Virus... please help

Viruses and worms
41

C:\WINDOWS\system32\que1 moved successfully.
C:\WINDOWS\system32\comms2 moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\tuvus.dll
C:\WINDOWS\system32\tuvus.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\tuvus.dll scheduled to be moved on reboot.

Created on 10/22/2007 13:43:07

WinPFind3U said it had to be restarted, then I got an error message saying Invalid floating point operation. I then restarted and no log popped up. Also got the same error message when I did OTMovIt.

42

When I ran combofix I got an error message saying sed.cfexe has encountered a problem and needs to close. Here is the log:

ComboFix 07-10-17.8 - Tara & Paul 2007-10-22 14:00:12.8 - NTFSx86
Script execution time was exceeded on script “C:\ComboFix\osid.vbs”.
Script execution was terminated.
Running from: C:\Documents and Settings\Tara & Paul\Desktop\TryanFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\evqdnvcu.dll
C:\WINDOWS\system32\lepmqbnt.dll
C:\WINDOWS\system32\suvut.bak1
C:\WINDOWS\system32\suvut.bak1
C:\WINDOWS\system32\suvut.bak2
C:\WINDOWS\system32\suvut.bak2
C:\WINDOWS\system32\suvut.ini
C:\WINDOWS\system32\suvut.ini
C:\WINDOWS\system32\tnbqmpel.ini
C:\WINDOWS\system32\tuvus.dll
C:\WINDOWS\system32\tuvus.dll
C:\WINDOWS\system32\tuvus.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-18 20:41 d-------- C:\Program Files\Navilog1
2007-10-17 09:38 d-------- C:\Program Files\Trend Micro
2007-10-16 14:32 d-------- C:\VundoFix Backups
2007-10-16 09:51 C:\Documents and Settings\Tara 2007-10-16 09:51 Paul\Application Data\Help
2007-10-07 09:31 C:\Documents and Settings\Tara 2007-10-07 09:31 Paul\Application Data\AccurateRip
2007-10-07 09:30 d-------- C:\Program Files\Illustrate
2007-10-04 15:00 d-------- C:\Program Files\Java
2007-10-04 14:57 d-------- C:\Program Files\Common Files\Java
2007-09-27 08:00 d-------- C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18 C:\Documents and Settings\Tara 2007-09-24 13:18 Paul\Application Data\Yahoo!
2007-09-24 13:10 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03 d-------- C:\Program Files\Yahoo!
2007-09-23 11:15 d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06 d-------- C:\Program Files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 02:49 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-18 02:02 33,792 ----a-w C:\WINDOWS\system32\vtuuvsr.dll
2007-10-17 02:26 --------- d-----w C:\Program Files\RogueRemover FREE
2007-10-13 13:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-08 18:54 --------- d-----w C:\Program Files\mobile PhoneTools
2007-10-08 18:54 --------- d-----w C:\Program Files\LiveUpdate
2007-10-07 16:31 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-07 16:30 4,229,496 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-09-25 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 17:16 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16 --------- d-----w C:\Program Files\Google
2007-09-21 16:17 28,680 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 16:15 33,288 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 16:15 25,096 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-09-20 21:33 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-09-20 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-20 02:14 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-20 02:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 17:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-09 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17 --------- d–h–w C:\Program Files\InstallShield Installation Information
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-16_ 9.36.09.50 )))))))))))))))))))))))))))))))))))))))))
.

  • 2007-08-15 17:13:10 181,248 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
  • 2007-10-16 17:14:41 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
  • 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\10-22-2007\ERDNT.EXE
  • 2007-10-22 20:50:15 4,370,432 ----a-w C:\WINDOWS\erdnt\10-22-2007\Users[u]0[/u]0000001\ntuser.dat
  • 2007-10-22 20:50:15 151,552 ----a-w C:\WINDOWS\erdnt\10-22-2007\Users[u]0[/u]0000002\UsrClass.dat
  • 2007-10-16 16:18:25 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2007-10-22 20:59:28 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2007-10-22 21:10:52 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_5ec.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-17 19:02 33792 --a------ C:\WINDOWS\system32\vtuuvsr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“@”=“”
“WatchDog”=“C:\Program Files\mobile PhoneTools\WatchDog.exe” [2007-09-07 18:42]
“EPSON Stylus CX5800F Series”=“C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe” [2005-05-09 22:00]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 03:06]
“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2007-09-07 18:42]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 03:06]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“P2kAutostart”=“C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe”
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-07-19 16:29]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-12-23 18:05]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2007-06-21 14:06]
“Aim6”=“”

