Full Version: Acer Travelmat 2310 Very Slow And Ie Crashes
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
Mysons

Been trying to figure out what is causing my laptop to run very slow between applications and IE to crash as soon as it opens - Ran Spyware - ran anti-virus - found some threats but still the laptop runs extremely slow.

It runs perfectly in safe mode - Please analyse the log and advise if anything should be removed and whether any other troubleshooting can be done.

Thanks in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:06 AM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\ERNESTO\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 4886 bytes
HKEd
Hi Mysons...nothing malicious showing in the log.

Download Deckard's System Scanner to the desktop (the download link is in the centre, about 2/3rds of the way down the page). Run Dss.exe and post the log it generates.
Mysons
Hello HKED,

Thanks for your help and response.
I decided it was easier to reimage the laptop after I saved everything.
At press time, I'm up and running again. Much quicker than before.

Much appreciate your assistance as always !

Cheers!

Mysons
HKEd
QUOTE
I decided it was easier to reimage the laptop after I saved everything.


Smart move.

You're welcome for the help.
Mysons

Well, I spoke too soon.... After a reimage and reload of my Windows XP SP2 and updates..

The laptop now runs slow - can't get on the internet and that nasty AntiVirus 2009 came back -
How can that happen? The laptop was reimaged from scratch.... Now what....

Should I reimage again? I realized I have a drive D: which was not reimaged - Could it be that this
drive is full or has a virus or spyware? How can that Antivirus 2009 reappear? ..


Man.. I'm lost now... Any suggestions.. Please..

Cheers!!
HKEd
Download Malwarebytes Anti-Malware to the desktop.
    * Double-click on Download_mbam-setup.exe to install the application.
    * When the installation begins, follow the prompts and do not make any changes to default settings.
    * When installation has finished, make sure you leave both these checked:
        o Update Malwarebytes Anti-Malware
        o Launch Malwarebytes Anti-Malware
    * Then click Finish.
    * MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    * On the Scanner tab:
        o Make sure the "Perform Full Scan" option is selected.
        o Then click on the Scan button.
    * The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
    * The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    * When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    * Click OK to close the message box and continue with the removal process.
    * Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    * Make sure that everything is checked, and click Remove Selected.
    * When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    * The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    * Copy and paste the contents of that report in your next reply along with a fresh HijackThis log.
NB - If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.
Mysons
Ran MALWAREBYTES - Attached the log after the DSS Log -


Note: I can't seem to uninstall AVG8 (Free version). Somehow this Antivirus 2008 XP got in the mix and installed on the laptop - I can't uninstall it either - Might be a trend here...



Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-15 21:55:18
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 1 Restore Point(s) --
1: 2008-08-16 04:37:04 UTC - RP21 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 190 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:01 PM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Administrator\Desktop\My Bitcomet Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

O2 - BHO: (no name) - {1A75F101-126E-46A3-97B1-91A96D161C15} - C:\WINDOWS\system32\byXoOGvT.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A829E1FB-4530-46F5-AA35-6A2CA7708EC2} - C:\WINDOWS\system32\awtsQKdC.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: {bfe753be-d049-0dfa-bca4-3d6f6d3742bf} - {fb2473d6-f6d3-4acb-afd0-940deb357efb} - C:\WINDOWS\system32\vzlzbp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll vzlzbp.dll
O20 - Winlogon Notify: byXoOGvT - C:\WINDOWS\SYSTEM32\byXoOGvT.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 4115 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
S2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_1039&DEV_6330&SUBSYS_00821025&REV_00\4&13EB4D69&0&0008
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_1039&DEV_6330&SUBSYS_00821025&REV_00\4&13EB4D69&0&0008
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-08-14 11:54:55 392 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-07-15 and 2008-08-15 -----------------------------

