Help with removal

I have been working on removing this virus/trojan/spyware/malware for weeks now. I have gotten it to the point where the computer is usable, but I still get pop-ups, security warnings, and occasional internet slow-downs. I've tried about everything I know, so now I ask for help. I have used multiple virus and spyware scanners (AVG, Trend Micro, Adaware, Spybot, etc.). I will attach my current HJT log. I would appreciate any help. Please let me know what else you need from me.

Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:36:31 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kuclvtfi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\SexyMalia\My Documents\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27394244-52E7-4E16-A71C-B59905EB4B34} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: (no name) - {35ece37d-f7f0-4a05-8ceb-82192e4ad6bb} - C:\WINDOWS\system32\comcct.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: 0 - {8701BF3C-009A-4148-2680-EA441C28F6CA} - (no file)
O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - (no file)
O2 - BHO: (no name) - {95081E37-D5D8-AA2F-DB06-8DADAB9720B3} - C:\WINDOWS\system32\dzbyhf.dll
O2 - BHO: (no name) - {9A853E36-4A35-4DBF-9C03-AD9423798E35} - (no file)
O2 - BHO: (no name) - {B84AAACD-5E04-4E8E-A023-8ECA1DEC64A6} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\huagaage.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\qpaovstm.dll",realset
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5024/mcfscan.cab
O20 - Winlogon Notify: byxywuu - byxywuu.dll (file missing)
O20 - Winlogon Notify: comcct - C:\WINDOWS\SYSTEM32\comcct.dll
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
O20 - Winlogon Notify: à˜ - à˜ (file missing)
O21 - SSODL: sJLxRkRsnp - {F445E17C-5EEF-4BD6-67BD-EFB8C3B8F390} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4816 bytes

Comments

  • edited June 2007
    Hi melhoff13 and welcome to Icrontic. I'm checking your log, so please be patient.
  • edited June 2007
    Hi melhoff13

    I don't see any indication of a Firewall in your HijackThis log.
    If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

    Please do the following...
    step 1
    Please delete any HijackThis Folders and Files you have now. Use Add/Remove Programs and remove HijackThis. What you have now is a Beta Version and isn't ready to use.
    You can get a complete installer that installs HijackThis to C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut from here
    Click on the link and select Save, save it to your desktop and double click HJTsetup.exe.

    step 2
    Please rename hijackthis.exe to scanner.exe

    step 3
    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {27394244-52E7-4E16-A71C-B59905EB4B34} - C:\WINDOWS\system32\geebc.dll
    O2 - BHO: (no name) - {35ece37d-f7f0-4a05-8ceb-82192e4ad6bb} - C:\WINDOWS\system32\comcct.dll
    O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - (no file)
    O2 - BHO: 0 - {8701BF3C-009A-4148-2680-EA441C28F6CA} - (no file)
    O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - (no file)
    O2 - BHO: (no name) - {95081E37-D5D8-AA2F-DB06-8DADAB9720B3} - C:\WINDOWS\system32\dzbyhf.dll
    O2 - BHO: (no name) - {9A853E36-4A35-4DBF-9C03-AD9423798E35} - (no file)
    O2 - BHO: (no name) - {B84AAACD-5E04-4E8E-A023-8ECA1DEC64A6} - (no file)
    O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file
    O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\huagaage.dll
    O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\qpaovstm.dll",realset
    O20 - Winlogon Notify: byxywuu - byxywuu.dll (file missing)
    O20 - Winlogon Notify: comcct - C:\WINDOWS\SYSTEM32\comcct.dll
    O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll
    O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
    O20 - Winlogon Notify: à˜ - à˜ (file missing)
    O21 - SSODL: sJLxRkRsnp - {F445E17C-5EEF-4BD6-67BD-EFB8C3B8F390} - (no file)

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    step 4
    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    step 5
    Open HijackThis
    - Click the Do a system scan and save a logfile button

    step 6
    Please, post these logs:
    C:\vundofix.txt
    hjt-log
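The entries ticked in the reply above share a few structural tells: a BHO with "(no name)" that loads from system32, entries whose file is already gone ("(no file)", "(file missing)"), any Winlogon Notify package, and a Run key that starts a DLL through rundll32. As an added example, not code from this thread, from Icrontic or from the HijackThis project, the following Python script parses HijackThis entry lines and applies those checks; the sample input is a handful of lines copied from the log posted above plus a few benign entries for contrast, and the reasons and rules are assumptions of the example, meant as a first-pass triage aid rather than a verdict (Spybot's SDHelper also shows as "(no name)" and is fine).

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not code from this thread or from the HijackThis project.
The checks mirror what a log helper looks at first and are assumptions of
this example, not a verdict: a flagged line means "look closer", nothing more.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above,
# plus a few benign entries (Adobe, Spybot's SDHelper, AVG, NVIDIA) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27394244-52E7-4E16-A71C-B59905EB4B34} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\qpaovstm.dll",realset
O20 - Winlogon Notify: byxywuu - byxywuu.dll (file missing)
O20 - Winlogon Notify: comcct - C:\WINDOWS\SYSTEM32\comcct.dll
O21 - SSODL: sJLxRkRsnp - {F445E17C-5EEF-4BD6-67BD-EFB8C3B8F390} - (no file)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
# rundll32 [path\]name.dll,EntryPoint  (quotes around the path are optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O2"
    reason: str    # why the line was flagged
    line: str      # the original log line


def parse_entry(line):
    """Return (section, body) for an HJT entry line, or None for any other line."""
    match = ENTRY_RE.match(line.strip())
    return (match.group(1), match.group(2)) if match else None


def triage_line(line):
    """Apply the heuristics to one log line; returns a (possibly empty) list of findings."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body = parsed
    findings = []

    # 1. The registry still points at a component whose file is gone. Harmless by itself,
    #    but it is leftover from something that was installed, and HJT can remove the entry.
    if any(marker in body for marker in ORPHAN_MARKERS):
        findings.append(Finding(section, "orphaned entry: registry points at a missing file", line))

    # 2. A Browser Helper Object with no name, living in system32. Legitimate BHOs usually
    #    carry a name and install under Program Files (Spybot's SDHelper is the exception
    #    that shows why this is a hint, not a verdict).
    if section == "O2" and body.startswith("BHO: (no name)") and SYSTEM32_RE.search(body):
        findings.append(Finding(section, "unnamed BHO loaded from system32", line))

    # 3. Winlogon Notify packages load into winlogon.exe at every logon; they are a
    #    well-known persistence point and every one listed deserves a look.
    if section == "O20":
        findings.append(Finding(section, "Winlogon Notify DLL (persistence inside winlogon.exe)", line))

    # 4. A Run key that starts a system32 DLL through rundll32 by export name.
    if section == "O4":
        match = RUNDLL_RE.search(body)
        if match and SYSTEM32_RE.search(match.group(1)):
            findings.append(Finding(section, "rundll32 Run entry loading a system32 DLL", line))

    return findings


def triage(log_text):
    """Run triage_line over a whole log and return all findings in log order."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def flagged_lines(log_text):
    """Distinct log lines that received at least one finding, in log order."""
    seen = []
    for finding in triage(log_text):
        if finding.line not in seen:
            seen.append(finding.line)
    return seen


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

Run against the sample, the script flags six of the ten lines (the geebc BHO, the orphaned IE Redirector and SSODL entries, the rundll32 Run key and both Winlogon Notify packages) and leaves Adobe, SDHelper, AVG and NVIDIA alone, which matches the set the helper asked to have fixed.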
  • edited June 2007
    I did all the above steps. Here are the logs. Thanks for your quick response.


    VundoFix V6.4.2
    Checking Java version...
    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.
    Java version is 1.5.0.8
    Old versions of java are exploitable and should be removed.
    Scan started at 5:40:35 AM 6/4/2007
    Listing files found while scanning....
    C:\WINDOWS\system32\cbeeg.bak1
    C:\WINDOWS\system32\cbeeg.bak2
    C:\WINDOWS\system32\cbeeg.ini
    C:\WINDOWS\system32\cbeeg.ini2
    C:\WINDOWS\system32\cbeeg.tmp
    C:\WINDOWS\system32\fwunlaxq.ini
    C:\WINDOWS\system32\geebc.dll
    C:\WINDOWS\system32\ggjlm.ini
    C:\WINDOWS\system32\gogvtdmu.ini
    C:\WINDOWS\system32\hgmafsmg.dll
    C:\WINDOWS\system32\kqwvjppv.ini
    C:\WINDOWS\system32\mljgg.dll
    C:\WINDOWS\system32\mpwkedry.dll
    C:\WINDOWS\system32\mtsvoapq.ini
    C:\WINDOWS\system32\qeqrukam.dll
    C:\WINDOWS\system32\qpaovstm.dll
    C:\WINDOWS\system32\qxalnuwf.dll
    C:\WINDOWS\system32\tmp25.tmp.dll
    C:\WINDOWS\system32\umdtvgog.dll
    C:\WINDOWS\system32\ututv.ini
    C:\WINDOWS\system32\vppjvwqk.dll
    C:\WINDOWS\system32\vtutu.dll
    C:\WINDOWS\system32\yrdekwpm.ini
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\cbeeg.bak1
    C:\WINDOWS\system32\cbeeg.bak1 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\cbeeg.bak2
    C:\WINDOWS\system32\cbeeg.bak2 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\cbeeg.ini
    C:\WINDOWS\system32\cbeeg.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\cbeeg.ini2
    C:\WINDOWS\system32\cbeeg.ini2 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\cbeeg.tmp
    C:\WINDOWS\system32\cbeeg.tmp Has been deleted!
    Attempting to delete C:\WINDOWS\system32\fwunlaxq.ini
    C:\WINDOWS\system32\fwunlaxq.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\geebc.dll
    C:\WINDOWS\system32\geebc.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\ggjlm.ini
    C:\WINDOWS\system32\ggjlm.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\gogvtdmu.ini
    C:\WINDOWS\system32\gogvtdmu.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\hgmafsmg.dll
    C:\WINDOWS\system32\hgmafsmg.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\kqwvjppv.ini
    C:\WINDOWS\system32\kqwvjppv.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\mljgg.dll
    C:\WINDOWS\system32\mljgg.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\mpwkedry.dll
    C:\WINDOWS\system32\mpwkedry.dll Could not be deleted.
    Attempting to delete C:\WINDOWS\system32\mtsvoapq.ini
    C:\WINDOWS\system32\mtsvoapq.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\qeqrukam.dll
    C:\WINDOWS\system32\qeqrukam.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\qpaovstm.dll
    C:\WINDOWS\system32\qpaovstm.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\qxalnuwf.dll
    C:\WINDOWS\system32\qxalnuwf.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\tmp25.tmp.dll
    C:\WINDOWS\system32\tmp25.tmp.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\umdtvgog.dll
    C:\WINDOWS\system32\umdtvgog.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\ututv.ini
    C:\WINDOWS\system32\ututv.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\vppjvwqk.dll
    C:\WINDOWS\system32\vppjvwqk.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\vtutu.dll
    C:\WINDOWS\system32\vtutu.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\yrdekwpm.ini
    C:\WINDOWS\system32\yrdekwpm.ini Has been deleted!
    Performing Repairs to the registry.
    Done!
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\mpwkedry.dll
    C:\WINDOWS\system32\mpwkedry.dll Has been deleted!
    Performing Repairs to the registry.
    Done!


    Logfile of HijackThis v1.99.1
    Scan saved at 6:01:29 AM, on 6/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\scanner.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O11 - Options group: [INTERNATIONAL] International*
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • edited June 2007
    ;) Hi melhoff13
    Good Work!
    Where's your firewall?
    You can download firewall from
    Comodo Free Firewall

    Please do the following...

    step 1
    Please download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!
    Double-click ATF Cleaner.exe to open it.
    Under Main select the following:
    * Windows Temp
    * Current User Temp
    * All Users Temp
    * Temporary Internet Files
    * Prefetch
    * Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Print out these instructions or save them with notepad or Word

    step 2
    • Start AVG Anti-Spyware
    • Click the Update icon
    • Click Start update
    • Wait until updates are downloaded
    • If you are having problems with the updater, you can use this link to update manually
    • Click the Scanner icon
    • Open the Settings tab
      • Make sure that under "How to act?" it reads Quarantine
      • (If not, click the text and choose Quarantine)
      • Under "How to scan?" all checkboxes should be ticked
      • Under "Reports" select Automatically generate report after every scan
        and uncheck Only if threats were found
      • Under "What to scan?" select Scan every file

    • Click the Shield icon
    • Under the "Resident shield is" click active to make it inactive
    • Close AVG Anti-Spyware
    Reboot to safe mode
    • If the computer is running, shut down Windows, and then turn off the power
    • Wait 30 seconds, and then turn the computer on
    • Start tapping the F8 key
    • The Windows Advanced Options Menu appears
    • Ensure that the Safe Mode option is selected
    • Press Enter. The computer then begins to start in Safe mode
    • Login on your usual account
    • Close all open windows / programs / folders
    • Start AVG Anti-Spyware
    • Click the Scanner icon
    • Click Complete System Scan
    • Let the program scan the machine
    • When the scan has finished, follow the instructions below
      • Make sure that under "Set all elements to" it reads Quarantine
      • (If not, click the text and choose Quarantine)
      • Click Apply all actions
      • Click Save Report
      • Click Save reports as
      • Save report to your Desktop
    step 3
    Please download Deckard's System Scanner to your Desktop

    * Close all applications and windows.
    * Double-click on Dss.exe to run it, and follow the prompts.
    * The scan may take a minute. When the scan is complete, two text files will open: Main.txt and extra.txt
    step 4
    Please, post these logs:
    AVG Anti-Spyware
    Dss.main.txt
    Dss.extra.txt
  • edited June 2007
    Here are the logs....

    I now have ZoneAlarm installed as well....

    AVG Anti-Spyware - Scan Report
    + Created at: 5:29:16 PM 6/4/2007
    + Scan result:

    C:\Documents and Settings\SexyMalia\Local Settings\Temp\sltbwlfc.dll -> Logger.VBStat.h : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\fcsvtqrc.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\fptclram.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\fsjohyxe.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\kuclvtfi.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\nvxbxxnd.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\pboemhwa.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\sylargtg.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\vpaonvga.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\wgnjrbsn.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\ywempcna.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).

    ::Report end

    Deckard's System Scanner v20070603.47
    Run by SexyMalia on 2007-06-04 at 17:35:03
    Computer is in Normal Mode.
    -- System Restore
    System Restore is disabled; attempting to re-enable...success.

    -- Last 1 Restore Point(s) --
    1: 2007-06-04 22:35:04 UTC - RP1 - System Checkpoint

    Backed up registry hives.
    Performed disk cleanup.

    -- HijackThis Clone
    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-06-04 17:36:33
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16441)
    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\SexyMalia\Desktop\dss.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
    O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - (no file)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
    O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe

    -- File Associations
    All associations okay.

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    S1 SABKUTIL - c:\program files\superadblocker.com\super ad blocker\sabkutil.sys (file missing)
    S2 Rdt37 - c:\windows\system32\rdt37.sys (file missing)
    S2 windev-2bf9-1795 - c:\windows\system32\windev-2bf9-1795.sys (file missing)
    S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
    S3 PID_0928 (Labtec WebCam(PID_0928)) - c:\windows\system32\drivers\lv561av.sys (file missing)
    S3 RimUsb (BlackBerry Device) - c:\windows\system32\drivers\rimusb.sys (file missing)
    S3 SABProcEnum - c:\program files\superadblocker.com\super ad blocker\sabprocenum.sys (file missing)

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    S3 SQLAgent$COSSNET8082 - c:\program files\microsoft sql server\mssql$cossnet8082\binn\sqlagent.exe -i cossnet8082 <Not Verified; Microsoft Corporation; Microsoft SQL Server>
    S4 MSSQL$COSSNET8082 - c:\program files\microsoft sql server\mssql$cossnet8082\binn\sqlservr.exe -scossnet8082 <Not Verified; Microsoft Corporation; Microsoft SQL Server>
    S4 Pml Driver HPZ12 - c:\windows\system32\hpzipm12.exe (file missing)

    -- Files created between 2007-05-04 and 2007-06-04
    2007-06-04 06:22:14 4212 ---h C:\WINDOWS\system32\zllictbl.dat
    2007-06-04 06:21:23 0 d C:\WINDOWS\system32\ZoneLabs
    2007-06-04 06:20:52 0 d C:\WINDOWS\Internet Logs
    2007-06-04 05:40:35 0 d C:\VundoFix Backups
    2007-06-03 13:07:34 0 d C:\Program Files\Eusing Free Registry Cleaner
    2007-06-03 11:19:57 0 d C:\Documents and Settings\SexyMalia\Application Data\AVG7
    2007-06-03 11:19:26 0 d C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-06-03 11:19:06 0 d C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-06-03 11:19:06 0 d C:\Documents and Settings\All Users\Application Data\avg7
    2007-06-02 23:03:10 0 dr-h C:\$VAULT$.AVG
    2007-05-30 17:35:44 0 d--hs---- C:\$RECYCLE.BIN
    2007-05-30 17:14:46 438840 -rahs---- C:\bootmgr
    2007-05-30 17:14:46 0 d--hs---- C:\Boot
    2007-05-30 17:07:07 0 d c- C:\WINDOWS\system32\DRVSTORE
    2007-05-29 00:11:42 0 d C:\Program Files\?asks
    2007-05-23 23:01:54 0 d C:\Documents and Settings\SexyMalia\Application Data\DivX
    2007-05-23 23:00:17 0 d C:\Documents and Settings\SexyMalia\Application Data\Ulead Systems
    2007-05-23 22:56:38 0 d C:\Documents and Settings\All Users\Application Data\InterVideo
    2007-05-23 22:56:34 204800 --a C:\WINDOWS\system32\IVIresizeW7.dll
    2007-05-23 22:56:34 188416 --a C:\WINDOWS\system32\IVIresizePX.dll
    2007-05-23 22:56:34 192512 --a C:\WINDOWS\system32\IVIresizeP6.dll
    2007-05-23 22:56:34 192512 --a C:\WINDOWS\system32\IVIresizeM6.dll
    2007-05-23 22:56:33 200704 --a C:\WINDOWS\system32\IVIresizeA6.dll
    2007-05-23 22:56:33 20480 --a C:\WINDOWS\system32\IVIresize.dll
    2007-05-23 22:55:20 0 d C:\Program Files\DivX
    2007-05-23 22:54:45 0 d C:\Program Files\Common Files\LightScribe
    2007-05-23 22:50:05 0 d C:\Program Files\Common Files\Ulead Systems
    2007-05-23 22:50:02 0 d C:\Program Files\Ulead Systems
    2007-05-23 22:50:02 0 d C:\Documents and Settings\All Users\Application Data\Ulead Systems
    2007-05-23 22:22:17 0 d C:\Program Files\Common Files\W?nSxS
    2007-05-23 17:44:14 1590 --a C:\WINDOWS\system32\tmp.reg
    2007-05-23 17:23:29 0 d C:\Rustbfix
    2007-05-23 07:37:09 0 d C:\Program Files\Common Files\??sks
    2007-05-22 21:22:27 0 d C:\WINDOWS\system32\LogFiles
    2007-05-22 18:18:55 0 d C:\Program Files\WinAce
    2007-05-22 17:47:11 0 d C:\WINDOWS\system32\SoftwareDistribution
    2007-05-22 17:33:27 0 d C:\Program Files\a?sembly
    2007-05-22 17:30:47 0 d C:\Program Files\Wondershare
    2007-05-22 06:33:42 0 d C:\Program Files\Common Files\Adobe
    2007-05-22 06:33:36 0 d C:\Documents and Settings\All Users\Application Data\Adobe
    2007-05-22 06:26:01 0 d C:\Documents and Settings\SexyMalia\Application Data\AdobeUM
    2007-05-20 19:12:27 0 d C:\Documents and Settings\SexyMalia\Application Data\PlayFirst
    2007-05-19 17:51:40 0 d C:\Documents and Settings\SexyMalia\Application Data\Adobe
    2007-05-19 17:16:16 0 d C:\Documents and Settings\SexyMalia\Application Data\ArcSoft
    2007-05-18 18:24:20 0 d C:\Program Files\Common Files\Java
    2007-05-18 18:13:07 0 d C:\Documents and Settings\SexyMalia\Application Data\Sun
    2007-05-18 17:18:54 106658 --a C:\WINDOWS\cbxusr.dll
    2007-05-18 17:09:07 0 d C:\WinPFind3
    2007-05-18 05:46:58 0 d C:\WINDOWS\system32\Kaspersky Lab
    2007-05-17 21:25:24 0 d C:\Documents and Settings\SexyMalia\Application Data\Macromedia
    2007-05-17 17:58:20 1 --a C:\WINDOWS\system32\ps.dat
    2007-05-17 17:58:20 1 --a C:\WINDOWS\system32\boa.dat
    2007-05-17 17:33:10 0 d C:\Documents and Settings\SexyMalia\Application Data\Lavasoft
    2007-05-17 17:20:36 0 d C:\Documents and Settings\SexyMalia\Application Data\Identities
    2007-05-17 17:20:23 0 d--h C:\Documents and Settings\SexyMalia\Templates
    2007-05-17 17:20:23 0 dr C:\Documents and Settings\SexyMalia\Start Menu
    2007-05-17 17:20:23 0 dr-h C:\Documents and Settings\SexyMalia\SendTo
    2007-05-17 17:20:23 0 dr-h C:\Documents and Settings\SexyMalia\Recent
    2007-05-17 17:20:23 0 d--h C:\Documents and Settings\SexyMalia\PrintHood
    2007-05-17 17:20:23 2359296 --ah C:\Documents and Settings\SexyMalia\NTUSER.DAT
    2007-05-17 17:20:23 0 d--h C:\Documents and Settings\SexyMalia\NetHood
    2007-05-17 17:20:23 0 dr C:\Documents and Settings\SexyMalia\My Documents
    2007-05-17 17:20:23 0 d--h C:\Documents and Settings\SexyMalia\Local Settings
    2007-05-17 17:20:23 0 dr C:\Documents and Settings\SexyMalia\Favorites
    2007-05-17 17:20:23 0 d C:\Documents and Settings\SexyMalia\Desktop
    2007-05-17 17:20:23 0 d--hs---- C:\Documents and Settings\SexyMalia\Cookies
    2007-05-17 17:20:23 0 dr-h C:\Documents and Settings\SexyMalia\Application Data
    2007-05-08 16:05:11 1 --a C:\WINDOWS\system32\kr_done1
    2007-05-08 15:54:54 932 --a C:\WINDOWS\system32\winpfz32.sys
    2007-05-08 15:53:31 8464 --a C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    2007-05-06 12:08:04 0 d C:\Program Files\PCPitstop
    2007-05-06 11:07:15 0 d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-05-05 23:18:51 0 d C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2007-05-05 12:47:43 0 d C:\WINDOWS\McAfee.com
    2007-05-05 12:14:31 0 d C:\WINDOWS\system32\smpi1

    -- Find3M Report
    2007-06-04 06:15:50 0 d C:\Program Files\Yahoo! Games
    2007-06-04 06:14:30 0 d C:\Program Files\Common Files\Research In Motion
    2007-06-03 21:08:46 0 d C:\Program Files\Microsoft Money 2006
    2007-06-03 13:30:37 0 d C:\Program Files\Common Files\Logitech
    2007-06-03 13:24:45 0 d C:\Program Files\Pinnacle
    2007-06-03 13:21:42 0 d C:\Program Files\Common Files\InstallShield
    2007-06-03 13:19:39 0 d--h C:\Program Files\InstallShield Installation Information
    2007-05-18 18:24:56 0 d C:\Program Files\Java
    2007-05-16 23:01:26 0 d--h C:\Program Files\WindowsUpdate
    2007-05-10 05:57:59 0 d C:\Program Files\eMule
    2007-05-10 05:57:35 0 d C:\Program Files\Elaborate Bytes

    -- Registry Dump
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
    "ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
    "{9A853E36-4A35-4DBF-9C03-AD9423798E35}"=""
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
    "item"="Microsoft Office"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
    "backup"="C:\\WINDOWS\\pss\\Monitor Apache Servers.lnkCommon Startup"
    "location"="Common Startup"
    "item"="Monitor Apache Servers"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
    "backup"="C:\\WINDOWS\\pss\\Service Manager.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MI6841~1\\80\\Tools\\Binn\\sqlmangr.exe /n"
    "item"="Service Manager"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^wmplayer.exe]
    "location"="Common Startup"
    "item"="wmplayer"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark and Malia^Start Menu^Programs^Startup^FriendFinder Messenger.lnk]
    "backup"="C:\\WINDOWS\\pss\\FriendFinder Messenger.lnkStartup"
    "location"="Startup"
    "item"="FriendFinder Messenger"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark and Malia^Start Menu^Programs^Startup^TA_Start.lnk]
    "backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
    "location"="Startup"
    "item"="TA_Start"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark and Malia^Start Menu^Programs^Startup^Think-Adz.lnk]
    "backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
    "location"="Startup"
    "item"="Think-Adz"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark and Malia^Start Menu^Programs^Startup^Z_Start.lnk]
    "backup"="C:\\WINDOWS\\pss\\Z_Start.lnkStartup"
    "location"="Startup"
    "item"="Z_Start"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1194862116]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="EGAMES~1"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\eGames\\PUZZLE~3\\Register\\EGAMES~1.EXE /r \"C:\\PROGRA~1\\eGames\\PUZZLE~3\\Register\\EGAMES~1.rpd\""
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AnyDVD"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="drvjil"
    "hkey"="HKLM"
    "command"="rundll32.exe C:\\WINDOWS\\system32\\drvjil.dll,startup"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="vppjvwqk"
    "hkey"="HKLM"
    "command"="rundll32.exe \"C:\\WINDOWS\\system32\\vppjvwqk.dll\",realset"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HPWuSchd2"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="dumprep 0 -k"
    "hkey"="HKLM"
    "command"="%systemroot%\\system32\\dumprep 0 -k"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NvCpl"
    "hkey"="HKLM"
    "command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="nwiz"
    "hkey"="HKLM"
    "command"="nwiz.exe /install"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PSDrvCheck"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AdobeUpdateManager"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="YahooMessenger"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Messenger"=dword:00000002
    "iPodService"=dword:00000003

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

    -- End of Deckard's System Scanner: finished at 2007-06-04 at 17:37:30


    Deckard's System Scanner v20070603.47
    Extra logfile - please post this as an attachment with your post.
    -- System Information
    Microsoft Windows XP Home Edition (build 2600) SP 2.0
    Architecture: X86; Language: English
    CPU 0: Intel(R) Pentium(R) 4 CPU 1.60GHz
    Percentage of Memory in Use: 44%
    Physical Memory (total/avail): 511.01 MiB / 282.04 MiB
    Pagefile Memory (total/avail): 1249.88 MiB / 1025.25 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1974.14 MiB
    A: is Removable (No Media)
    C: is Fixed (NTFS) - 18.64 GiB total, 8.57 GiB free.
    D: is CDROM (No Media)
    E: is CDROM (No Media)
    F: is Fixed (NTFS) - 28.62 GiB total, 14.77 GiB free.

    -- Security Center
    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.
    FW: ZoneAlarm Firewall v7.0.337.000 (Check Point, LTD.)
    AV: AVG 7.5.472 v7.5.472 (GRISOFT)
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\DOCUME~1\\SEXYMA~1\\LOCALS~1\\Temp\\win3.tmp.exe"="C:\\DOCUME~1\\SEXYMA~1\\LOCALS~1\\Temp\\win3.tmp.exe:*:Enabled:win3.tmp"
    "C:\\WINDOWS\\TEMP\\win39D.tmp.exe"="C:\\WINDOWS\\TEMP\\win39D.tmp.exe:*:Enabled:win39D.tmp"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\TEMP\\winEB.tmp.exe"="C:\\WINDOWS\\TEMP\\winEB.tmp.exe:*:Enabled:winEB.tmp"
    "C:\\WINDOWS\\TEMP\\win107.tmp.exe"="C:\\WINDOWS\\TEMP\\win107.tmp.exe:*:Enabled:win107.tmp"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

    -- Environment Variables
    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\SexyMalia\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=MARK-H2IH8WAEW5
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\SexyMalia
    LOGONSERVER=\\MARK-H2IH8WAEW5
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Common Files\Ulead Systems\MPEG;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0102
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\SEXYMA~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\SEXYMA~1\LOCALS~1\Temp
    tvdumpflags=8
    USERDOMAIN=MARK-H2IH8WAEW5
    USERNAME=SexyMalia
    USERPROFILE=C:\Documents and Settings\SexyMalia
    windir=C:\WINDOWS

    -- User Profiles
    SexyMalia (admin)
    Administrator (admin)

    -- Add/Remove Programs
    --> "C:\Program Files\InstallShield Installation Information\{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23}\setup.exe" --u:{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23}
    --> MsiExec.exe /I{88F9401B-D6C7-4DF9-A927-E4529B143C1E}
    --> MsiExec.exe /I{8941046B-CC2F-49C9-990B-A812679C6935}
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    1500 -->
    1500_Help -->
    1500Trb -->
    Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
    Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
    AiO_Scan -->
    AiOSoftware -->
    AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
    AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
    AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
    BlackBerry Web Tool for DST 2007 Device Updates --> MsiExec.exe /X{45B914D8-DE1C-4004-9B47-13E013841739}
    BufferChm -->
    Destinations -->
    Director -->
    Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
    Fax -->
    Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
    Hoyle Board Games 5 OEM --> C:\WINDOWS\IsUninst.exe -f"f:\Hoyle\SIERRA\Hoyle Board Games 5\Uninst.isu"
    Hoyle Card Games 5 OEM --> C:\WINDOWS\IsUninst.exe -f"f:\Hoyle\SIERRA\Hoyle Card Games 5 OEM\Uninst.isu"
    Hoyle Casino 6 OEM --> C:\WINDOWS\IsUninst.exe -f"f:\Hoyle\SIERRA\Hoyle Casino 6 OEM\Uninst.isu"
    HP Image Zone 4.7 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
    HP Image Zone Express --> MsiExec.exe /X{759524D5-08C9-4E88-8EB3-8D6ECB226C52}
    HP Product Assistant -->
    HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
    HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
    HPSystemDiagnostics -->
    Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
    Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
    Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
    Microsoft SQL Server Desktop Engine (COSSNET8082) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Mystery Case Files - Prime Suspects (remove only) --> "C:\Program Files\Yahoo! Games\Mystery Case Files - Prime Suspects\Uninstall.exe"
    Mystery Case Files - Ravenhearst (remove only) --> "C:\Program Files\Yahoo! Games\Mystery Case Files - Ravenhearst\Uninstall.exe"
    NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
    ProductContext -->
    Puzzle Master 3 --> C:\PROGRA~1\eGames\PUZZLE~1\UNWISE.EXE C:\PROGRA~1\eGames\PUZZLE~1\INSTALL.LOG
    Puzzle Master 4 --> C:\PROGRA~1\eGames\PUZZLE~2\UNWISE.EXE C:\PROGRA~1\eGames\PUZZLE~2\INSTALL.LOG
    Puzzle Master 5 --> C:\PROGRA~1\eGames\PUZZLE~3\UNWISE.EXE C:\PROGRA~1\eGames\PUZZLE~3\INSTALL.LOG
    QFolder -->
    QuickTime -->
    QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
    Readme -->
    Scan -->
    ScannerCopy -->
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    TrayApp -->
    Ulead DVD MovieFactory 6 TBYB --> C:\Program Files\InstallShield Installation Information\{CCC4E428-411E-4605-B515-317D50ABD477}\setup.exe -runfromtemp -l0x0409
    Unload -->
    WebFldrs XP -->
    WebReg -->
    WinAce Archiver --> "C:\Program Files\WinAce\SXUNINST.EXE" "C:\Program Files\WinAce\SXUNINST.INI"
    Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
    ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
    Zoo Tycoon 2 --> "C:\Program Files\Microsoft Games\Zoo Tycoon 2\UNINSTAL.EXE" /runtemp /uninstall

    -- End of Deckard's System Scanner: finished at 2007-06-04 at 17:37:30
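The registry dump above is what the helper reads by eye: msconfig startupreg entries where rundll32 loads a randomly named DLL from system32 (CTDrive and Genuine, the two keys later removed through ComboFix), and XP firewall exceptions granted to win*.tmp.exe files living in Temp folders. Below is added triage code, not part of the thread or of Deckard's System Scanner; the sample log is a subset copied from the dump above, and the DLL allowlist and the parsing of the dump's layout are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed subset of the Deckard's System Scanner registry dump posted above.
DSS_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
"item"="drvjil"
"command"="rundll32.exe C:\\WINDOWS\\system32\\drvjil.dll,startup"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
"item"="vppjvwqk"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\vppjvwqk.dll\",realset"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"item"="NvCpl"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\DOCUME~1\\SEXYMA~1\\LOCALS~1\\Temp\\win3.tmp.exe"="C:\\DOCUME~1\\SEXYMA~1\\LOCALS~1\\Temp\\win3.tmp.exe:*:Enabled:win3.tmp"
"C:\\WINDOWS\\TEMP\\win39D.tmp.exe"="C:\\WINDOWS\\TEMP\\win39D.tmp.exe:*:Enabled:win39D.tmp"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"""

STARTUPREG = "\\msconfig\\startupreg\\"          # msconfig's store of disabled startup items
FIREWALL_LIST = "\\authorizedapplications\\list"  # XP SP2 firewall exception list
TEMP_DIRS = ("\\temp\\", "\\tmp\\")
# Assumed allowlist: rundll32 payloads belonging to software visible elsewhere in the log.
KNOWN_RUNDLL_TARGETS = {"nvcpl.dll"}
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)

def unescape(value):
    # Undo .reg-style escaping: a backslash makes the following character literal.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_registry_dump(text):
    # Yield (key, name, value) from the dump's [key] headers and "name"="value" lines.
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))

def triage(text):
    # Return [(entry, reason)] for dump entries that deserve a second look.
    findings, startup = [], {}
    for key, name, value in parse_registry_dump(text):
        low = key.lower()
        if low.endswith(FIREWALL_LIST):
            exe = value.split(":*:")[0].lower()  # "path:*:Enabled:label" -> path
            if any(d in exe for d in TEMP_DIRS):
                findings.append((name, "firewall exception for an executable in a Temp folder"))
        elif STARTUPREG in low:
            startup.setdefault(key.rsplit("\\", 1)[1], {})[name] = value
    for entry, vals in startup.items():
        m = RUNDLL_TARGET.search(vals.get("command", ""))
        if m and PureWindowsPath(m.group(1)).name.lower() not in KNOWN_RUNDLL_TARGETS:
            findings.append((entry, "rundll32 loads a DLL outside the allowlist: " + m.group(1)))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(DSS_LOG):
        print(f"{entry}: {reason}")
```

On the sample it reports the two Temp-folder firewall exceptions plus CTDrive and Genuine, and stays quiet about NvCplDaemon; on a full log the allowlist has to be grown with the vendor DLLs the machine legitimately uses.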
  • edited June 2007
    Hi melhoff13
    ZoneAlarm
    Good Work!

    Please do the following

    step#1
    Please download the PurityScan uninstaller. Double click on the OiUninstaller.exe icon on your desktop.
    Click on Run
    Enter the four digit code that is displayed and click on Uninstall
    Click on Ok and reboot your computer

    step#2
    Download combofix from one of these links:
    Link1
    Link2
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    step#3
    Please post
    combofix.log
  • edited June 2007
    Here is the ComboFix log... I had to attach the file because the site said I was not allowed to post links...
  • edited June 2007
    Hi melhoff13
    Excellent Work!
    Please do the following
    Please open Notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\WINDOWS\cbxusr.dll
    C:\WINDOWS\system32\kr_done1
    C:\WINDOWS\system32\smpi1
    C:\windows\system32\rdt37.sys
    C:\WINDOWS\system32\winpfz32.sys
    C:\windows\system32\windev-2bf9-1795.sys

    Folder::
    C:\VundoFix Backups

    Driver::
    Rdt37
    windev-2bf9-1795

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
    Save this as ComboFix-Do.txt
    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
    Combo-Do.gif

    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
  • edited June 2007
    Here is the new log.....

    I had to attach it again.....
  • edited June 2007
    Hi melhoff13
    Good Work!
    Everything is good now.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

    Watch what you download!
    Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others (which are amongst the most notorious), come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read this article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.
    Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
    IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klei.
    Happy surfing and stay clean!
  • edited June 2007
    Thank you for all of your help. Everything seems fine now. I will look into the programs you listed. I use some of them now, but I will pay more attention to HOW I use them in the future. Thanks for everything.

    Mark