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
@=
“MySpaceIM”=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Tara & Paul\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
“{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}”= C:\WINDOWS\system32\vtuuvsr.dll [2007-10-17 19:02 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
vtuuvsr.dll 2007-10-17 19:02 33792 C:\WINDOWS\system32\vtuuvsr.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion™ WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys

.
Contents of the ‘Scheduled Tasks’ folder
“2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job”
.

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 14:12:43
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
Completion time: 2007-10-22 15:03:04 - machine was rebooted
C:\ComboFix2.txt … 2007-10-21 08:59
C:\ComboFix3.txt … 2007-10-19 11:04
.
— E O F —

43

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:39 PM, on 10/22/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 “EPSON Stylus CX5800F Series” /O6 “USB001” /M “Stylus CX5800F”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKCU..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘Default user’)
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


End of file - 7803 bytes

44

Hi tryan21,

vtuuvsr.dll is a sign of a win trojan gen infection, and maxifiles trojan. More cleansing needs to be done,

polonus

45

We’re not going to worry about the sed.cfexe error at the moment but, as polonus said, we do need to rid your computer of vtuuvsr.dll for good.

  1. Please open Notepad
    Click Start , then Run
    Type notepad .exe in the Run Box and hit Enter.

  2. Now copy/paste the entire contents of the codebox below into the Notepad window:


File::
C:\WINDOWS\system32\vtuuvsr.dll

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]

  1. Save the above as CFScript.txt

  2. Drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


http://img132.imageshack.us/img132/9119/cfscriptkv9.gif

  1. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    [b]
    Combofix.txt
    A new HijackThis log.
    [b]
46

ComboFix 07-10-17.8 - Tara & Paul 2007-10-22 19:30:53.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.57 [GMT -7:00]
Running from: C:\Documents and Settings\Tara & Paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tara & Paul\Desktop\CFScript.txt

  • Created a new restore point

FILE::
C:\WINDOWS\system32\vtuuvsr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtrp.dll
C:\WINDOWS\system32\awtrp.dll
C:\WINDOWS\system32\awtrp.dll
C:\WINDOWS\system32\jokoneur.dll
C:\WINDOWS\system32\pfbilsyr.ini
C:\WINDOWS\system32\prtwa.bak2
C:\WINDOWS\system32\prtwa.ini
C:\WINDOWS\system32\ryslibfp.dll
C:\WINDOWS\system32\vtuuvsr.dll
C:\WINDOWS\system32\vtuuvsr.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-18 20:41 d-------- C:\Program Files\Navilog1
2007-10-17 09:38 d-------- C:\Program Files\Trend Micro
2007-10-16 14:32 d-------- C:\VundoFix Backups
2007-10-16 09:51 C:\Documents and Settings\Tara 2007-10-16 09:51 Paul\Application Data\Help
2007-10-07 09:31 C:\Documents and Settings\Tara 2007-10-07 09:31 Paul\Application Data\AccurateRip
2007-10-07 09:30 d-------- C:\Program Files\Illustrate
2007-10-04 15:00 d-------- C:\Program Files\Java
2007-10-04 14:57 d-------- C:\Program Files\Common Files\Java
2007-09-27 08:00 d-------- C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18 C:\Documents and Settings\Tara 2007-09-24 13:18 Paul\Application Data\Yahoo!
2007-09-24 13:10 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03 d-------- C:\Program Files\Yahoo!
2007-09-23 11:15 d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06 d-------- C:\Program Files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 02:49 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-17 02:26 --------- d-----w C:\Program Files\RogueRemover FREE
2007-10-13 13:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-08 18:54 --------- d-----w C:\Program Files\mobile PhoneTools
2007-10-08 18:54 --------- d-----w C:\Program Files\LiveUpdate
2007-10-07 16:31 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-09-25 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 17:16 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16 --------- d-----w C:\Program Files\Google
2007-09-21 16:17 28,680 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 16:15 33,288 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 16:15 25,096 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-09-20 21:33 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-09-20 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-20 02:14 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-20 02:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 17:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-09 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17 --------- d–h–w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((( snapshot@2007-10-16_ 9.36.09.50 )))))))))))))))))))))))))))))))))))))))))
.

