE -U -IVEN_14F1&DEV_2F30&SUBSYS_200014F1&REV_01
USRobotics Instant Update → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{37039F32-5D27-409B-8FD4-5B51EEF31DBE}\Setup.exe" -l0x9
VIA Rhine-Family Fast Ethernet Adapter → Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver → VTsetvga.exe -s -rRundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\system32\hg201hp.inf
VPRINTOL → MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Weather Services → C:\WINDOWS\system32\control.exe C:\WINDOWS\system32\wxfw.cpl,4
Windows Defender → MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
WIRELESS → MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Word in Works Suite add-in → MsiExec.exe /I{0DB93918-2A77-11D3-805A-00C04FA329AA}
Yahoo! Address AutoComplete → C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\yaddbook.dll
Yahoo! Browser Services → C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Internet Mail → C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger → C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar → C:\PROGRA~1\Yahoo!\Common\unyt.exe

– Application Event Log -------------------------------------------------------

Event Record #/Type178 / Warning
Event Submitted/Written: 12/07/2007 04:25:11 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type169 / Warning
Event Submitted/Written: 12/07/2007 08:40:50 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type163 / Warning
Event Submitted/Written: 12/07/2007 00:46:30 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type162 / Error
Event Submitted/Written: 12/07/2007 00:43:25 AM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType avsubmit, P1 windefend, P2 1.1.3007.0, P3 unspecified, P4 1.23.4485.0, P5 trojan_win32_virtumonde.gen, P6 NIL, P7 NIL, P8 NIL, P9 avsubmit0, P10 avsubmit1.

Event Record #/Type158 / Warning
Event Submitted/Written: 12/06/2007 10:16:11 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type39086 / Warning
Event Submitted/Written: 12/07/2007 06:26:10 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JORDAN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JORDAN27 can’t undo changes that you allow.

There is more info if you need it … let me know … Mare
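As an added example (my code, not anything from the thread, DSS, HijackThis or avast!), this Python script does offline what David's advice and the DSS log above call for: it flags firewall exception entries that are malformed or that sit in a Windows system directory with no descriptive name, and it lists autostart entries whose target file is gone, which is the state that produces the boot-time message about vjuvtfoi.dll. The sample firewall lines, the autostart entries and sample_file_exists (a stand-in for os.path.exists) are all constructed.

```python
"""Offline triage for the two things this thread turns on.

Added example, not code from DSS, HijackThis or avast!:
  1. flag firewall AuthorizedApplications entries, like those in the DSS
     Security Center section, that deserve a second look;
  2. list autostart entries whose target file no longer exists, which is
     what produces the boot-time "missing file" message for vjuvtfoi.dll.
All inputs below are constructed to match the shapes seen in the thread.
"""
import ntpath
import re

# XP firewall exception value format:  <path>:*:<Enabled|Disabled>:<display name>
FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"\s*$')
FW_VALUE = re.compile(r'^(?P<path>.+?):\*:(?P<state>Enabled|Disabled):(?P<name>.+)$',
                      re.IGNORECASE)

# A legitimate exception for a binary in a Windows system directory carries a
# resource string (@dll,-id) or a descriptive name, not just its own file name.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", "%windir%", r"%windir%\system32"}

# Constructed sample in the shape of the DSS "Security Center" section above.
SAMPLE_FIREWALL_LINES = r'''
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\WINDOWS\system32\rtcshare.exe"="C:\WINDOWS\system32\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\WINDOWS\io43mvuiw4kj.exe"="C:\WINDOWS\io43mvuiw4kj.exe:*:Disabled:io43mvuiw4kj"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"
"C:\WINDOWS\system32\ckvqeaym.exe"="C:\WINDOWS\system32\ckv"
"C:\WINDOWS\system32\bwpvvsjk.exe"="C:\WINDOWS\system32\bwp"
'''


def triage_firewall_exceptions(log_text):
    """Return [(exception path, reason)] for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = FW_LINE.match(raw.strip())
        if not m:
            continue                      # key headers and blank lines
        key, value = m.group("key"), m.group("value")
        v = FW_VALUE.match(value)
        if v is None:
            # Not path:*:state:name at all; the truncated entries at the end
            # of the posted log look exactly like this.
            findings.append((key, "malformed value, not path:*:state:name: " + value))
            continue
        directory, filename = ntpath.split(v.group("path"))
        stem = ntpath.splitext(filename)[0]
        if directory.lower() in SYSTEM_DIRS and v.group("name").lower() == stem.lower():
            findings.append((key, "binary in a system directory with no descriptive name"))
    return findings


# The last .exe/.dll path in an autostart command is what Windows actually
# loads (e.g. the DLL after "rundll32.exe"); paths containing spaces must be quoted.
PATH_IN_COMMAND = re.compile(r'"([^"]+?\.(?:exe|dll))"|(\S+?\.(?:exe|dll))', re.IGNORECASE)


def orphaned_autostarts(entries, file_exists):
    """entries: [(value name, command)]; file_exists: path -> bool.

    Returns (name, target) for every entry whose target is missing: the
    registry still points at a deleted file, so Windows complains at boot.
    On a live machine pass os.path.exists; here a constructed set stands in."""
    orphans = []
    for name, command in entries:
        hits = [quoted or bare for quoted, bare in PATH_IN_COMMAND.findall(command)]
        if hits and not file_exists(hits[-1]):
            orphans.append((name, hits[-1]))
    return orphans


# Constructed autostart entries; the vjuvtfoi one models the orphan in the thread.
SAMPLE_AUTOSTARTS = [
    ("avast!", r"C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"),
    ("Windows Defender", r'"C:\Program Files\Windows Defender\MSASCui.exe" -hide'),
    ("vjuvtfoi", r"rundll32.exe C:\WINDOWS\System32\vjuvtfoi.dll,Run"),
]
PRESENT_FILES = {r"c:\progra~1\alwils~1\avast4\ashdisp.exe",
                 r"c:\program files\windows defender\msascui.exe"}


def sample_file_exists(path):
    """Stand-in for os.path.exists against the constructed file set."""
    return path.lower() in PRESENT_FILES


if __name__ == "__main__":
    for key, reason in triage_firewall_exceptions(SAMPLE_FIREWALL_LINES):
        print("FIREWALL  %s  <- %s" % (key, reason))
    for name, target in orphaned_autostarts(SAMPLE_AUTOSTARTS, sample_file_exists):
        print("ORPHAN    [%s] -> %s" % (name, target))
```

The heuristics are deliberately narrow: every legitimate system-directory entry in the posted log carries a resource string or a real description, so the rule catches io43mvuiw4kj.exe without touching rtcshare.exe or rundll32.exe.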

From the main.txt-Notepad …

Deckard’s System Scanner v20071014.68
Run by Owner on 2007-12-07 18:23:22
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

– Last 5 Restore Point(s) –
108: 2007-12-08 01:23:35 UTC - RP352 - Deckard’s System Scanner Restore Point
107: 2007-12-08 00:15:12 UTC - RP351 - Software Distribution Service 3.0
106: 2007-12-07 12:45:45 UTC - RP350 - Windows Defender Checkpoint
105: 2007-12-07 06:07:58 UTC - RP349 - Windows Defender Checkpoint
104: 2007-12-06 23:32:02 UTC - RP348 - System Checkpoint

– First Restore Point –
1: 2007-11-27 22:31:36 UTC - RP245 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 448 MiB (512 MiB recommended).

– HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25, on 2007-12-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Registry Cleaner\RCSystemTray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZF9RE1Z9\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24A41A0B-4D59-4FA3-86F6-A5EE3C482313} - C:\Program Files\Windows NT\mevojuliC:\WINDOWS\system32\v2\swdrv83122.exe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {62179339-1920-4AED-A272-A889231DE4A5} - C:\Program Files\Windows NT\mevojuliC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {F7ACDBCE-CDCB-4A5C-AAA2-9B28612DB6A5} - C:\WINDOWS\system32\ddccb.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM..\Run: [RCSystemTray] C:\Program Files\Registry Cleaner\RCSystemTray.exe
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NI.UGDC_0001_N122M2610] “c:\documents and settings\owner\application data\installer_en[1].exe”
O4 - HKLM..\Run: [TMT] C:\WINDOWS\Gwang.exe
O4 - HKLM..\Run: [64ced7fd] rundll32.exe “C:\WINDOWS\system32\vjuvtfoi.dll”,b
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Instant Update.lnk = C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ctctel.com/
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.digzag.com/ImageUploader4.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v47/wwspades/wwspades.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip..{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O17 - HKLM\System\CS1\Services\Tcpip..{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O17 - HKLM\System\CS2\Services\Tcpip..{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


End of file - 10074 bytes

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 PID_0928 (Labtec WebCam(PID_0928)) - c:\windows\system32\drivers\lv561av.sys (file missing)
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - “c:\program files\bonjour\mdnsresponder.exe” <Not Verified; Apple Computer, Inc.; Bonjour>

– Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

– Scheduled Tasks -------------------------------------------------------------

2007-12-07 16:30:03 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2005-04-15 14:04:29 284 --a------ C:\WINDOWS\Tasks\XoftSpy.job

– Files created between 2007-11-07 and 2007-12-07 -----------------------------

2007-12-07 16:49:09 0 d-------- C:\Program Files\Trend Micro
2007-12-06 23:02:02 0 d-------- C:\Program Files\XoftSpySE
2007-12-05 09:02:41 0 d-------- C:\Program Files\Windows Defender
2007-12-05 07:54:26 455915 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-12-05 07:52:08 329312 -----n--- C:\WINDOWS\system32\ddccb.dll
2007-12-03 17:40:12 0 d-------- C:\WINDOWS\system32\v2
2007-12-03 17:39:58 0 d-------- C:\WINDOWS\system32\bmv2
2007-12-03 17:39:57 0 d-------- C:\WINDOWS\system32\t21
2007-12-03 17:33:13 0 d-------- C:\WINDOWS\system32\rev1
2007-12-03 17:29:15 0 d-------- C:\WINDOWS\system32\daSgo06
2007-12-03 13:32:44 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2007-11-30 10:46:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-30 10:45:41 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-30 10:45:41 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-30 10:45:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-29 22:45:33 6144 --a------ C:\WINDOWS\ms042771381691.exe
2007-11-27 15:23:11 7713 -----n--- C:\WINDOWS\system32\ldcore.dll
2007-11-27 15:18:03 0 d-------- C:\WINDOWS\system32\rMa02yy
2007-11-07 13:33:38 0 d-------- C:\Program Files\Microsoft Picture It! 7

– Find3M Report ---------------------------------------------------------------

2007-12-05 11:57:30 0 d-------- C:\Program Files\Common Files
2007-12-04 22:33:26 0 d-------- C:\Program Files\Yahoo!
2007-12-04 22:33:23 0 d-------- C:\Program Files\Common Files\Scanner
2007-12-03 11:47:29 0 d-------- C:\Program Files\Google
2007-12-03 00:09:39 0 d-------- C:\Program Files\MSN Gaming Zone
2007-12-03 00:05:14 0 d-------- C:\Program Files\IncrediGames
2007-11-24 18:13:41 0 d-------- C:\Program Files\Microsoft Home Publishing 2000
2007-09-12 11:52:44 53248 --a------ C:\WINDOWS\hg173.exe <Not Verified; ; hg173>