2008-08-15 21:59:28 0 d-------- C:\Program Files\Trend Micro
2008-08-15 21:50:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-15 21:50:13 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 21:50:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 21:38:28 0 d-------- C:\WINDOWS\CSC
2008-08-15 20:58:44 94208 --a------ C:\WINDOWS\system32\pphc3k2j0ea6r.exe
2008-08-15 20:58:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r
2008-08-15 20:58:17 0 d-------- C:\Program Files\rhc7k2j0ea6r
2008-08-15 20:47:13 107008 --a------ C:\WINDOWS\system32\vzlzbp.dll
2008-08-15 20:47:10 107008 --a------ C:\WINDOWS\system32\ercjamul.dll
2008-08-15 20:44:11 84480 --a------ C:\WINDOWS\system32\amdlmlfs.dll
2008-08-15 20:41:27 70144 --a------ C:\WINDOWS\system32\blphc3k2j0ea6r.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-08-15 20:41:11 145408 --a------ C:\WINDOWS\system32\lphc3k2j0ea6r.exe
2008-08-15 20:35:13 92672 --a------ C:\WINDOWS\system32\kvhxahhy.dll
2008-08-15 19:29:16 0 d-------- C:\Program Files\CONEXANT
2008-08-15 19:29:10 0 d-------- C:\Program Files\Atheros
2008-08-15 14:47:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-08-15 13:14:58 0 d-------- C:\Program Files\Citrix
2008-08-14 18:34:05 0 d-------- C:\Program Files\Atheros(2)
2008-08-14 17:51:58 0 d-------- C:\Documents and Settings\Administrator\UserData
2008-08-14 16:59:24 0 d-------- C:\WINDOWS\pss
2008-08-14 15:26:51 545094 --ahs---- C:\WINDOWS\system32\CdKQstwa.ini2
2008-08-14 15:26:41 251392 --a------ C:\WINDOWS\system32\awtsQKdC.dll
2008-08-14 15:22:08 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-08-14 15:21:17 38912 --a------ C:\WINDOWS\system32\qoMccDtU.dll
2008-08-14 15:21:10 38912 --a------ C:\WINDOWS\system32\byXoOGvT.dll
2008-08-14 15:16:25 0 d-------- C:\Downloads
2008-08-14 15:07:29 0 d-------- C:\Program Files\BitComet
2008-08-14 15:06:32 36864 --a------ C:\WINDOWS\system32\acs.exe
2008-08-14 15:06:13 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
2008-08-14 15:06:02 192512 --a------ C:\WINDOWS\system32\AegisI5.exe <Not Verified; ; AegisInstall Application>
2008-08-14 15:06:01 217088 --a------ C:\WINDOWS\system32\wgapi.dll <Not Verified; Atheros; Atheros GUI API Library>
2008-08-14 15:06:01 229376 --a------ C:\WINDOWS\system32\wcapi.dll <Not Verified; Atheros; Atheros Client API Library>
2008-08-14 15:06:01 73728 --a------ C:\WINDOWS\system32\athcfg11res.dll <Not Verified; Atheros Communications, Inc.; Atheros Configuration API Res Dynamic Link Library>
2008-08-14 15:06:01 356352 --a------ C:\WINDOWS\system32\athcfg11.dll <Not Verified; Atheros; Atheros Configuration API Dynamic Link Library>
2008-08-14 15:06:01 1396830 --a------ C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2008-08-14 14:54:41 0 d-------- C:\temp
2008-08-14 12:35:48 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 12:35:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-08-14 12:35:33 0 d-------- C:\Program Files\AVG
2008-08-14 12:35:31 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 12:18:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-08-14 12:15:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-08-14 12:15:27 0 d-------- C:\Program Files\Nero
2008-08-14 12:15:27 0 d-------- C:\Program Files\Common Files\Ahead
2008-08-14 12:05:41 0 d-------- C:\Program Files\Google
2008-08-14 12:03:11 0 d-------- C:\Program Files\CyberLink
2008-08-14 11:55:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-08-14 11:55:22 0 d-------- C:\Program Files\Lavasoft
2008-08-14 11:54:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-08-14 11:54:29 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-14 11:54:20 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-14 11:53:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-14 11:50:54 0 d-------- C:\Program Files\Realtek Sound Manager
2008-08-14 11:50:52 0 d-------- C:\Program Files\AvRack
2008-08-14 11:50:47 1240 -----n--- C:\WINDOWS\system32\drivers\alcxinit.dat
2008-08-14 11:50:40 192512 -----n--- C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-08-14 11:49:34 0 d-------- C:\Program Files\Phoenix Technologies Ltd
2008-08-14 11:49:28 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-08-14 11:48:37 0 d-------- C:\WINDOWS\SiS
2008-08-14 11:48:36 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-08-14 11:43:54 40960 -----n--- C:\WINDOWS\system32\ChCfg.exe
2008-08-14 11:42:47 0 d-------- C:\Program Files\Realtek AC97
2008-08-14 11:42:39 294912 -----n--- C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-08-14 11:42:39 200704 -----n--- C:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing driver Tool>
2008-08-14 11:42:39 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-14 11:42:18 0 d-------- C:\Program Files\Common Files\InstallShield
2008-08-14 11:18:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-08-14 11:17:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-08-14 11:17:05 0 d-------- C:\Program Files\Common Files\Adobe
2008-08-14 11:14:58 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-08-14 11:14:37 0 d-------- C:\Program Files\Codec Pack - All In 1
2008-08-14 11:12:41 0 d-------- C:\Program Files\Microsoft.NET
2008-08-14 11:12:26 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-08-14 11:11:17 0 d-------- C:\WINDOWS\SHELLNEW