  • 2007-08-15 17:13:10 181,248 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
  • 2007-10-16 17:14:41 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
  • 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\10-22-2007\ERDNT.EXE
  • 2007-10-22 20:50:15 4,370,432 ----a-w C:\WINDOWS\erdnt\10-22-2007\Users[u]0[/u]0000001\ntuser.dat
  • 2007-10-22 20:50:15 151,552 ----a-w C:\WINDOWS\erdnt\10-22-2007\Users[u]0[/u]0000002\UsrClass.dat
  • 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\10-22-2007\ERDNT.EXE
  • 2007-10-22 23:27:48 4,370,432 ----a-w C:\WINDOWS\erdnt\AutoBackup\10-22-2007\Users[u]0[/u]0000001\ntuser.dat
  • 2007-10-22 23:27:50 151,552 ----a-w C:\WINDOWS\erdnt\AutoBackup\10-22-2007\Users[u]0[/u]0000002\UsrClass.dat
  • 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-22\ERDNT.EXE
  • 2007-10-22 21:16:53 4,370,432 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-22\Users[u]0[/u]0000001\ntuser.dat
  • 2007-10-22 21:16:55 151,552 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-22\Users[u]0[/u]0000002\UsrClass.dat
  • 2007-10-16 16:18:25 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2007-10-23 02:30:19 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2007-10-23 02:40:39 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_568.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“@”=“”
“WatchDog”=“C:\Program Files\mobile PhoneTools\WatchDog.exe” [2007-09-07 18:42]
“EPSON Stylus CX5800F Series”=“C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe” [2005-05-09 22:00]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 03:06]
“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2007-09-07 18:42]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 03:06]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“P2kAutostart”=“C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe”
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-07-19 16:29]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-12-23 18:05]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2007-06-21 14:06]
“Aim6”=“”

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
@=
“MySpaceIM”=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Tara & Paul\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion™ WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys

.
Contents of the ‘Scheduled Tasks’ folder
“2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job”
.

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 19:41:00
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
Completion time: 2007-10-22 19:47:27 - machine was rebooted
C:\ComboFix2.txt … 2007-10-22 15:03
C:\ComboFix3.txt … 2007-10-21 08:59
.
— E O F —

47

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:10 PM, on 10/22/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 “EPSON Stylus CX5800F Series” /O6 “USB001” /M “Stylus CX5800F”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKCU..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘Default user’)
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


End of file - 7583 bytes

48

Your most recent logs look much better but this has been very tenacious so I would like to see another WinPFing log.

How is the computer running?

49

THE COMPUTER SEEMS TO BE RUNNING FINE. I HAVEN’T NOTICED ANYTHING UNUSUAL.

WinPFind3 logfile created on: 10/23/2007 9:06:27 AM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Tara & Paul\Desktop\WinPFind3u
Microsoft Windows XP Service Pack 2, v.2096 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2096)

