Virus... please help

In regard to the worm, it seems like it might be related to P2P but I don't see any P2P applications in your log. Does your brother download?

I don’t have any P2P applications, I don’t use any of that. My brother said he was downloading something to edit his MySpace page, not real sure what exactly.

Is it still WinAntiVirus, dating and such or something new now? If you go to sites you don't normally visit do the ads seem to go along with the subject of the new sites? Try some gardening or vehicle repair sites (or anything) to see if the ads change topic.

Yeah, it’s pretty much the same thing. It doesn’t change with different sites.

I’m going to try the Navilog1 and WinPFind3U now. I’ll post back soon.

Search Navipromo version 3.3.0 began on Thu 10/18/2007 at 20:43:18.68

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don’t continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Updated on 17.10.2007 at 20h00 by IL-MAFIOSO

Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 6.0.2900.2096

Done in normal mode

*** Searching for installed Software ***

*** Search folders in C:\WINDOWS ***

*** Search folders in C:\Program Files ***

*** Search folders in C:\Documents and Settings\All Users\Application Data ***

*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

!! Not same hidden file(s)/process(es) found !!
!! Scan results from Catchme not processed by Navilog1 !!

*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in C:\DOCUME~1\TARA *

gnc.exe missing, Scan not done in C:\DOCUME~1\TARA !

*** Search files ***

*** Search specific Registry keys ***

*** Complementary Search ***
(Search specific files)

1)Search known files:
C:\WINDOWS\system32\cefhk.ini2 found ! Possible Vundo infection, not cleaned with this tool !
C:\WINDOWS\system32\cefhk.bak1 found ! Possible Vundo infection, not cleaned with this tool !
C:\WINDOWS\system32\cefhk.bak2 found ! Possible Vundo infection, not cleaned with this tool !

2)Heuristic Search :

3)Certificates Search :

Egroup certificate not found !

*** Search completed on Thu 10/18/2007 at 20:45:01.87 ***

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\cefhk.ini2
C:\WINDOWS\system32\cefhk.bak1
C:\WINDOWS\system32\cefhk.bak2

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

EDIT: Before running HJT again rename the executable to hjtara.exe

Please also run ComboFix again and give me a fresh log.

Ok, I will do all that in a minute. I just wanted to give you an update. I got on my computer this morning and it’s going crazy with pop-ups. I get about 20 within 1 minute. I also keep getting these weird alerts; it’s a yellow triangle in the bottom right corner of my computer and a balloon will pop out of it saying Security Alert: Spyware found or System Alert: trojan-spy:win32@mx. Also WinPFind3U won’t run. I keep getting an “encountered an error can’t continue” message. I’ll post back soon.

Don’t use (click) these alerts! They could give you much more trouble.
Install and run safe antispyware tools like AVGas, SpywareTerminator, Spybot.
You should also run a boot-time scan with avast.

For sure don’t click them …

This sounds like another SmitFraud variant. Now that we’ve found Vundo I hope to make better progress with this, as Vundo is probably downloading the rest. Go ahead with HJTara.exe and ComboFix and we’ll see what they show (if you have any trouble running ComboFix, rename it and try again).

EDIT: Just to clarify, move the 3 files listed above with OTMoveIt first, then the logs.

C:\WINDOWS\system32\cefhk.ini2 moved successfully.
C:\WINDOWS\system32\cefhk.bak1 moved successfully.
C:\WINDOWS\system32\cefhk.bak2 moved successfully.

Created on 10/19/2007 10:39:35

ComboFix 07-10-17.8 - Tara & Paul 2007-10-19 10:47:27.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.31 [GMT -7:00]
Running from: C:\Documents and Settings\Tara & Paul\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cefhk.ini
C:\WINDOWS\system32\cefhk.ini
C:\WINDOWS\system32\cefhk.ini2
C:\WINDOWS\system32\cefhk.ini2
C:\WINDOWS\system32\cefhk.tmp
C:\WINDOWS\system32\cefhk.tmp
C:\WINDOWS\system32\khfec.dll
C:\WINDOWS\system32\khfec.dll
C:\WINDOWS\system32\kyinieiy.dll
C:\WINDOWS\system32\nuasmuqv.dll
C:\WINDOWS\system32\yieiniyk.ini

.
((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

2007-10-18 20:41 d-------- C:\Program Files\Navilog1
2007-10-17 19:02 8,192 --a------ C:\sysudiq.exe
2007-10-17 09:38 d-------- C:\Program Files\Trend Micro
2007-10-16 14:32 d-------- C:\VundoFix Backups
2007-10-16 09:51 C:\Documents and Settings\Tara & Paul\Application Data\Help
2007-10-07 09:31 C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-07 09:30 d-------- C:\Program Files\Illustrate
2007-10-04 15:00 d-------- C:\Program Files\Java
2007-10-04 14:57 d-------- C:\Program Files\Common Files\Java
2007-09-27 08:00 d-------- C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18 C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-24 13:10 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03 d-------- C:\Program Files\Yahoo!
2007-09-23 11:15 d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06 d-------- C:\Program Files\SpywareBlaster
2007-09-20 14:33 d-------- C:\Program Files\Common Files\Download Manager
2007-09-19 19:15 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-19 19:14 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-19 19:14 C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-19 19:12 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 10:15 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-19 09:52 d-------- C:\Program Files\RogueRemover FREE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 15:13 340,032 ----a-w C:\WINDOWS\system32\rmqgcave.dll
2007-10-19 15:13 340,032 ----a-w C:\WINDOWS\system32\pttryjxd.dll
2007-10-18 02:02 55,808 ----a-w C:\WINDOWS\system32\sysdl133.exe
2007-10-18 02:02 33,792 ----a-w C:\WINDOWS\system32\vtuuvsr.dll
2007-10-18 02:02 167,945 ----a-w C:\WINDOWS\system32\sysdl132.exe
2007-10-13 13:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-08 18:54 --------- d-----w C:\Program Files\mobile PhoneTools
2007-10-08 18:54 --------- d-----w C:\Program Files\LiveUpdate
2007-10-07 16:31 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-07 16:30 4,229,496 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-10-03 17:56 --------- d-----w C:\Program Files\Coupons
2007-09-25 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 17:16 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16 --------- d-----w C:\Program Files\Google
2007-09-21 16:17 28,680 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 16:15 33,288 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 16:15 25,096 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-09-20 02:14 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-09 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-19 03:11 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Ahead
2007-08-19 03:09 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll

.

((((((((((((((((((((((((((((( snapshot@2007-10-16_ 9.36.09.50 )))))))))))))))))))))))))))))))))))))))))
.

2007-08-15 17:13:10 181,248 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
2007-10-16 17:14:41 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
2007-10-16 16:18:25 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
2007-10-19 17:46:53 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
2007-10-19 17:56:20 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_604.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-17 19:02 33792 --a------ C:\WINDOWS\system32\vtuuvsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-19 08:13 340032 --a------ C:\WINDOWS\system32\pttryjxd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pttryjxd.dll [2007-10-19 08:13 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"=""
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe"
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\vtuuvsr.dll [2007-10-17 19:02 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pttryjxd]
pttryjxd.dll 2007-10-19 08:13 340032 C:\WINDOWS\system32\pttryjxd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
vtuuvsr.dll 2007-10-17 19:02 33792 C:\WINDOWS\system32\vtuuvsr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfec.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion™ WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job"
.


catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 10:57:58
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe?0???

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2007-10-19 11:04:39 - machine was rebooted
C:\ComboFix2.txt … 2007-10-17 10:15
C:\ComboFix3.txt … 2007-10-16 09:37
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 11:07:22 AM, on 10/19/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\hijacktryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pttryjxd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pttryjxd.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pttryjxd - C:\WINDOWS\SYSTEM32\pttryjxd.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

I’ll review your logs in depth a little later. For now I would like you to open OTMoveIt and kill this file as you did with the others:

C:\sysudiq.exe

If you are now able to run WinPFind3U, please run it and post its log.

Here’s the “post-review” fix:

Open HJT and click Do a System Scan Only. When complete, place a check mark next to these lines:

O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pttryjxd.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pttryjxd.dll
O20 - Winlogon Notify: pttryjxd - C:\WINDOWS\SYSTEM32\pttryjxd.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll

Close all other windows including your browser, and click Fix Checked. Close HJT.

Open OTMoveIt and paste the following paths into the field to be moved:

C:\sysudiq.exe
C:\WINDOWS\system32\rmqgcave.dll
C:\WINDOWS\system32\pttryjxd.dll
C:\WINDOWS\system32\sysdl133.exe
C:\WINDOWS\system32\vtuuvsr.dll
C:\WINDOWS\system32\sysdl132.exe
C:\WINDOWS\system32\khfec.dll
C:\Program Files\Coupons

Click the red Move It button and post the results in your next response.

Along with the OTMoveIt results please post fresh HJT (renamed) and ComboFix logs as well as a WinPFind log if it will run.
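As an added illustration (not code from this thread, nor from HijackThis or OTMoveIt), here is a small Python parser that applies the cross-reference the helper made when picking the lines above: it reads the O2/O3/O20 entries of a HijackThis log and flags DLLs that are hooked into both winlogon.exe and Internet Explorer, or that appear as an unnamed BHO in system32. The heuristics are my own, and the sample log is constructed from entries posted on this page, including the Google Toolbar DLL, which is legitimately both a BHO and a toolbar and must not be flagged.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis entries from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pttryjxd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pttryjxd.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pttryjxd - C:\WINDOWS\SYSTEM32\pttryjxd.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
""".strip()

# HJT sections that load a DLL into Internet Explorer (O2, O3) or winlogon.exe (O20).
HOOK_RE = re.compile(
    r"^(?P<section>O2|O3|O20) - (?P<kind>BHO|Toolbar|Winlogon Notify): (?P<rest>.+)$"
)


def parse_hooks(log_text):
    """Yield (section, display_name, lower-cased path, original line) for O2/O3/O20 entries."""
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # O4, O16, O23 and the rest are not DLL hooks of interest here
        # Entries read "<name> - {CLSID} - <path>" (O2/O3) or "<name> - <path>" (O20);
        # the file path is always the last " - " separated field.
        fields = m.group("rest").split(" - ")
        name, path = fields[0].strip(), fields[-1].strip()
        yield m.group("section"), name, path.lower(), line


def suspicious_paths(log_text):
    """Return the set of DLL paths (lower-cased) matching the Vundo-style pattern.

    Heuristics (my own, inferred from how the helper chose the lines to fix):
      * the same DLL is a Winlogon Notify handler AND an IE BHO or toolbar, or
      * it is a BHO with no registered name that lives in the system32 directory.
    Legitimate toolbars are often both O2 and O3 (Google Toolbar here), so being
    hooked in two IE sections alone is deliberately not enough to flag a path.
    """
    sections_by_path = defaultdict(set)
    unnamed_sys32 = set()
    for section, name, path, _ in parse_hooks(log_text):
        sections_by_path[path].add(section)
        if section == "O2" and name == "(no name)" and "\\system32\\" in path:
            unnamed_sys32.add(path)
    flagged = {
        path for path, sections in sections_by_path.items()
        if "O20" in sections and sections & {"O2", "O3"}
    }
    return flagged | unnamed_sys32


def suspicious_lines(log_text):
    """Return the original HJT lines, in log order, that reference a flagged DLL."""
    bad = suspicious_paths(log_text)
    return [line for _, _, path, line in parse_hooks(log_text) if path in bad]


if __name__ == "__main__":
    for line in suspicious_lines(SAMPLE_LOG):
        print(line)
```

Run against the sample it prints exactly the five O2/O3/O20 lines the helper asked to have fixed, and nothing for the Adobe, Google or SUPERAntiSpyware entries.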

Sorry it took so long. My computer wouldn’t start up; well, Windows wouldn’t load. It was giving me a message saying operation failed or something of the sort. After freaking out for a day I realized I had to go to Last Known Good Configuration. Also, I can’t click on IE on my desktop. Everything will freeze, then my screen goes blank, but my computer doesn’t turn off, just the screen goes blank.

WinPFind3 logfile created on: 10/20/2007 8:18:46 PM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Tara & Paul\Desktop\WinPFind3u
Microsoft Windows XP Service Pack 2, v.2096 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2096)

191.48 Mb Total Physical Memory | 24.14 Mb Available Physical Memory | 12.61% Memory free
466.86 Mb Paging File | 270.94 Mb Available in Paging File | 58.03% Paging File free
Paging file location(s): C:\pagefile.sys 288 576;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.64 Gb Total Space | 12.80 Gb Free Space | 46.33% Space Free
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: LAPTOP
Current User Name: Tara & Paul
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
ashdisp.exe → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr = ]
ashmaisv.exe → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr = ]
ashserv.exe → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr = ]
ashwebsv.exe → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr = ]
aswupdsv.exe → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr = ]
googletoolbarnotifier.exe → %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr = ]
jusched.exe → %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:36 AM | Attr = ]
lssrvc.exe → %CommonProgramFiles%\LightScribe\LSSrvc.exe → Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr = ]
nmbgmonitor.exe → %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr = ]
nmindexingservice.exe → %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr = ]
nmindexstoresvr.exe → %CommonProgramFiles%\Ahead\Lib\NMIndexStoreSvr.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 905216 bytes | Modified Date = 12/23/2006 6:04:42 PM | Attr = ]
superantispyware.exe → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
watchdog.exe → %ProgramFiles%\mobile PhoneTools\WatchDog.exe → [Ver = | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr = ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2096.503.0 | Size = 224768 bytes | Modified Date = 3/11/2004 6:18:58 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe → Google [Ver = 2.2.824.5515.beta | Size = 138680 bytes | Modified Date = 8/13/2007 2:14:18 PM | Attr = ]
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] → %CommonProgramFiles%\LightScribe\LSSrvc.exe → Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr = ]
(NBService) NBService [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe → Nero AG [Ver = 2, 7, 3, 1 | Size = 774144 bytes | Modified Date = 1/5/2007 1:41:10 PM | Attr = ]
(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Running] → %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
Adobe Reader Speed Launcher → %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe → Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 5/11/2007 3:06:32 AM | Attr = ]
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr = ]
EPSON Stylus CX5800F Series → %System32%\spool\drivers\w32x86\3\E_FATIALA.EXE → SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 98304 bytes | Modified Date = 5/9/2005 10:00:00 PM | Attr = ]
NeroFilterCheck → %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe → Nero AG [Ver = 1, 0, 0, 5 | Size = 155648 bytes | Modified Date = 9/7/2007 6:42:24 PM | Attr = ]
SunJavaUpdateSched → %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:36 AM | Attr = ]
WatchDog → %ProgramFiles%\mobile PhoneTools\WatchDog.exe → [Ver = | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr = ]
< OptionalComponents [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL → Installed = 1 →
MAPI → Installed = 1 →
MSFS → Installed = 1 →
< Run [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
Aim6 → → File not found
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} → %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr = ]
P2kAutostart → %UserDocuments%\P2kCommanderV330\P2kAutostart.exe → File not found
SUPERAntiSpyware → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
swg → %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr = ]
< ShellExecuteHooks [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks →
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] → %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} [HKLM] → %System32%\vtuuvsr.dll → [Ver = | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr = ]
< SecurityProviders [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon\Notify settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ →
!SASWinLogon → %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll → SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
vtuuvsr → %System32%\vtuuvsr.dll → [Ver = | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\NoDriveAutoRun → 67108863 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\NoDriveTypeAutoRun → 255 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → →
< CurrentVersion Policy Settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → →
< HOSTS File > (27 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →
127.0.0.1 localhost → →
< Internet Explorer Settings > → →
HKLM: Default_Page_URL → http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF →
HKLM: Main\Default_Search_URL → http://www.google.com/ie
HKLM: Local Page → %SystemRoot%\system32\blank.htm →
HKLM: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: Start Page → about:blank →
HKLM: CustomizeSearch → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM: Search\Default_Search_URL → http://www.google.com/ie
HKLM: SearchAssistant → http://www.google.com/ie
HKCU: Local Page → C:\WINDOWS\system32\blank.htm →
HKCU: Search Bar → http://www.google.com/ie
HKCU: Search Page → http://www.google.com
HKCU: Start Page → about:blank →
HKCU: SearchAssistant → http://www.google.com/ie
HKCU: ProxyEnable → 0 →
< BHO's > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] → %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] → Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] → %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] → Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 10/31/2006 1:33:52 PM | Attr = ]
{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} [HKLM] → %System32%\vtuuvsr.dll [Reg Data - Value does not exist] → [Ver = | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] → %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [Google Toolbar Helper] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] → %ProgramFiles%\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll [Google Toolbar Notifier BHO] → Google Inc. [Ver = 2, 1, 615, 5858 | Size = 654832 bytes | Modified Date = 8/13/2007 2:15:10 PM | Attr = ]
{F4693D97-15DF-463C-B7B5-A237402E0AED} [HKLM] → %System32%\opnkh.dll [Reg Data - Value does not exist] → [Ver = | Size = 303200 bytes | Modified Date = 10/20/2007 6:28:42 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar →
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [&Google] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
< Internet Explorer ToolBars [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ →
ShellBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [&Google] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [&Google] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
WebBrowser\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
WebBrowser\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] → %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [MenuText: Sun Java Console] → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] → %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [MenuText: Sun Java Console] → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} → Reg Data - Value does not exist [ButtonText: Yahoo! Services] → File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} → Reg Data - Value does not exist [ButtonText: Research] → File not found
< Internet Explorer Menu Extensions [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → → File not found
< Default Protocols [HKLM] - Select to Repair > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Default Protocols [HKCU] - Select to Repair > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Protocol Handlers [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
msdaipp → Reg Data - Key not found → File not found
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{17492023-C23A-453E-A040-C7C580BBF700} → Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{193C772A-87BE-4B19-A7BB-445B226FE9A1} → ewidoOnlineScan Control - CodeBase = http://downloads.ewido.net/ewidoOnlineScan.cab
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} → Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} → Installation Support - CodeBase = C:\Program Files\Yahoo!\Common\Yinsthelper.dll →
{406B5949-7190-4245-91A9-30A17DE16AD0} → Snapfish Activia - CodeBase = http://photos.walmart.com/WalmartActivia.cab
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} → BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} → WUWebControl Class - CodeBase = http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
{644E432F-49D3-41A1-8DD5-E099162EEEC5} → Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} → MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
{8AD9C840-044E-11D1-B3E9-00805F499D93} → Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} → Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} → Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} → - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{F137B9BA-89EA-4B04-9C67-2074A9DF61FD} → Photo Upload Plugin Class - CodeBase = http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab? →

[Files/Folders - Created Within 30 days]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 200855552 bytes | Created Date = 1/1/1601 7:00:00 AM | Attr = HS]
qoobox → %SystemDrive%\qoobox → [Folder | Created Date = 10/16/2007 9:18:27 AM | Attr = ]
VundoFix Backups → %SystemDrive%\VundoFix Backups → [Folder | Created Date = 10/16/2007 2:32:40 PM | Attr = ]
_OTMoveIt → %SystemDrive%\_OTMoveIt → [Folder | Created Date = 10/19/2007 10:39:34 AM | Attr = ]
catchme.exe → %SystemRoot%\catchme.exe → [Ver = | Size = 135168 bytes | Created Date = 10/16/2007 9:15:59 AM | Attr = ]
NirCmd.exe → %SystemRoot%\NirCmd.exe → NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 10/16/2007 9:16:00 AM | Attr = ]
pss → %SystemRoot%\pss → [Folder | Created Date = 10/15/2007 9:23:21 AM | Attr = ]
Thumbs.db → %SystemRoot%\Thumbs.db → [Ver = | Size = 7680 bytes | Created Date = 10/8/2007 11:54:27 AM | Attr = HS]
@Alternate Data Stream - 0 bytes → %SystemRoot%\Thumbs.db:encryptable →
uccspecc.sys → %SystemRoot%\uccspecc.sys → [Ver = | Size = 31 bytes | Created Date = 10/3/2007 10:56:00 AM | Attr = H ]
aylcodgp.ini → %System32%\aylcodgp.ini → [Ver = | Size = 693721 bytes | Created Date = 10/15/2007 11:16:02 AM | Attr = HS]
comms2 → %System32%\comms2 → [Folder | Created Date = 10/13/2007 9:20:19 PM | Attr = ]
cpnprt2.cid → %System32%\cpnprt2.cid → Coupons, Inc. [Ver = 1, 0, 5, 0 | Size = 161112 bytes | Created Date = 10/3/2007 10:56:11 AM | Attr = RH ]
extdfugh.ini → %System32%\extdfugh.ini → [Ver = | Size = 693601 bytes | Created Date = 10/15/2007 10:41:28 AM | Attr = HS]
hknpo.bak1 → %System32%\hknpo.bak1 → [Ver = | Size = 6513 bytes | Created Date = 10/20/2007 6:29:08 PM | Attr = HS]
hknpo.ini → %System32%\hknpo.ini → [Ver = | Size = 529 bytes | Created Date = 10/20/2007 6:28:44 PM | Attr = HS]
java.exe → %System32%\java.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javacpl.cpl → %System32%\javacpl.cpl → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javaw.exe → %System32%\javaw.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javaws.exe → %System32%\javaws.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
mcrh.tmp → %System32%\mcrh.tmp → [Ver = | Size = 143 bytes | Created Date = 10/14/2007 9:02:03 AM | Attr = ]
opnkh.dll → %System32%\opnkh.dll → [Ver = | Size = 303200 bytes | Created Date = 10/20/2007 6:28:35 PM | Attr = ]
pmkli.dll → %System32%\pmkli.dll → [Ver = | Size = 312416 bytes | Created Date = 10/19/2007 1:51:43 PM | Attr = ]
pttryjxd.dllbox → %System32%\pttryjxd.dllbox → [Ver = | Size = 17006 bytes | Created Date = 10/19/2007 8:14:03 AM | Attr = HS]
que1 → %System32%\que1 → [Folder | Created Date = 10/13/2007 9:20:47 PM | Attr = ]
SpoonUninstall.exe → %System32%\SpoonUninstall.exe → [Ver = | Size = 4229496 bytes | Created Date = 10/7/2007 9:31:10 AM | Attr = ]
@Alternate Data Stream - 26 bytes → %System32%\SpoonUninstall.exe:Zone.Identifier →
swreg.exe → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
swsc.exe → %System32%\swsc.exe → SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
swxcacls.exe → %System32%\swxcacls.exe → SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
tmp.reg → %System32%\tmp.reg → [Ver = | Size = 2244 bytes | Created Date = 10/17/2007 9:48:44 AM | Attr = ]
vosuuyod.ini → %System32%\vosuuyod.ini → [Ver = | Size = 693481 bytes | Created Date = 10/15/2007 10:05:52 AM | Attr = HS]
vtuuvsr.dll → %System32%\vtuuvsr.dll → [Ver = | Size = 33792 bytes | Created Date = 10/17/2007 7:02:17 PM | Attr = ]
eamon.sys → %System32%\drivers\eamon.sys → Eset [Ver = 3,0,0,0 D built by: WinDDK | Size = 33288 bytes | Created Date = 9/21/2007 9:15:26 AM | Attr = ]
easdrv.sys → %System32%\drivers\easdrv.sys → Eset [Ver = 3, 0, 414 RC1 | Size = 25096 bytes | Created Date = 9/21/2007 9:15:52 AM | Attr = ]
epfwtdir.sys → %System32%\drivers\epfwtdir.sys → [Ver = | Size = 28680 bytes | Created Date = 9/21/2007 9:17:14 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
boot.ini → %SystemDrive%\boot.ini → [Ver = | Size = 194 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = HS]
Documents and Settings → %SystemDrive%\Documents and Settings → [Folder | Modified Date = 10/18/2007 8:44:54 PM | Attr = ]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 200855552 bytes | Modified Date = 10/20/2007 8:09:32 PM | Attr = HS]
Program Files → %ProgramFiles% → [Folder | Modified Date = 10/19/2007 9:16:26 AM | Attr = R ]
qoobox → %SystemDrive%\qoobox → [Folder | Modified Date = 10/19/2007 11:04:42 AM | Attr = ]
System Volume Information → %SystemDrive%\System Volume Information → [Folder | Modified Date = 10/18/2007 9:44:14 AM | Attr = HS]
Temp → %SystemDrive%\Temp → [Folder | Modified Date = 10/14/2007 9:00:08 AM | Attr = ]
VundoFix Backups → %SystemDrive%\VundoFix Backups → [Folder | Modified Date = 10/16/2007 2:32:42 PM | Attr = ]
WINDOWS → %SystemRoot% → [Folder | Modified Date = 10/19/2007 10:50:52 AM | Attr = ]
_OTMoveIt → %SystemDrive%\_OTMoveIt → [Folder | Modified Date = 10/19/2007 10:39:36 AM | Attr = ]

BDOSCAN8 → %SystemRoot%\BDOSCAN8 → [Folder | Modified Date = 10/17/2007 2:15:54 PM | Attr = ]
bootstat.dat → %SystemRoot%\bootstat.dat → [Ver = | Size = 2048 bytes | Modified Date = 10/20/2007 8:09:34 PM | Attr = S]
catchme.exe → %SystemRoot%\catchme.exe → [Ver = | Size = 135168 bytes | Modified Date = 9/28/2007 9:06:10 AM | Attr = ]
CSC → %SystemRoot%\CSC → [Folder | Modified Date = 10/20/2007 6:54:54 PM | Attr = HS]
Downloaded Program Files → %SystemRoot%\Downloaded Program Files → [Folder | Modified Date = 10/4/2007 3:03:12 PM | Attr = S]
EPISME00.SWB → %SystemRoot%\EPISME00.SWB → [Ver = | Size = 9662 bytes | Modified Date = 10/16/2007 9:49:56 AM | Attr = ]
erdnt → %SystemRoot%\erdnt → [Folder | Modified Date = 9/22/2007 8:46:58 AM | Attr = ]
Help → %SystemRoot%\Help → [Folder | Modified Date = 10/16/2007 9:51:28 AM | Attr = ]
inf → %SystemRoot%\inf → [Folder | Modified Date = 10/15/2007 9:19:54 AM | Attr = H ]
Installer → %SystemRoot%\Installer → [Folder | Modified Date = 10/4/2007 3:03:02 PM | Attr = HS]
NeroDigital.ini → %SystemRoot%\NeroDigital.ini → [Ver = | Size = 69 bytes | Modified Date = 10/8/2007 11:54:28 AM | Attr = ]
Prefetch → %SystemRoot%\Prefetch → [Folder | Modified Date = 10/20/2007 7:42:32 PM | Attr = ]
pss → %SystemRoot%\pss → [Folder | Modified Date = 10/15/2007 9:25:28 AM | Attr = ]
Registration → %SystemRoot%\Registration → [Folder | Modified Date = 10/13/2007 9:14:48 PM | Attr = ]
system.ini → %SystemRoot%\system.ini → [Ver = | Size = 227 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = ]
system32 → %System32% → [Folder | Modified Date = 10/20/2007 8:19:12 PM | Attr = ]
Tasks → %SystemRoot%\Tasks → [Folder | Modified Date = 10/19/2007 10:51:36 AM | Attr = S]
TEMP → %SystemRoot%\TEMP → [Folder | Modified Date = 10/20/2007 8:17:28 PM | Attr = ]
Thumbs.db → %SystemRoot%\Thumbs.db → [Ver = | Size = 7680 bytes | Modified Date = 10/8/2007 11:54:28 AM | Attr = HS]
@Alternate Data Stream - 0 bytes → %SystemRoot%\Thumbs.db:encryptable →
uccspecc.sys → %SystemRoot%\uccspecc.sys → [Ver = | Size = 31 bytes | Modified Date = 10/3/2007 10:56:02 AM | Attr = H ]
win.ini → %SystemRoot%\win.ini → [Ver = | Size = 573 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = ]
WindowsShellOld.Manifest.1 → %SystemRoot%\WindowsShellOld.Manifest.1 → [Ver = | Size = 82 bytes | Modified Date = 10/3/2007 10:56:02 AM | Attr = H ]
Norton Security Scan.job → %SystemRoot%\tasks\Norton Security Scan.job → [Ver = | Size = 420 bytes | Modified Date = 10/12/2007 4:44:22 PM | Attr = ]
SA.DAT → %SystemRoot%\tasks\SA.DAT → [Ver = | Size = 6 bytes | Modified Date = 10/20/2007 8:10:30 PM | Attr = H ]
aylcodgp.ini → %System32%\aylcodgp.ini → [Ver = | Size = 693721 bytes | Modified Date = 10/15/2007 4:28:14 PM | Attr = HS]
CatRoot2 → %System32%\CatRoot2 → [Folder | Modified Date = 10/20/2007 8:14:56 PM | Attr = ]
comms2 → %System32%\comms2 → [Folder | Modified Date = 10/13/2007 9:20:48 PM | Attr = ]
cpnprt2.cid → %System32%\cpnprt2.cid → Coupons, Inc. [Ver = 1, 0, 5, 0 | Size = 161112 bytes | Modified Date = 10/3/2007 10:56:14 AM | Attr = RH ]
dllcache → %System32%\dllcache → [Folder | Modified Date = 10/20/2007 8:05:30 PM | Attr = RHS]
drivers → %System32%\drivers → [Folder | Modified Date = 10/19/2007 10:56:34 AM | Attr = ]
extdfugh.ini → %System32%\extdfugh.ini → [Ver = | Size = 693601 bytes | Modified Date = 10/15/2007 11:06:10 AM | Attr = HS]
hknpo.bak1 → %System32%\hknpo.bak1 → [Ver = | Size = 6513 bytes | Modified Date = 10/20/2007 6:29:10 PM | Attr = HS]
hknpo.ini → %System32%\hknpo.ini → [Ver = | Size = 529 bytes | Modified Date = 10/20/2007 8:19:12 PM | Attr = HS]
java.exe → %System32%\java.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:28 PM | Attr = ]
javacpl.cpl → %System32%\javacpl.cpl → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr = ]
javaw.exe → %System32%\javaw.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:30 PM | Attr = ]
javaws.exe → %System32%\javaws.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr = ]
mcrh.tmp → %System32%\mcrh.tmp → [Ver = | Size = 143 bytes | Modified Date = 10/14/2007 9:02:04 AM | Attr = ]
opnkh.dll → %System32%\opnkh.dll → [Ver = | Size = 303200 bytes | Modified Date = 10/20/2007 6:28:42 PM | Attr = ]
pmkli.dll → %System32%\pmkli.dll → [Ver = | Size = 312416 bytes | Modified Date = 10/19/2007 1:51:50 PM | Attr = ]
pttryjxd.dllbox → %System32%\pttryjxd.dllbox → [Ver = | Size = 17006 bytes | Modified Date = 10/19/2007 12:44:18 PM | Attr = HS]
que1 → %System32%\que1 → [Folder | Modified Date = 10/16/2007 12:58:02 PM | Attr = ]
Restore → %System32%\Restore → [Folder | Modified Date = 10/18/2007 9:44:14 AM | Attr = ]
SpoonUninstall.exe → %System32%\SpoonUninstall.exe → [Ver = | Size = 4229496 bytes | Modified Date = 10/7/2007 9:30:14 AM | Attr = ]
@Alternate Data Stream - 26 bytes → %System32%\SpoonUninstall.exe:Zone.Identifier →
swreg.exe → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 10/5/2007 10:07:32 AM | Attr = ]
tmp.reg → %System32%\tmp.reg → [Ver = | Size = 2244 bytes | Modified Date = 10/17/2007 9:59:16 AM | Attr = ]
vosuuyod.ini → %System32%\vosuuyod.ini → [Ver = | Size = 693481 bytes | Modified Date = 10/15/2007 10:37:28 AM | Attr = HS]
vtuuvsr.dll → %System32%\vtuuvsr.dll → [Ver = | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr = ]
wpa.dbl → %System32%\wpa.dbl → [Ver = | Size = 2206 bytes | Modified Date = 10/20/2007 4:11:30 PM | Attr = ]
eamon.sys → %System32%\drivers\eamon.sys → Eset [Ver = 3,0,0,0 D built by: WinDDK | Size = 33288 bytes | Modified Date = 9/21/2007 9:15:26 AM | Attr = ]
easdrv.sys → %System32%\drivers\easdrv.sys → Eset [Ver = 3, 0, 414 RC1 | Size = 25096 bytes | Modified Date = 9/21/2007 9:15:52 AM | Attr = ]
epfwtdir.sys → %System32%\drivers\epfwtdir.sys → [Ver = | Size = 28680 bytes | Modified Date = 9/21/2007 9:17:14 AM | Attr = ]
etc → %System32%\drivers\etc → [Folder | Modified Date = 10/19/2007 10:56:30 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 0 bytes → %SystemRoot%\Thumbs.db:encryptable →
UPX! , UPX0 , → %System32%\aswBoot.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 9/6/2007 3:09:50 AM | Attr = ]
PEC2 , → %System32%\dfrg.msc → [Ver = | Size = 41397 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
@Alternate Data Stream - 26 bytes → %System32%\SpoonUninstall.exe:Zone.Identifier →
USERTRUST , → %System32%\SpoonUninstall.exe → [Ver = | Size = 4229496 bytes | Modified Date = 10/7/2007 9:30:14 AM | Attr = ]
UPX! , UPX0 , → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 10/5/2007 10:07:32 AM | Attr = ]
winsync , → %System32%\wbdbase.deu → [Ver = | Size = 1309184 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
WSUD , UPX0 , → %System32%\dllcache\hwxjpn.dll → [Ver = | Size = 13463552 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]

< End of report >

ComboFix 07-10-17.8 - Tara & Paul 2007-10-21 8:42:49.7 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Tara & Paul\Desktop\TryanFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hknpo.bak1
C:\WINDOWS\system32\hknpo.bak1
C:\WINDOWS\system32\hknpo.ini
C:\WINDOWS\system32\hknpo.ini
C:\WINDOWS\system32\opnkh.dll
C:\WINDOWS\system32\pmkli.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-18 20:41 d-------- C:\Program Files\Navilog1
2007-10-17 19:02 33,792 --a------ C:\WINDOWS\system32\vtuuvsr.dll
2007-10-17 09:48 2,244 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-17 09:38 d-------- C:\Program Files\Trend Micro
2007-10-16 14:32 d-------- C:\VundoFix Backups
2007-10-16 09:51 C:\Documents and Settings\Tara & Paul\Application Data\Help
2007-10-16 09:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 09:23 d-------- C:\WINDOWS\pss
2007-10-13 21:20 d-------- C:\WINDOWS\system32\que1
2007-10-13 21:20 d-------- C:\WINDOWS\system32\comms2
2007-10-07 09:31 C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-07 09:31 4,229,496 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-10-07 09:30 d-------- C:\Program Files\Illustrate
2007-10-04 15:00 d-------- C:\Program Files\Java
2007-10-04 14:57 d-------- C:\Program Files\Common Files\Java
2007-10-03 10:56 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-09-27 08:00 d-------- C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18 C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-24 13:10 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03 d-------- C:\Program Files\Yahoo!
2007-09-23 11:15 d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06 d-------- C:\Program Files\SpywareBlaster
2007-09-21 09:17 28,680 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 09:15 33,288 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 09:15 25,096 --a------ C:\WINDOWS\system32\drivers\easdrv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 02:49 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-17 02:26 --------- d-----w C:\Program Files\RogueRemover FREE
2007-10-13 13:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-08 18:54 --------- d-----w C:\Program Files\mobile PhoneTools
2007-10-08 18:54 --------- d-----w C:\Program Files\LiveUpdate
2007-10-07 16:31 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-09-25 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 17:16 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16 --------- d-----w C:\Program Files\Google
2007-09-20 21:33 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-09-20 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-20 02:14 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-20 02:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 17:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-09 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-16_ 9.36.09.50 )))))))))))))))))))))))))))))))))))))))))
.

  • 2007-08-15 17:13:10 181,248 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
  • 2007-10-16 17:14:41 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
  • 2007-10-16 16:18:25 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2007-10-21 15:42:14 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2007-10-21 15:50:41 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-17 19:02 33792 --a------ C:\WINDOWS\system32\vtuuvsr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"=""
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"=""
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe"
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\vtuuvsr.dll [2007-10-17 19:02 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
vtuuvsr.dll 2007-10-17 19:02 33792 C:\WINDOWS\system32\vtuuvsr.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion™ WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job"
.


catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 08:52:35
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


.
Completion time: 2007-10-21 8:59:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-19 11:04
C:\ComboFix3.txt ... 2007-10-17 10:15
.
— E O F —

Logfile of HijackThis v1.99.1
Scan saved at 9:03:09 AM, on 10/21/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\hijacktryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9F017283-6106-4282-BADC-1E3B7B7D3A61} - C:\WINDOWS\system32\tuvus.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

I have to be honest with you. The system problems you describe are not a good sign and you have to face the possibility that this will lead to a reformat. I'm not giving up yet, but you should back up any important data, pictures, etc. to play it safe. It would be wise to do this before proceeding any further.

Start WinPFind3U. Copy/paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Files/Folders - Created Within 30 days]
NY -> uccspecc.sys -> %SystemRoot%\uccspecc.sys
NY -> aylcodgp.ini -> %System32%\aylcodgp.ini
NY -> cpnprt2.cid -> %System32%\cpnprt2.cid
NY -> extdfugh.ini -> %System32%\extdfugh.ini
NY -> hknpo.bak1 -> %System32%\hknpo.bak1
NY -> hknpo.ini -> %System32%\hknpo.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> opnkh.dll -> %System32%\opnkh.dll
NY -> pmkli.dll -> %System32%\pmkli.dll
NY -> pttryjxd.dllbox -> %System32%\pttryjxd.dllbox
NY -> tmp.reg -> %System32%\tmp.reg
NY -> vosuuyod.ini -> %System32%\vosuuyod.ini
NY -> vtuuvsr.dll -> %System32%\vtuuvsr.dll

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information in your next response.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.

Now open OTMoveIt and copy the following into the "paths to be moved" field:

C:\WINDOWS\system32\que1
C:\WINDOWS\system32\comms2
C:\WINDOWS\system32\tuvus.dll

Click the red Move It button and include the results with the WinPFind results.

Next, download ERUNT from here and back up your entire registry:

http://www.snapfiles.com/get/erunt.html

Now open Notepad and copy everything within the quote box below into a new document. Make sure there is no space above "REGEDIT4".

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"=-

Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
In the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop. Right click the fix.reg file and select Merge. Accept the warning if it appears.

When that's finished, open HJT and place a check mark next to any of these lines that remain:

O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: (no name) - {9F017283-6106-4282-BADC-1E3B7B7D3A61} - C:\WINDOWS\system32\tuvus.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll

Close all other windows, browser included, and click fix checked.

In addition to the WinPFind and OTMoveIt results please give me fresh ComboFix and HJT logs.
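As an added example (not part of this thread, HijackThis, or any tool mentioned here): a small Python script that pulls the O2 and O20 lines out of a HijackThis log, flags the traits the helper acted on (a BHO with no name, a DLL dropped straight into system32, and the same DLL also registered as a Winlogon Notify package) and writes a fix.reg of the same shape as the one above. The sample lines are copied from the log; the rules are my own heuristics, not anything HijackThis itself reports.

```python
import re

# Constructed sample: HijackThis O2/O20 lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: (no name) - {9F017283-6106-4282-BADC-1E3B7B7D3A61} - C:\WINDOWS\system32\tuvus.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
"""
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$", re.I)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

def parse_hjt(text):
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notifies = [], []
    for line in text.splitlines():
        if m := BHO_RE.match(line):
            bhos.append(m.groupdict())
        elif m := NOTIFY_RE.match(line):
            notifies.append(m.groupdict())
    return bhos, notifies

def suspicious_entries(text):
    """Map lower-cased DLL path -> {clsid, notify, reasons}; the rules are the traits the helper acted on."""
    bhos, notifies = parse_hjt(text)
    notify_by_path = {n["path"].lower(): n["name"] for n in notifies}
    findings = {}
    for b in bhos:
        key, reasons = b["path"].lower(), []
        if b["name"] == "(no name)":
            reasons.append("BHO registered without a display name")
        if "\\system32\\" in key:
            reasons.append("DLL dropped directly into system32")
        if key in notify_by_path:  # one DLL holding two autostart points, as vtuuvsr.dll does
            reasons.append("same DLL also loaded as a Winlogon Notify package")
        if reasons:
            findings[key] = {"clsid": b["clsid"], "notify": notify_by_path.get(key), "reasons": reasons}
    return findings

def removal_reg(finding):
    """Emit REGEDIT4 text of the same shape as the helper's fix.reg for one flagged BHO."""
    clsid = finding["clsid"]
    out = ["REGEDIT4", "", f"[-HKEY_CLASSES_ROOT\\CLSID\\{clsid}]", "",
           f"[-HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{clsid}]", "",
           "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks]",
           f'"{clsid}"=-']
    if finding["notify"]:  # only vtuuvsr has a Notify key in the sample; tuvus.dll does not
        out += ["", f"[-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{finding['notify']}]"]
    return "\n".join(out) + "\n"
```

Run over the sample it flags vtuuvsr.dll on all three rules and tuvus.dll on two, while the Adobe helper passes; back the registry up (ERUNT, as above) before merging anything it generates.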