2008-08-14 11:06:53 0 dr-h----- C:\MSOCache
2008-08-14 11:02:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-08-14 11:02:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-08-14 11:02:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-14 11:02:02 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-14 11:02:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-08-14 11:02:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-14 11:02:02 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-08-14 11:02:02 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-14 11:02:02 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-08-14 11:02:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-08-14 11:02:02 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-08-14 11:02:02 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-14 11:02:01 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-08-14 11:02:01 1048576 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-14 11:01:49 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-08-14 11:01:48 0 d-------- C:\WINDOWS\Prefetch
2008-08-14 11:01:47 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-08-14 11:01:46 229376 --a------ C:\Documents and Settings\LocalService\NTUSER.DAT
2008-08-14 11:01:46 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-08-14 11:01:46 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-08-14 11:01:46 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-08-14 11:01:46 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-08-14 11:00:45 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-08-14 11:00:45 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-08-14 11:00:45 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-08-14 11:00:45 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-08-14 11:00:44 225280 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-08-14 10:55:08 0 d-------- C:\WINDOWS\system32\xircom
2008-08-14 10:55:08 0 d-------- C:\Program Files\microsoft frontpage
2008-08-14 10:54:48 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-08-14 10:54:33 0 -rahs---- C:\MSDOS.SYS
2008-08-14 10:54:33 0 -rahs---- C:\IO.SYS
2008-08-14 10:54:33 0 --a------ C:\CONFIG.SYS
2008-08-14 10:54:33 0 --a------ C:\AUTOEXEC.BAT
2008-08-14 10:52:50 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-08-14 10:52:32 0 dr------- C:\WINDOWS\Offline Web Pages
2008-08-14 10:52:32 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-08-14 10:52:15 0 d--h----- C:\Program Files\WindowsUpdate
2008-08-14 10:51:47 0 d-------- C:\WINDOWS\system32\DirectX
2008-08-14 10:51:14 0 d---s---- C:\WINDOWS\Tasks
2008-08-14 10:51:13 0 d-------- C:\Program Files\Common Files\MSSoap
2008-08-14 10:51:10 0 d-------- C:\WINDOWS\srchasst
2008-08-14 10:51:09 0 d-------- C:\WINDOWS\system32\Macromed
2008-08-14 10:51:01 0 d-------- C:\Program Files\Movie Maker
2008-08-14 10:50:54 0 d-------- C:\WINDOWS\system32\Restore
2008-08-14 10:49:57 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-08-14 10:49:34 0 d-------- C:\WINDOWS\Registration
2008-08-14 10:49:22 0 d-------- C:\Program Files\Online Services
2008-08-14 10:49:13 0 d-------- C:\Program Files\Messenger
2008-08-14 10:49:09 0 d-------- C:\Program Files\MSN Gaming Zone
2008-08-14 10:48:32 0 d-------- C:\Program Files\Windows NT
2008-08-14 10:48:29 0 d-------- C:\WINDOWS\system32\MsDtc
2008-08-14 10:48:27 0 d-------- C:\WINDOWS\system32\Com
2008-08-14 03:41:15 0 d--hs---- C:\WINDOWS\Installer
2008-08-14 03:41:14 0 d-------- C:\Program Files\Common Files\ODBC
2008-08-14 03:41:10 0 dr------- C:\Program Files
2008-08-14 03:41:10 0 d-------- C:\Program Files\Common Files
2008-08-14 03:41:10 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-08-14 03:40:39 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-08-14 03:40:39 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-08-14 03:40:39 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-08-14 03:40:39 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-08-14 03:40:39 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-08-14 03:40:39 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-08-14 03:40:39 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-08-14 03:40:39 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-08-14 03:40:39 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-08-14 03:40:39 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-08-14 03:40:39 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-08-14 03:40:39 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-08-14 03:40:39 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-08-14 03:40:39 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-08-14 03:40:39 0 dr------- C:\Documents and Settings\All Users\Documents
2008-08-14 03:40:39 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-08-14 03:40:25 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-08-14 03:40:25 0 d-------- C:\WINDOWS\system32\CatRoot
2008-08-14 03:40:19 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-08-14 03:40:19 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-08-14 03:40:19 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-08-14 03:40:19 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-08-14 03:39:50 0 d--hs---- C:\System Volume Information