191.48 Mb Total Physical Memory | 44.07 Mb Available Physical Memory | 23.02% Memory free
466.86 Mb Paging File | 286.14 Mb Available in Paging File | 61.29% Paging File free
Paging file location(s): C:\pagefile.sys 288 576;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.64 Gb Total Space | 12.67 Gb Free Space | 45.86% Space Free
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: LAPTOP
Current User Name: Tara & Paul
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
ashdisp.exe → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr = ]
ashmaisv.exe → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr = ]
ashserv.exe → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr = ]
ashwebsv.exe → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr = ]
aswupdsv.exe → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr = ]
googletoolbarnotifier.exe → %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr = ]
jusched.exe → %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:36 AM | Attr = ]
lssrvc.exe → %CommonProgramFiles%\LightScribe\LSSrvc.exe → Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr = ]
nmbgmonitor.exe → %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr = ]
nmindexingservice.exe → %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr = ]
superantispyware.exe → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
watchdog.exe → %ProgramFiles%\mobile PhoneTools\WatchDog.exe → [Ver = | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr = ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2096.503.0 | Size = 224768 bytes | Modified Date = 3/11/2004 6:18:58 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe → Google [Ver = 2.2.824.5515.beta | Size = 138680 bytes | Modified Date = 8/13/2007 2:14:18 PM | Attr = ]
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] → %CommonProgramFiles%\LightScribe\LSSrvc.exe → Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr = ]
(NBService) NBService [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe → Nero AG [Ver = 2, 7, 3, 1 | Size = 774144 bytes | Modified Date = 1/5/2007 1:41:10 PM | Attr = ]
(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Running] → %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr = ]

50

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
Adobe Reader Speed Launcher → %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe → Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 5/11/2007 3:06:32 AM | Attr = ]
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr = ]
EPSON Stylus CX5800F Series → %System32%\spool\drivers\w32x86\3\E_FATIALA.EXE → SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 98304 bytes | Modified Date = 5/9/2005 10:00:00 PM | Attr = ]
NeroFilterCheck → %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe → Nero AG [Ver = 1, 0, 0, 5 | Size = 155648 bytes | Modified Date = 9/7/2007 6:42:24 PM | Attr = ]
SunJavaUpdateSched → %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:36 AM | Attr = ]
WatchDog → %ProgramFiles%\mobile PhoneTools\WatchDog.exe → [Ver = | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr = ]
< OptionalComponents [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL → Installed = 1 →
MAPI → Installed = 1 →
MSFS → Installed = 1 →
< Run [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
Aim6 → → File not found
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} → %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr = ]
P2kAutostart → %UserDocuments%\P2kCommanderV330\P2kAutostart.exe → File not found
SUPERAntiSpyware → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
swg → %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr = ]
< User Startup > → C:\Documents and Settings\Tara & Paul\Start Menu\Programs\Startup →
%UserStartup%\ERUNT AutoBackup.lnk → %ProgramFiles%\ERUNT\AUTOBACK.EXE → [Ver = | Size = 38912 bytes | Modified Date = 10/20/2005 12:04:08 PM | Attr = ]
< ShellExecuteHooks [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks →
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] → %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon\Notify settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ →
!SASWinLogon → %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll → SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\NoDriveAutoRun → 67108863 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\NoDriveTypeAutoRun → 255 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → →
< CurrentVersion Policy Settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → →
< HOSTS File > (27 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →

51

127.0.0.1 localhost → →
< Internet Explorer Settings > → →
HKLM: Default_Page_URL → http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF →
HKLM: Main\Default_Search_URL → http://www.google.com/ie
HKLM: Local Page → %SystemRoot%\system32\blank.htm →
HKLM: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: Start Page → about:blank →
HKLM: CustomizeSearch → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM: Search\Default_Search_URL → http://www.google.com/ie
HKLM: SearchAssistant → http://www.google.com/ie
HKCU: Local Page → C:\WINDOWS\system32\blank.htm →
HKCU: Search Bar → http://www.google.com/ie
HKCU: Search Page → http://www.google.com
HKCU: Start Page → about:blank →
HKCU: SearchAssistant → http://www.google.com/ie
HKCU: ProxyEnable → 0 →
< BHO’s > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] → %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] → Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] → %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] → Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 10/31/2006 1:33:52 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] → %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [Google Toolbar Helper] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] → %ProgramFiles%\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll [Google Toolbar Notifier BHO] → Google Inc. [Ver = 2, 1, 615, 5858 | Size = 654832 bytes | Modified Date = 8/13/2007 2:15:10 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar →
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [&Google] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
< Internet Explorer ToolBars [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ →
ShellBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [&Google] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [&Google] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
WebBrowser\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
WebBrowser\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] → %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [MenuText: Sun Java Console] → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] → %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [MenuText: Sun Java Console] → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} → Reg Data - Value does not exist [ButtonText: Yahoo! Services] → File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} → Reg Data - Value does not exist [ButtonText: Research] → File not found
< Internet Explorer Menu Extensions [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → → File not found
< Default Protocols [HKLM] - Select to Repair > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Default Protocols [HKCU] - Select to Repair > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Protocol Handlers [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
msdaipp → Reg Data - Key not found → File not found
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{17492023-C23A-453E-A040-C7C580BBF700} → Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{193C772A-87BE-4B19-A7BB-445B226FE9A1} → ewidoOnlineScan Control - CodeBase = http://downloads.ewido.net/ewidoOnlineScan.cab
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} → Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} → Installation Support - CodeBase = C:\Program Files\Yahoo!\Common\Yinsthelper.dll →
{406B5949-7190-4245-91A9-30A17DE16AD0} → Snapfish Activia - CodeBase = http://photos.walmart.com/WalmartActivia.cab
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} → BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} → WUWebControl Class - CodeBase = http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
{644E432F-49D3-41A1-8DD5-E099162EEEC5} → Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} → MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
{8AD9C840-044E-11D1-B3E9-00805F499D93} → Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} → Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} → Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} → - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{F137B9BA-89EA-4B04-9C67-2074A9DF61FD} → Photo Upload Plugin Class - CodeBase = http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab? →