2008-08-14 03:39:50 0 d-------- C:\Documents and Settings
2008-08-14 03:34:34 0 d-------- C:\WINDOWS
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\WinSxS
2008-08-14 03:34:34 0 dr------- C:\WINDOWS\Web
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\twain_32
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\wins
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\wbem
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\usmt
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\spool
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\ShellExt
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\Setup
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\ras
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\oobe
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\npp
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\mui
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\inetsrv
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\IME
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\icsxml
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\ias
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\export
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\drivers
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-08-14 03:34:34 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\dhcp
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\config
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\3076
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\2052
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\1054
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\1042
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\1041
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\1037
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\1033
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\1031
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\1028
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system32\1025
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\system
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\security
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\Resources
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\repair
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\Provisioning
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\PeerNet
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\pchealth
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\mui
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\msapps
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\msagent
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\Media
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\java
2008-08-14 03:34:34 0 d--h----- C:\WINDOWS\inf
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\ime
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\Help
2008-08-14 03:34:34 0 dr--s---- C:\WINDOWS\Fonts
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\ehome
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\Driver Cache
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\Debug
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\Cursors
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\Connection Wizard
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\Config
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\AppPatch
2008-08-14 03:34:34 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-08-14 03:40:39 62 --ahs---- C:\Documents and Settings\Administrator\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A75F101-126E-46A3-97B1-91A96D161C15}]
08/14/2008 03:21 PM 38912 --a------ C:\WINDOWS\system32\byXoOGvT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
08/14/2008 12:35 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A829E1FB-4530-46F5-AA35-6A2CA7708EC2}]
08/14/2008 03:26 PM 251392 --a------ C:\WINDOWS\system32\awtsQKdC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fb2473d6-f6d3-4acb-afd0-940deb357efb}]
08/15/2008 08:47 PM 107008 --a------ C:\WINDOWS\system32\vzlzbp.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [08/14/2008 12:35 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/03/2004 06:07 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1A75F101-126E-46A3-97B1-91A96D161C15}"= C:\WINDOWS\system32\byXoOGvT.dll [08/14/2008 03:21 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXoOGvT]
byXoOGvT.dll 08/14/2008 03:21 PM 38912 C:\WINDOWS\system32\byXoOGvT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll vzlzbp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtsQKdC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
"C:\Program Files\Atheros\ACU.exe" -nogui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b455039f]
rundll32.exe "C:\WINDOWS\system32\amdlmlfs.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMb7663003]
Rundll32.exe "C:\WINDOWS\system32\kvhxahhy.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc3k2j0ea6r]
C:\WINDOWS\system32\lphc3k2j0ea6r.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhc7k2j0ea6r]
C:\Program Files\rhc7k2j0ea6r\rhc7k2j0ea6r.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - MBAMSWISSARMY
*Newly Created Service* - PARPORT