52

[Files/Folders - Created Within 30 days]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 200855552 bytes | Created Date = 1/1/1601 7:00:00 AM | Attr = HS]
qoobox → %SystemDrive%\qoobox → [Folder | Created Date = 10/16/2007 9:18:27 AM | Attr = ]
VundoFix Backups → %SystemDrive%\VundoFix Backups → [Folder | Created Date = 10/16/2007 2:32:40 PM | Attr = ]
_OTMoveIt → %SystemDrive%_OTMoveIt → [Folder | Created Date = 10/19/2007 10:39:34 AM | Attr = ]
catchme.exe → %SystemRoot%\catchme.exe → [Ver = | Size = 135168 bytes | Created Date = 10/16/2007 9:15:59 AM | Attr = ]
NirCmd.exe → %SystemRoot%\NirCmd.exe → NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 10/16/2007 9:16:00 AM | Attr = ]
pss → %SystemRoot%\pss → [Folder | Created Date = 10/15/2007 9:23:21 AM | Attr = ]
Thumbs.db → %SystemRoot%\Thumbs.db → [Ver = | Size = 7680 bytes | Created Date = 10/8/2007 11:54:27 AM | Attr = HS]
@Alternate Data Stream - 0 bytes → %SystemRoot%\Thumbs.db:encryptable →
java.exe → %System32%\java.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javacpl.cpl → %System32%\javacpl.cpl → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javaw.exe → %System32%\javaw.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javaws.exe → %System32%\javaws.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
SpoonUninstall.exe → %System32%\SpoonUninstall.exe → [Ver = | Size = 4229496 bytes | Created Date = 10/7/2007 9:31:10 AM | Attr = ]
@Alternate Data Stream - 26 bytes → %System32%\SpoonUninstall.exe:Zone.Identifier →
swreg.exe → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
swsc.exe → %System32%\swsc.exe → SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
swxcacls.exe → %System32%\swxcacls.exe → SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
boot.ini → %SystemDrive%\boot.ini → [Ver = | Size = 194 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = HS]
Documents and Settings → %SystemDrive%\Documents and Settings → [Folder | Modified Date = 10/18/2007 8:44:54 PM | Attr = ]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 200855552 bytes | Modified Date = 10/23/2007 8:34:04 AM | Attr = HS]
Program Files → %ProgramFiles% → [Folder | Modified Date = 10/22/2007 1:49:18 PM | Attr = R ]
qoobox → %SystemDrive%\qoobox → [Folder | Modified Date = 10/22/2007 3:03:08 PM | Attr = ]
System Volume Information → %SystemDrive%\System Volume Information → [Folder | Modified Date = 10/18/2007 9:44:14 AM | Attr = HS]
Temp → %SystemDrive%\Temp → [Folder | Modified Date = 10/22/2007 11:58:34 AM | Attr = ]
VundoFix Backups → %SystemDrive%\VundoFix Backups → [Folder | Modified Date = 10/16/2007 2:32:42 PM | Attr = ]
WINDOWS → %SystemRoot% → [Folder | Modified Date = 10/22/2007 7:33:50 PM | Attr = ]
_OTMoveIt → %SystemDrive%_OTMoveIt → [Folder | Modified Date = 10/19/2007 10:39:36 AM | Attr = ]
BDOSCAN8 → %SystemRoot%\BDOSCAN8 → [Folder | Modified Date = 10/17/2007 2:15:54 PM | Attr = ]
bootstat.dat → %SystemRoot%\bootstat.dat → [Ver = | Size = 2048 bytes | Modified Date = 10/23/2007 8:34:06 AM | Attr = S]
catchme.exe → %SystemRoot%\catchme.exe → [Ver = | Size = 135168 bytes | Modified Date = 9/28/2007 9:06:10 AM | Attr = ]
CSC → %SystemRoot%\CSC → [Folder | Modified Date = 10/22/2007 12:09:22 PM | Attr = HS]
Downloaded Program Files → %SystemRoot%\Downloaded Program Files → [Folder | Modified Date = 10/4/2007 3:03:12 PM | Attr = S]
EPISME00.SWB → %SystemRoot%\EPISME00.SWB → [Ver = | Size = 9662 bytes | Modified Date = 10/16/2007 9:49:56 AM | Attr = ]
erdnt → %SystemRoot%\erdnt → [Folder | Modified Date = 10/22/2007 2:15:28 PM | Attr = ]
Help → %SystemRoot%\Help → [Folder | Modified Date = 10/16/2007 9:51:28 AM | Attr = ]
inf → %SystemRoot%\inf → [Folder | Modified Date = 10/15/2007 9:19:54 AM | Attr = H ]
Installer → %SystemRoot%\Installer → [Folder | Modified Date = 10/4/2007 3:03:02 PM | Attr = HS]
NeroDigital.ini → %SystemRoot%\NeroDigital.ini → [Ver = | Size = 69 bytes | Modified Date = 10/8/2007 11:54:28 AM | Attr = ]
Prefetch → %SystemRoot%\Prefetch → [Folder | Modified Date = 10/22/2007 7:29:02 PM | Attr = ]
pss → %SystemRoot%\pss → [Folder | Modified Date = 10/15/2007 9:25:28 AM | Attr = ]
Registration → %SystemRoot%\Registration → [Folder | Modified Date = 10/13/2007 9:14:48 PM | Attr = ]
system.ini → %SystemRoot%\system.ini → [Ver = | Size = 227 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = ]
system32 → %System32% → [Folder | Modified Date = 10/22/2007 7:34:50 PM | Attr = ]
Tasks → %SystemRoot%\Tasks → [Folder | Modified Date = 10/22/2007 7:34:40 PM | Attr = S]
TEMP → %SystemRoot%\TEMP → [Folder | Modified Date = 10/23/2007 8:54:18 AM | Attr = ]
Thumbs.db → %SystemRoot%\Thumbs.db → [Ver = | Size = 7680 bytes | Modified Date = 10/8/2007 11:54:28 AM | Attr = HS]
@Alternate Data Stream - 0 bytes → %SystemRoot%\Thumbs.db:encryptable →
win.ini → %SystemRoot%\win.ini → [Ver = | Size = 573 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = ]
WindowsShellOld.Manifest.1 → %SystemRoot%\WindowsShellOld.Manifest.1 → [Ver = | Size = 82 bytes | Modified Date = 10/3/2007 10:56:02 AM | Attr = H ]
Norton Security Scan.job → %SystemRoot%\tasks\Norton Security Scan.job → [Ver = | Size = 420 bytes | Modified Date = 10/12/2007 4:44:22 PM | Attr = ]
SA.DAT → %SystemRoot%\tasks\SA.DAT → [Ver = | Size = 6 bytes | Modified Date = 10/23/2007 8:34:32 AM | Attr = H ]
CatRoot2 → %System32%\CatRoot2 → [Folder | Modified Date = 10/22/2007 7:38:48 PM | Attr = ]
dllcache → %System32%\dllcache → [Folder | Modified Date = 10/20/2007 8:05:30 PM | Attr = RHS]
drivers → %System32%\drivers → [Folder | Modified Date = 10/22/2007 7:40:28 PM | Attr = ]
java.exe → %System32%\java.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:28 PM | Attr = ]
javacpl.cpl → %System32%\javacpl.cpl → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr = ]
javaw.exe → %System32%\javaw.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:30 PM | Attr = ]
javaws.exe → %System32%\javaws.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr = ]
Restore → %System32%\Restore → [Folder | Modified Date = 10/18/2007 9:44:14 AM | Attr = ]
SpoonUninstall.exe → %System32%\SpoonUninstall.exe → [Ver = | Size = 4229496 bytes | Modified Date = 10/7/2007 9:30:14 AM | Attr = ]
@Alternate Data Stream - 26 bytes → %System32%\SpoonUninstall.exe:Zone.Identifier →
swreg.exe → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 10/5/2007 10:07:32 AM | Attr = ]
wpa.dbl → %System32%\wpa.dbl → [Ver = | Size = 2206 bytes | Modified Date = 10/22/2007 9:39:02 AM | Attr = ]
etc → %System32%\drivers\etc → [Folder | Modified Date = 10/22/2007 7:40:26 PM | Attr =

53

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 0 bytes → %SystemRoot%\Thumbs.db:encryptable →
UPX! , UPX0 , → %System32%\aswBoot.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 9/6/2007 3:09:50 AM | Attr = ]
PEC2 , → %System32%\dfrg.msc → [Ver = | Size = 41397 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
@Alternate Data Stream - 26 bytes → %System32%\SpoonUninstall.exe:Zone.Identifier →
USERTRUST , → %System32%\SpoonUninstall.exe → [Ver = | Size = 4229496 bytes | Modified Date = 10/7/2007 9:30:14 AM | Attr = ]
UPX! , UPX0 , → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 10/5/2007 10:07:32 AM | Attr = ]
winsync , → %System32%\wbdbase.deu → [Ver = | Size = 1309184 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
WSUD , UPX0 , → %System32%\dllcache\hwxjpn.dll → [Ver = | Size = 13463552 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]

< End of report >

54

Your logs, and your computer, are clean. You probably have this routine memorized by now but I’ll post it again just in case.

Open OTMoveIt again and click the Clean Up button. This will remove the tools we’ve used and the backups they made.

Now download and install CleanUp (if you don’t still have it from the last time), rebooting the computer if requested during installation

http://www.stevengould.org/index.php?option=com_content&task=view&id=29&Itemid=72

Open the program and click the Clean Up button in order to remove temporary files, browsing history, etc. It’s a good practice to use this program from time to time as malware can lurk in some of these locations. I usually run this program after every browsing session.

Next we will re-set your restore points to make sure there is no malware hiding there. Then if you need to restore at some stage you will be clean.

  1. Select Start > All Programs > Accessories > System tools > System Restore.
  2. On the dialogue box that appears select Create a Restore Point
  3. Click NEXT
  4. Enter a name e.g. Clean
  5. Click CREATE

You now have a clean restore point; to get rid of the old ones:

  1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  2. In the Drop down box that appears select your main drive e.g. C
  3. Click OK
  4. The System will do some calculation and the display a dialogue box with TABS 5. Select the More Options Tab.
  5. At the bottom will be a system restore box with a CLEANUP button click this 7. Accept the Warning and select OK again.