-- End of Deckard's System Scanner: finished at 2008-08-15 22:03:36 ------------




Malwarebytes' Anti-Malware 1.24
Database version: 1056
Windows 5.1.2600 Service Pack 2

10:30:11 PM 8/15/2008
mbam-log-8-15-2008 (22-30-11).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 61596
Time elapsed: 32 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 19
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 13
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtsQKdC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vzlzbp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\byXoOGvT.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a829e1fb-4530-46f5-aa35-6a2ca7708ec2} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a829e1fb-4530-46f5-aa35-6a2ca7708ec2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fb2473d6-f6d3-4acb-afd0-940deb357efb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fb2473d6-f6d3-4acb-afd0-940deb357efb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1a75f101-126e-46a3-97b1-91a96d161c15} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1a75f101-126e-46a3-97b1-91a96d161c15} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc7k2j0ea6r (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc7k2j0ea6r (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxoogvt (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1a75f101-126e-46a3-97b1-91a96d161c15} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtsqkdc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtsqkdc -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\rhc7k2j0ea6r (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\awtsQKdC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\CdKQstwa.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\CdKQstwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vzlzbp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\amdlmlfs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sflmldma.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXoOGvT.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\ercjamul.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kvhxahhy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\rhc7k2j0ea6r\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7k2j0ea6r\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7k2j0ea6r\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7k2j0ea6r\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7k2j0ea6r\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7k2j0ea6r\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7k2j0ea6r\rhc7k2j0ea6r.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7k2j0ea6r\rhc7k2j0ea6r.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7k2j0ea6r\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMccDtU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMb7663003.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMb7663003.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc3k2j0ea6r.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc3k2j0ea6r.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc3k2j0ea6r.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphc3k2j0ea6r.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
HKEd
That's a badly infected computer. MBAM didn't remove all of the malware files, so we'll finish it manually.

You also disabled some malware startups using Msconfig. Best not to in future as it makes the cleanup more difficult.

Run HijackThis and click on 'Do a system scan only'. Put checks in the boxes next to these lines:

O2 - BHO: (no name) - {1A75F101-126E-46A3-97B1-91A96D161C15} - C:\WINDOWS\system32\byXoOGvT.dll

O2 - BHO: (no name) - {A829E1FB-4530-46F5-AA35-6A2CA7708EC2} - C:\WINDOWS\system32\awtsQKdC.dll

O2 - BHO: {bfe753be-d049-0dfa-bca4-3d6f6d3742bf} - {fb2473d6-f6d3-4acb-afd0-940deb357efb} - C:\WINDOWS\system32\vzlzbp.dll

O20 - AppInit_DLLs: avgrsstx.dll vzlzbp.dll

O20 - Winlogon Notify: byXoOGvT - C:\WINDOWS\SYSTEM32\byXoOGvT.dll


Click on 'Fix checked' and exit HijackThis.

Download The Avenger and unzip it to the desktop. Run Avenger.exe and copy/paste the contents of the Code box below to the section under 'Input script here':

CODE
Files to delete:
C:\WINDOWS\system32\pphc3k2j0ea6r.exe
C:\WINDOWS\system32\vzlzbp.dll
C:\WINDOWS\system32\ercjamul.dll
C:\WINDOWS\system32\amdlmlfs.dll
C:\WINDOWS\system32\blphc3k2j0ea6r.scr
C:\WINDOWS\system32\lphc3k2j0ea6r.exe
C:\WINDOWS\system32\kvhxahhy.dll
C:\WINDOWS\system32\CdKQstwa.ini2
C:\WINDOWS\system32\awtsQKdC.dll
C:\WINDOWS\system32\qoMccDtU.dll
C:\WINDOWS\system32\byXoOGvT.dll

Folders to delete:
C:\Documents and Settings\Administrator\Application Data\rhc7k2j0ea6r
C:\Program Files\rhc7k2j0ea6r


Click on Execute and reboot when prompted.

Post the Avenger log (C:\Avenger.txt) and a fresh Deckard's log.