You know this is the third time you’ve had a pretty good dose of Vundo on your computer in the past few months. I think this lastest one might have originated with a downloader sent you (or your brother) in an email. I’m not sure of the source of the other two but it could be a malicious or hacked web site you visit. You might want to turn the web shield up to high and take a look at the sites you do visit. Or could it be your brother on one of those sort of sites you might not have an interest in … ;D

In any event, our work is done :slight_smile:

55

Well, thanks once again. I don’t know what I would do without this forum! :wink:

How would I know if a website is malicious or hacked? I only visit about 5 websites normally (I don’t do much online). The only problem now is that my brother just moved in with us and is ALWAYS on the computer. He just isn’t cautious about anything and will click and dowload everything. :-\

Also, should I install a third party firewall? If yes, which one? And how do I know how to respond to the warnings? :stuck_out_tongue:

56

Hi tryan21,

How would you know. Use scandoo.com as your favorite search engine, all greens are secure. Install DrWeb’s hyperlink av scanner plug-in in your browser of choice, and you can scan a link before downloading if it is clean.
There are a few things you must do once you are completely clean:

  1. Re-hide your System Files and Folders to prevent any future accidents.

    Reconfigure Windows XP to hide hidden files:
    * Click Start. Open My Computer.
    * Select the Tools menu and click Folder Options. Select the View Tab.
    * Under the Hidden files and folders heading deselect “Show hidden files and folders”.
    * Check the “Hide protected operating system files (recommended)” option.
    * Click Yes to confirm. Click OK.

  2. Please download ATF Cleaner by Atribune: http://www.atribune.org/content/view/25/2/
    This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

  3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

    TO DISABLE SYSTEM RESTORE

    1. Right-click “My Computer”, and then left click “Properties”.
    2. Left click on “System Restore Tab”
    3. Check box beside “Turn Off System Restore”
    4. Left click on “Apply”
      Reboot your System

    TO ENABLE SYSTEM RESTORE

    1. Remove check mark from “Turn Off System Restore”
    2. Click on “Apply”

Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:
* Install ad-aware 2007

* Spywareblaster <= SpywareBlaster will prevent spyware from being installed.

* a-squaredFree as an anti-trojan solution.

An good Firewall program is COMODO + ComodoBoClean 4.25 All programs are free…

Surf secure and stay malware free,

polonus

P.S. and for your brother make a separate account without admin rights (only normal user rights) and with the program safeXP installed (download here: http://www.theorica.net/download.htm ), he can do less harm there.

57

There are risky sites, like porn and warez/crack sites that are reliable sources of infection (not saying those are in your list of 5 - just speaking in general terms). But whatever the sites you visit, if you seem to often have an infection after visiting a particular one be wary of it.

And I agree with Pol - giving you brother a limited account is a good idea.

I’ll cast my vote in favor of Comodo as well, at least until avast! releases the firewall they have in development. After you install it open the interface and click Security>Tasks>Scan for Known Applications. This will build and limit the decisions you need to make. After that a little common sense helps - if you open a program you expect will want an internet connection and Comodo alerts you that it is, click to remember the action and allow it. On the other hand if you’re playing solitaire and out of the blue Comodo tells you some application is trying to connect, you and I need to talk again (after you block it). And of course there’s always the forum if you just can’t figure it out.

Oh, and thank you too. You always bring unique challenges to the forum - challenges that make me improve my abilities and force me to be creative. I know its a pain for you but its a great learning experience for me. :slight_smile:

58

Hi tryan21,

I agree with Keith here. This is the malware cleansing routine to dream about, challenging and instructive, one for the anti malware book. Bad for you, but good for the anti malware fighters (ironic remark),

Damian

59

I installed COMODO firewall and have pretty much been able to figure out the warnings and how to respond. There is one though that I’m not sure about. I get it as soon as I start my computer (everytime) and then at various times when it’s been started for awhile. I haven’t been allowing it although it might be harmless. I just can’t figure out what program it’s comming from.
It says “Generic Host process for Win32 Services is trying to act as server
Application: svchost.exe
Parent: services.exe

60

While I normally don’t like to allow inbound on my computer I have had to do so recently because of a Windows update in August that changes the way Generic Host process for Win32 Services functions. There is a thread on the Comodo forums about this here

http://forums.comodo.com/help/sychostexe-t11762.0.html

(I assume the initiator of the thread simply mistyped svchost as syvhost)

To recap the thread, its ok to allow it on certain ports and a fix is planned for Comodo v3.0 when its released.