Malware Removal Virtumonde Virus



Anya_Iris
2008-12-05, 07:21
Spybot's able to find the registry changes and identify the virus itself as Virtumonde, but seems unable to remove it. I need


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:48 AM, on 12/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Documents and Settings\Ayona Simmons\Application Data\gadcom\gadcom.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://firefox.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [XP Antispyware 2009] "C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe" /hide
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\ers_startupmon.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\dc6_startupmon.exe"
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [001bd995] rundll32.exe "C:\WINDOWS\system32\wslympms.dll",b
O4 - HKLM\..\RunOnce: [symPCCheckup] "C:\WINDOWS\system32\Adobe\Shockwave 11\symcheckupstub.exe" /reboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [DefaultNurb] C:\DOCUME~1\AYONAS~1\APPLIC~1\PROXYP~1\Settingspollpoke.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Ayona Simmons\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O20 - AppInit_DLLs: karna.dat aivjed.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9722 bytes
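The HijackThis log above records each browser setting, autostart and loading point as a prefixed line (R1, O3, O4, O20 and so on), and the helper's job is to read those lines for entries that should not be there. As an added example (not a tool from this thread, from Spybot or from Trend Micro), the following Python script parses a handful of those lines, copied here as a constructed sample, and applies the triage heuristics a helper applies by eye: AppInit_DLLs set, orphaned entries, autostarts running from a user's Application Data, rundll32-launched DLLs, machine-generated value names, and ActiveX installers from third-party hosts. The allow-list of trusted O16 hosts is an assumption.

```python
"""Triage the loading-point lines of a HijackThis log (added example, not a forum tool).

Output is a list of lines to review with the reason each was flagged; it is a
reading aid for a helper, not a removal list.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [001bd995] rundll32.exe "C:\WINDOWS\system32\wslympms.dll",b
O4 - HKCU\..\Run: [DefaultNurb] C:\DOCUME~1\AYONAS~1\APPLIC~1\PROXYP~1\Settingspollpoke.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Ayona Simmons\Application Data\gadcom\gadcom.exe" 61A847B5
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O20 - AppInit_DLLs: karna.dat aivjed.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# O4 body: HIVE\..\Run: [value name] command
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'([^\s"]+\.dll)"?,(\S*)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
PROFILE_DATA_RE = re.compile(r"\\(?:Application Data|APPLIC~1)\\", re.IGNORECASE)
# Assumption: hosts from which an O16 ActiveX download is considered expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section prefix, e.g. "O4"
    reason: str  # why a helper would look at this line
    line: str    # the original log line


def parse_lines(text):
    """Yield (kind, body, line) for every HijackThis loading-point line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def check_o4(body):
    """Heuristics for Run-key autostarts; returns a list of reasons (possibly empty)."""
    reasons = []
    m = O4_RE.match(body)
    if not m:
        return reasons  # "Global Startup:" lines are not covered by this example
    name, cmd = m.group("name"), m.group("cmd")
    if HEX_NAME_RE.match(name):
        reasons.append("value name looks machine-generated")
    if "rundll32" in cmd.lower():
        dm = RUNDLL_RE.search(cmd)
        if dm:
            dll, export = dm.groups()
            reasons.append(f"rundll32 loads {dll} via export '{export}'; verify the DLL's publisher")
    if PROFILE_DATA_RE.search(cmd):
        reasons.append("autostart runs from a user-profile data directory")
    return reasons


def _trusted_host(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def check_o16(body):
    """Flag ActiveX (DPF) installers fetched from hosts outside the allow-list."""
    url = body.rsplit(" - ", 1)[-1]
    host = urlparse(url).hostname or ""
    if url.lower().startswith("http") and not _trusted_host(host):
        return [f"ActiveX installer downloaded from third-party host {host}"]
    return []


def check_o20(body):
    """AppInit_DLLs is loaded into every process that maps user32.dll; it is rarely legitimate."""
    if body.lower().startswith("appinit_dlls:") and body.split(":", 1)[1].strip():
        return ["AppInit_DLLs is set; listed DLLs load into every process that uses user32.dll"]
    return []


def triage(text):
    findings = []
    for kind, body, line in parse_lines(text):
        reasons = []
        if kind in ("O3", "O9") and "(no file)" in body:
            reasons.append("orphaned entry pointing at a missing file")
        elif kind == "O4":
            reasons = check_o4(body)
        elif kind == "O16":
            reasons = check_o16(body)
        elif kind == "O20":
            reasons = check_o20(body)
        findings.extend(Finding(kind, r, line) for r in reasons)
    return findings


def count_by_kind(findings):
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```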

katana
2008-12-07, 17:54
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------



REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

ares

Please read the Guidelines for P2P Programs (http://forums.spybot.info/showpost.php?p=218503&postcount=4) where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post the log from ComboFix when you've accomplished that.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Combofix Log
MalwareBytes Log
How are things running now ?

Anya_Iris
2008-12-08, 02:46
One of the steps in running ComboFix is: "You should now install the Windows Recovery Console." and it gives the following directions

"If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions: "

in which it gives this link http://support.microsoft.com/kb/310994

However, the instructions given by said link require the user to be able to "start your computer from a floppy disk drive."

However, I don't have a floppy disk drive because I use a laptop. Will this alter my result?

Anya_Iris
2008-12-08, 05:00
Thank you for your response. I really appreciate you taking the time to help me Katana. Here is the information you requested.

* Combofix Log


ComboFix 08-12-06.06 - Ayona Simmons 2008-12-07 9:27:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.190 [GMT -5:00]
Running from: c:\documents and settings\Ayona Simmons\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ayona Simmons\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Ayona Simmons\Application Data\gadcom
c:\documents and settings\Ayona Simmons\Application Data\gadcom\gadcom.exe
c:\documents and settings\Ayona Simmons\Application Data\gadcom\gadcom.exe5a
c:\documents and settings\Ayona Simmons\Application Data\GetModule
c:\documents and settings\Ayona Simmons\Application Data\GetModule\dicik.gz
c:\documents and settings\Ayona Simmons\Application Data\GetModule\kwdik.gz
c:\documents and settings\Ayona Simmons\Application Data\GetModule\ofadik.gz
c:\documents and settings\Ayona Simmons\Cookies\avupuluv.bat
c:\documents and settings\Ayona Simmons\Cookies\nako._sy
c:\documents and settings\Ayona Simmons\Cookies\ypebym.dat
c:\documents and settings\Ayona Simmons\Cookies\ytaz.sys
c:\documents and settings\Ayona Simmons\err.log
c:\documents and settings\Ayona Simmons\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\GetModule\GetModule30.exe
c:\program files\GetModule\GetModule31.exe
c:\windows\aycffe.ini
c:\windows\ijjmpo.ini
c:\windows\lmlonn.ini
c:\windows\ppqqpo.ini
c:\windows\system32\~.exe
c:\windows\system32\aivjed.dll
c:\windows\system32\bubwksae.dll
c:\windows\system32\cksbww.dll
c:\windows\system32\easkwbub.ini
c:\windows\system32\hvxukwqn.dll
c:\windows\system32\ieajriiq.ini
c:\windows\system32\khfETkJc.dll
c:\windows\system32\KRAbHRqr.ini
c:\windows\system32\KRAbHRqr.ini2
c:\windows\system32\lzdjba.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mzimhv.dll
c:\windows\system32\nqwkuxvh.ini
c:\windows\system32\qaxrok.dll
c:\windows\system32\rqRHbARK.dll
c:\windows\system32\rqRHbARK.dll_old
c:\windows\system32\sbehbyxr.dll
c:\windows\system32\smpmylsw.ini
c:\windows\system32\thkyvxyl.dll
c:\windows\system32\tlzmssgatwnnoufgh.dll
c:\windows\system32\tmp1A1.tmp.dll
c:\windows\system32\tmpC5.tmp.dll
c:\windows\system32\uoxlymlc.dll
c:\windows\system32\urqPHaAQ.dll
c:\windows\system32\viucgaby.dll
c:\windows\system32\wpv161228549770.cpx
c:\windows\system32\wpv581228549885.cpx
c:\windows\system32\yxbvymxn.dll
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://www.spiralfrog.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 11:07 . 2008-12-07 18:46 102,176 --a------ c:\windows\system32\cont_globaladsolution-remove.exe
2008-12-07 11:06 . 2008-12-07 11:06 <DIR> d-------- c:\program files\GrandPack
2008-12-07 11:06 . 2008-12-07 11:06 47,596 --a------ c:\windows\system32\qvnuiewldd.exe
2008-12-07 10:53 . 2008-12-07 10:53 34,816 --a------ c:\windows\system32\geBuUkhi.dll
2008-12-06 11:05 . 2008-12-06 11:05 34,816 --a------ c:\windows\system32\nnnlkHbb.dll
2008-12-05 01:08 . 2008-12-05 01:08 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 12:34 . 2008-12-02 12:34 672,768 --a------ c:\windows\system32\nsn3F5.dll
2008-11-24 23:32 . 2008-11-24 23:32 <DIR> d-------- c:\program files\EA GAMES
2008-11-21 16:47 . 2008-11-24 23:18 445,504 --a------ c:\windows\system32\vp6vfw.dll
2008-11-20 22:57 . 2008-10-03 12:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-20 22:57 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-20 22:57 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-20 22:57 . 2008-08-26 02:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-20 22:57 . 2008-08-26 02:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-20 22:57 . 2008-08-26 02:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-20 22:57 . 2008-08-26 02:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-20 22:57 . 2008-08-26 02:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-20 22:57 . 2008-08-25 03:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-20 21:56 . 2008-11-20 21:57 <DIR> d-------- c:\windows\system32\Adobe
2008-11-12 19:30 . 2008-11-12 19:30 335 --a------ c:\windows\mozregistry.dat
2008-11-12 16:54 . 2008-11-12 16:54 13,203 --a------ c:\windows\system32\ywawy.dat
2008-11-12 16:54 . 2008-11-12 16:54 10,948 --a------ c:\windows\qonigabur.db
2008-11-11 20:12 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:12 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 03:22 --------- d-----w c:\program files\SpiralFrog
2008-12-05 05:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-21 08:21 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-21 08:12 --------- d-----w c:\program files\Microsoft Works
2008-11-21 01:58 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 21:13 8,864 ----a-w c:\windows\system32\drivers\CDAC15BA.SYS
2008-10-24 21:13 39,936 ----a-w c:\windows\system32\drivers\CDAC11BA.EXE
2008-10-24 21:13 30,720 ---h--r c:\windows\CdaC13BA.EXE
2008-10-24 21:13 112,128 ---h--r c:\windows\CdaC14BA.DLL
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 06:50 39,424 ----a-w c:\documents and settings\Ayona Simmons\xrt_ksfe.exe
2008-10-20 01:44 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-20 01:37 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-10-20 01:37 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-19 22:05 --------- d-----w c:\program files\Windows Installer Clean Up
2008-10-19 21:46 --------- d-----w c:\program files\Symantec
2008-10-19 21:46 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-19 21:46 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-19 21:45 --------- d-----w c:\program files\Windows Defender
2008-10-19 21:44 --------- d-----w c:\program files\LimeWire
2008-10-19 21:44 --------- d-----w c:\program files\iMesh Applications
2008-10-19 05:12 --------- d-----w c:\program files\MSECACHE
2008-10-18 08:48 --------- d-----w c:\program files\DivX
2008-10-18 07:38 --------- d-----w c:\program files\2Wire
2008-10-18 07:19 --------- d-----w c:\program files\Azada
2008-10-18 07:11 --------- d-----w c:\program files\AIMTunes
2008-10-18 07:11 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-10-18 07:11 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-18 07:09 --------- d-----w c:\program files\Shockwave.com
2008-10-18 07:05 --------- d-----w c:\program files\Viewpoint
2008-10-18 07:05 --------- d-----w c:\program files\Indiana University
2008-10-18 07:05 --------- d-----w c:\documents and settings\Ayona Simmons\Application Data\Viewpoint
2008-10-18 07:05 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-10-18 07:04 --------- d-----w c:\program files\Real
2008-10-18 07:04 --------- d-----w c:\program files\Lavasoft
2008-10-18 07:04 --------- d-----w c:\program files\Common Files\AOL
2008-10-18 07:04 --------- d-----w c:\program files\Apple Software Update
2008-10-18 07:04 --------- d-----w c:\documents and settings\Ayona Simmons\Application Data\Lavasoft
2008-10-18 07:04 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-18 06:57 --------- d-----w c:\program files\Veoh Networks(2)
2008-10-18 06:21 --------- d-----w c:\program files\Veoh Networks(3)
2008-10-18 02:52 --------- d--h--w c:\documents and settings\Ayona Simmons\Application Data\Move Networks
2008-10-15 05:50 --------- d-----w c:\documents and settings\All Users\Application Data\391A5
2008-10-14 23:59 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-14 23:16 --------- d-----w c:\documents and settings\All Users\Application Data\Gogii
2008-10-14 16:40 --------- d-----w c:\documents and settings\All Users\Application Data\222CE
2008-10-13 02:40 --------- d-----w c:\documents and settings\All Users\Application Data\1C19A
2008-09-27 19:31 1,044 -c--a-w c:\documents and settings\Ayona Simmons\Application Data\wklnhst.dat
2008-08-27 06:35 0 -c--a-w c:\program files\temp01
2007-07-20 05:50 378 -c--a-w c:\documents and settings\LocalService\Application Data\internaldb1942.dat
2007-07-20 05:33 20,480 -c--a-w c:\documents and settings\LocalService\Application Data\internaldb6296.dat
2007-07-20 05:33 151 -c--a-w c:\documents and settings\LocalService\Application Data\internaldb2583.dat
2007-07-20 05:33 13,046 -c--a-w c:\documents and settings\LocalService\Application Data\internaldb440.dat
2007-07-20 05:33 0 -c--a-w c:\documents and settings\LocalService\Application Data\internaldb3435.dat
2007-07-20 05:30 0 -c--a-w c:\documents and settings\LocalService\Application Data\internaldb9438.dat
2007-07-20 05:30 0 -c--a-w c:\documents and settings\LocalService\Application Data\internaldb7968.dat
2007-07-20 05:30 0 -c--a-w c:\documents and settings\LocalService\Application Data\internaldb3924.dat
2007-07-20 05:30 0 -c--a-w c:\documents and settings\LocalService\Application Data\internaldb1018.dat
2006-11-15 10:11 0 -c--a-w c:\program files\Common Files\err.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{305ebde7-96ac-4e8c-4395-ce84ce7e1e75}]
2008-12-02 12:34 672768 --a------ c:\windows\system32\nsn3F5.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84BA8988-33E1-4c89-A150-BF428E8D3213}]
2008-12-05 14:16 133120 --a------ c:\program files\GrandPack\GrandPack.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 53248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2007-10-15 163128]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-07 176128]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 671744]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-12-27 c:\windows\system32\TDispVol.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 c:\windows\system32\TCtrlIOHook.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"symPCCheckup"="c:\windows\system32\Adobe\Shockwave 11\symcheckupstub.exe" [2008-11-20 234872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"Appinit_dlls"=karna.dat lzdjba.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-25 24652]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2005-12-29 26488]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2008-10-20 c:\windows\Tasks\B19A4DD2933DC162.job
- c:\docume~1\ayonas~1\applic~1\proxyp~1\Rdr start dent.exe []

2008-12-08 c:\windows\Tasks\Norton PC Checkup Setup.job
- c:\windows\system32\Adobe\Shockwave 11\symcheckupstub.exe [2008-11-20 21:57]

2008-10-20 c:\windows\Tasks\User_Feed_Synchronization-{7BC18AE3-BFDC-4CD6-A6D1-339D22AE873B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0706b1b2-2a34-42b9-9d22-fc74f9ffd1ba} - c:\windows\system32\lzdjba.dll
BHO-{7279BCCF-D8BC-D53C-69C5-4DE7944779DD} - c:\windows\system32\tlzmssgatwnnoufgh.dll
BHO-{D4CB0491-75AC-48C4-8C74-084EEAF07254} - c:\windows\system32\rqRHbARK.dll
HKCU-Run-DefaultNurb - c:\docume~1\AYONAS~1\APPLIC~1\PROXYP~1\Settingspollpoke.exe
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKCU-Run-GetModule30 - c:\program files\GetModule\GetModule30.exe
HKCU-Run-GetModule31 - c:\program files\GetModule\GetModule31.exe
HKLM-Run-XP Antispyware 2009 - c:\program files\XP_AntiSpyware\XP_AntiSpyware.exe
HKLM-Run-ERS_check - c:\program files\Common Files\ers_startupmon.exe
Notify-mousifs - mousifs.dll
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://firefox.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search - ?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Ayona Simmons\Application Data\Mozilla\Firefox\Profiles\du5fuf7f.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\GoBit Games\BrowserPlugin\npgobitgamesplugin.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 09:39:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\dllhost.exe
c:\windows\system32\imapi.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\ApntEx.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-12-07 21:46:35 - machine was rebooted [Ayona Simmons]
ComboFix-quarantined-files.txt 2008-12-08 02:45:52

Pre-Run: 42,511,822,848 bytes free
Post-Run: 43,775,086,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

321 --- E O F --- 2008-11-21 08:21:54


* MalwareBytes Log

Malwarebytes' Anti-Malware 1.31
Database version: 1472
Windows 5.1.2600 Service Pack 3

12/7/2008 10:49:36 PM
mbam-log-2008-12-07 (22-49-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 141589
Time elapsed: 51 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 72

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\nsglobaladsolution.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\ieobject.ieobjectobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ieobject.ieobjectobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0b0a76e7-ade1-41f4-b157-559605721b3a} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{50da37bb-7083-4fa7-80cf-de4cdb634166} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cont_globaladsolution (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{305ebde7-96ac-4e8c-4395-ce84ce7e1e75} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{305ebde7-96ac-4e8c-4395-ce84ce7e1e75} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Ayona Simmons\Application Data\gadcom\gadcom.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Ayona Simmons\Application Data\gadcom\gadcom.exe5a.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\aivjed.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bubwksae.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cksbww.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hvxukwqn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\khfETkJc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lzdjba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mzimhv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qaxrok.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRHbARK.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRHbARK.dll_old.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sbehbyxr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\thkyvxyl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\uoxlymlc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\urqPHaAQ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\viucgaby.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yxbvymxn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP45\A0043480.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP46\A0047472.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP46\A0050482.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP46\A0050484.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP46\A0052477.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052538.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052539.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052540.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052556.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052557.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052562.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052565.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052582.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052583.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052584.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0052563.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0054584.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP47\A0054727.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP48\A0055741.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP48\A0055752.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP48\A0055753.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP48\A0055754.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP48\A0055763.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP48\A0055773.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP48\A0055774.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP48\A0055775.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP49\A0057789.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP49\A0057774.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP49\A0057775.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP49\A0057791.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP49\A0058791.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058945.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058930.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058938.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058939.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058940.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058942.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058944.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058946.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058948.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058949.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058950.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058952.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058954.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058955.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058956.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP50\A0058957.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkjk.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cont_globaladsolution-remove.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\nsglobaladsolution.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\geBuUkhi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnlkHbb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ayona Simmons\xrt_ksfe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nsn3F5.dll (Adware.BHO) -> Quarantined and deleted successfully.



* How are things running now?


Everything seems to be running well.

katana
2008-12-08, 15:14
Step 1

Upload a File
Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

c:\windows\system32\qvnuiewldd.exe
c:\windows\mozregistry.dat
c:\windows\system32\ywawy.dat
c:\windows\qonigabur.db
c:\documents and settings\LocalService\Application Data\internaldb1942.dat

Go to spykiller (http://thespykiller.co.uk/index.php?board=1.0)

Please start a new thread Titled File/s for Katana and give the following information
Name:-- Your name
E-mail:-- Your E-mail (this is confidential and will not be displayed)
Subject:-- File for Katana

In the main text window please put the following link

http://forums.spybot.info/showthread.php?p=264153#post264153
you may also add any comments you wish
then press attach and upload the zip/cab file that was created.

Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files

You can now delete SFP (exe and Zip) along with the .cab file that was created

----------------------------------------------------------- -----------------------------------------------------------
Step 2


Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



DirLook::
c:\documents and settings\All Users\Application Data\391A5
c:\documents and settings\All Users\Application Data\Gogii
c:\documents and settings\All Users\Application Data\222CE
c:\documents and settings\All Users\Application Data\1C19A
c:\program files\temp01
File::
c:\windows\Tasks\B19A4DD2933DC162.job
c:\windows\Tasks\Norton PC Checkup Setup.job
c:\windows\system32\qvnuiewldd.exe
c:\windows\mozregistry.dat
c:\windows\system32\ywawy.dat
c:\windows\qonigabur.db
c:\documents and settings\LocalService\Application Data\internaldb1942.dat
c:\documents and settings\LocalService\Application Data\internaldb6296.dat
c:\documents and settings\LocalService\Application Data\internaldb2583.dat
c:\documents and settings\LocalService\Application Data\internaldb440.dat
c:\documents and settings\LocalService\Application Data\internaldb3435.dat
c:\documents and settings\LocalService\Application Data\internaldb9438.dat
c:\documents and settings\LocalService\Application Data\internaldb7968.dat
c:\documents and settings\LocalService\Application Data\internaldb3924.dat
c:\documents and settings\LocalService\Application Data\internaldb1018.dat
Folder::
C:\Program Files\Ares
c:\program files\GrandPack
c:\Program Files\LimeWire
c:\Program Files\iMesh Applications
Driver::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84BA8988-33E1-4c89-A150-BF428E8D3213}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"symPCCheckup"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-


ADS::
Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

----------------------------------------------------------- -----------------------------------------------------------
Step 3

Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Link to your SpyKiller Topic
Combofix Log
Kaspersky Log
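Before a CFScript like the one in Step 2 is dragged onto ComboFix, it is worth listing exactly what it asks the tool to delete, as opposed to merely list (DirLook::). The parser below is an added example, not ComboFix's or the thread's own code; it assumes the section markers used in the script above and standard .reg syntax inside Registry::, where `[-KEY]` removes a key and `"name"=-` removes a value. The embedded sample is an abbreviated copy of the script above.

```python
"""Parse a ComboFix CFScript and report the actions it requests.

Added example (not ComboFix's own code). Sections understood are the ones
used in the thread: DirLook:: (list only), File::, Folder::, Driver::,
Registry:: (.reg syntax) and ADS::. Any other section name is reported as
unknown rather than silently dropped, so a reviewer notices it.
"""
import re
from collections import OrderedDict

# Abbreviated copy of the CFScript posted above (constructed sample input).
SAMPLE_SCRIPT = r"""
DirLook::
c:\documents and settings\All Users\Application Data\391A5
c:\program files\temp01
File::
c:\windows\Tasks\B19A4DD2933DC162.job
c:\windows\system32\qvnuiewldd.exe
Folder::
C:\Program Files\Ares
c:\Program Files\LimeWire
Driver::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84BA8988-33E1-4c89-A150-BF428E8D3213}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"symPCCheckup"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

ADS::
""".strip("\n")

KNOWN_SECTIONS = ("DirLook", "File", "Folder", "Driver", "Registry", "ADS")

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")          # e.g. "File::"
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")              # "[KEY]" or "[-KEY]"
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data


def parse_cfscript(text):
    """Return an ordered mapping of section name -> list of non-blank lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section marker: %r" % line)
        sections[current].append(line)
    return sections


def registry_actions(lines):
    """Translate .reg-style lines into (action, key, value_name) tuples."""
    actions = []
    key = None
    for line in lines:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":          # "[-KEY]" deletes the whole key
                actions.append(("delete_key", key, None))
            continue
        m = REG_VALUE_RE.match(line)
        if m is None:
            raise ValueError("unparsed registry line: %r" % line)
        if key is None:
            raise ValueError("value outside of a [key] block: %r" % line)
        # .reg doubles backslashes inside quoted names; undo that escaping.
        name = re.sub(r"\\(.)", r"\1", m.group(1))
        if m.group(2) == "-":              # "name"=- deletes the value
            actions.append(("delete_value", key, name))
        else:
            actions.append(("set_value", key, name))
    return actions


def summarize(text):
    """Return a dict describing what the script would ask ComboFix to do."""
    sections = parse_cfscript(text)
    return {
        "list_only": sections.get("DirLook", []),
        "delete_files": sections.get("File", []),
        "delete_folders": sections.get("Folder", []),
        "delete_drivers": sections.get("Driver", []),
        "registry": registry_actions(sections.get("Registry", [])),
        "ads": sections.get("ADS", []),
        "unknown_sections": [s for s in sections if s not in KNOWN_SECTIONS],
    }


if __name__ == "__main__":
    for kind, entries in summarize(SAMPLE_SCRIPT).items():
        print(kind)
        for entry in entries:
            print("   ", entry)
```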

Anya_Iris
2008-12-09, 05:37
http://thespykiller.co.uk/index.php/topic,7421.msg29569.html#msg29569

ComboFix 08-12-06.06 - Ayona Simmons 2008-12-08 23:26:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.83 [GMT -5:00]
Running from: c:\documents and settings\Ayona Simmons\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ayona Simmons\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\LocalService\Application Data\internaldb1018.dat
c:\documents and settings\LocalService\Application Data\internaldb1942.dat
c:\documents and settings\LocalService\Application Data\internaldb2583.dat
c:\documents and settings\LocalService\Application Data\internaldb3435.dat
c:\documents and settings\LocalService\Application Data\internaldb3924.dat
c:\documents and settings\LocalService\Application Data\internaldb440.dat
c:\documents and settings\LocalService\Application Data\internaldb6296.dat
c:\documents and settings\LocalService\Application Data\internaldb7968.dat
c:\documents and settings\LocalService\Application Data\internaldb9438.dat
c:\windows\mozregistry.dat
c:\windows\qonigabur.db
c:\windows\system32\qvnuiewldd.exe
c:\windows\system32\ywawy.dat
c:\windows\Tasks\B19A4DD2933DC162.job
c:\windows\Tasks\Norton PC Checkup Setup.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\Application Data\internaldb1018.dat
c:\documents and settings\LocalService\Application Data\internaldb1942.dat
c:\documents and settings\LocalService\Application Data\internaldb2583.dat
c:\documents and settings\LocalService\Application Data\internaldb3435.dat
c:\documents and settings\LocalService\Application Data\internaldb3924.dat
c:\documents and settings\LocalService\Application Data\internaldb440.dat
c:\documents and settings\LocalService\Application Data\internaldb6296.dat
c:\documents and settings\LocalService\Application Data\internaldb7968.dat
c:\documents and settings\LocalService\Application Data\internaldb9438.dat
c:\program files\GrandPack
c:\program files\GrandPack\GrandPack.dll
c:\program files\GrandPack\qdrloader.exe
c:\program files\GrandPack\Uninstall.exe
c:\program files\iMesh Applications
c:\program files\LimeWire
c:\program files\LimeWire\desktop.ini
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\LimeWire.exe
c:\windows\mozregistry.dat
c:\windows\qonigabur.db
c:\windows\system32\qvnuiewldd.exe
c:\windows\system32\ywawy.dat
c:\windows\Tasks\B19A4DD2933DC162.job
c:\windows\Tasks\Norton PC Checkup Setup.job

----- BITS: Possible infected sites -----

hxxp://www.spiralfrog.com
.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-07 21:54 . 2008-12-07 21:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-07 21:54 . 2008-12-07 21:54 <DIR> d-------- c:\documents and settings\Ayona Simmons\Application Data\Malwarebytes
2008-12-07 21:54 . 2008-12-07 21:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 21:54 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-07 21:54 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-05 01:08 . 2008-12-05 01:08 <DIR> d-------- c:\program files\Trend Micro
2008-11-24 23:32 . 2008-11-24 23:32 <DIR> d-------- c:\program files\EA GAMES
2008-11-21 16:47 . 2008-11-24 23:18 445,504 --a------ c:\windows\system32\vp6vfw.dll
2008-11-20 22:57 . 2008-10-03 12:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-20 22:57 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-20 22:57 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-20 22:57 . 2008-08-26 02:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-20 22:57 . 2008-08-26 02:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-20 22:57 . 2008-08-26 02:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-20 22:57 . 2008-08-26 02:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-20 22:57 . 2008-08-26 02:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-20 22:57 . 2008-08-25 03:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-20 21:56 . 2008-11-20 21:57 <DIR> d-------- c:\windows\system32\Adobe
2008-11-11 20:12 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:12 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 04:20 --------- d-----w c:\program files\SpiralFrog
2008-12-09 03:46 25,600 ----a-w c:\windows\Internet Logs\xDB1E8.tmp
2008-12-09 03:00 2,590,208 ----a-w c:\windows\Internet Logs\xDB1E7.tmp
2008-12-07 14:36 29,696 ----a-w c:\windows\Internet Logs\xDB1E6.tmp
2008-12-07 14:36 2,603,520 ----a-w c:\windows\Internet Logs\xDB1E5.tmp
2008-12-07 03:16 17,408 ----a-w c:\windows\Internet Logs\xDB1E4.tmp
2008-12-07 00:22 2,584,576 ----a-w c:\windows\Internet Logs\xDB1E3.tmp
2008-12-06 13:14 2,579,456 ----a-w c:\windows\Internet Logs\xDB1E1.tmp
2008-12-06 13:14 17,408 ----a-w c:\windows\Internet Logs\xDB1E2.tmp
2008-12-05 06:24 2,584,064 ----a-w c:\windows\Internet Logs\xDB1DE.tmp
2008-12-05 06:12 25,600 ----a-w c:\windows\Internet Logs\xDB1DF.tmp
2008-12-05 05:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 01:37 28,160 ----a-w c:\windows\Internet Logs\xDB1DD.tmp
2008-12-04 14:19 2,575,872 ----a-w c:\windows\Internet Logs\xDB1DB.tmp
2008-12-04 13:18 17,920 ----a-w c:\windows\Internet Logs\xDB1E0.tmp
2008-12-04 09:17 2,576,896 ----a-w c:\windows\Internet Logs\xDB1D9.tmp
2008-12-04 09:15 20,480 ----a-w c:\windows\Internet Logs\xDB1DA.tmp
2008-12-04 06:41 19,456 ----a-w c:\windows\Internet Logs\xDB1D7.tmp
2008-12-04 06:13 2,581,504 ----a-w c:\windows\Internet Logs\xDB1D6.tmp
2008-12-03 07:35 2,585,088 ----a-w c:\windows\Internet Logs\xDB1D4.tmp
2008-12-03 07:35 16,896 ----a-w c:\windows\Internet Logs\xDB1D5.tmp
2008-12-03 01:12 2,578,432 ----a-w c:\windows\Internet Logs\xDB1D2.tmp
2008-12-02 22:16 16,384 ----a-w c:\windows\Internet Logs\xDB1D3.tmp
2008-12-02 18:00 15,872 ----a-w c:\windows\Internet Logs\xDB1D1.tmp
2008-12-02 17:55 2,575,360 ----a-w c:\windows\Internet Logs\xDB1D0.tmp
2008-12-02 17:00 2,575,360 ----a-w c:\windows\Internet Logs\xDB1CE.tmp
2008-12-02 08:10 14,848 ----a-w c:\windows\Internet Logs\xDB1CF.tmp
2008-12-02 07:31 2,578,432 ----a-w c:\windows\Internet Logs\xDB1CC.tmp
2008-12-02 07:31 16,896 ----a-w c:\windows\Internet Logs\xDB1CD.tmp
2008-12-02 04:19 2,575,360 ----a-w c:\windows\Internet Logs\xDB1CA.tmp
2008-12-02 01:11 15,872 ----a-w c:\windows\Internet Logs\xDB1CB.tmp
2008-12-01 21:15 2,575,360 ----a-w c:\windows\Internet Logs\xDB1C8.tmp
2008-12-01 09:10 14,336 ----a-w c:\windows\Internet Logs\xDB1C9.tmp
2008-12-01 08:48 2,580,480 ----a-w c:\windows\Internet Logs\xDB1C6.tmp
2008-12-01 06:31 16,896 ----a-w c:\windows\Internet Logs\xDB1C7.tmp
2008-12-01 05:51 2,578,944 ----a-w c:\windows\Internet Logs\xDB1DC.tmp
2008-12-01 05:51 2,578,944 ----a-w c:\windows\Internet Logs\xDB1D8.tmp
2008-11-27 23:30 15,360 ----a-w c:\windows\Internet Logs\xDB1C5.tmp
2008-11-27 23:28 2,576,896 ----a-w c:\windows\Internet Logs\xDB1C4.tmp
2008-11-25 05:36 2,585,600 ----a-w c:\windows\Internet Logs\xDB1C2.tmp
2008-11-25 05:34 32,256 ----a-w c:\windows\Internet Logs\xDB1C3.tmp
2008-11-25 04:51 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-24 00:12 51,712 ----a-w c:\windows\Internet Logs\xDB1C1.tmp
2008-11-23 04:28 2,591,232 ----a-w c:\windows\Internet Logs\xDB1C0.tmp
2008-11-21 08:21 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-21 08:12 --------- d-----w c:\program files\Microsoft Works
2008-11-21 02:58 2,573,824 ----a-w c:\windows\Internet Logs\xDB1BF.tmp
2008-11-21 02:22 2,572,288 ----a-w c:\windows\Internet Logs\xDB1BD.tmp
2008-11-21 02:13 26,112 ----a-w c:\windows\Internet Logs\xDB1BE.tmp
2008-11-21 01:58 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 05:21 2,570,752 ----a-w c:\windows\Internet Logs\xDB1BB.tmp
2008-11-20 05:20 24,064 ----a-w c:\windows\Internet Logs\xDB1BC.tmp
2008-11-19 05:10 2,566,656 ----a-w c:\windows\Internet Logs\xDB1B9.tmp
2008-11-19 05:09 20,480 ----a-w c:\windows\Internet Logs\xDB1BA.tmp
2008-11-18 21:46 23,552 ----a-w c:\windows\Internet Logs\xDB1B8.tmp
2008-11-18 00:41 2,566,144 ----a-w c:\windows\Internet Logs\xDB1B7.tmp
2008-11-16 21:04 2,566,144 ----a-w c:\windows\Internet Logs\xDB1B5.tmp
2008-11-16 21:00 19,456 ----a-w c:\windows\Internet Logs\xDB1B6.tmp
2008-11-15 23:52 15,360 ----a-w c:\windows\Internet Logs\xDB1B4.tmp
2008-11-15 23:42 2,565,120 ----a-w c:\windows\Internet Logs\xDB1B3.tmp
2008-11-15 02:38 63,488 ----a-w c:\windows\Internet Logs\xDB1B2.tmp
2008-11-13 08:11 2,565,120 ----a-w c:\windows\Internet Logs\xDB1B1.tmp
2008-11-12 20:50 23,040 ----a-w c:\windows\Internet Logs\xDB183.tmp
2008-11-12 20:35 2,522,112 ----a-w c:\windows\Internet Logs\xDB182.tmp
2008-11-12 03:45 123,904 ----a-w c:\windows\Internet Logs\xDB181.tmp
2008-11-12 03:40 2,533,376 ----a-w c:\windows\Internet Logs\xDB180.tmp
2008-11-10 04:32 24,064 ----a-w c:\windows\Internet Logs\xDB1B0.tmp
2008-11-10 04:32 2,556,928 ----a-w c:\windows\Internet Logs\xDB1AF.tmp
2008-11-08 21:43 2,555,904 ----a-w c:\windows\Internet Logs\xDB1AD.tmp
2008-11-08 19:49 14,848 ----a-w c:\windows\Internet Logs\xDB1AE.tmp
2008-11-08 18:46 47,104 ----a-w c:\windows\Internet Logs\xDB1AC.tmp
2008-11-06 11:41 2,570,240 ----a-w c:\windows\Internet Logs\xDB1AB.tmp
2008-11-02 05:27 2,557,952 ----a-w c:\windows\Internet Logs\xDB1A9.tmp
2008-11-02 05:24 15,360 ----a-w c:\windows\Internet Logs\xDB1AA.tmp
2008-11-02 04:35 14,848 ----a-w c:\windows\Internet Logs\xDB1A8.tmp
2008-11-02 04:25 2,556,928 ----a-w c:\windows\Internet Logs\xDB1A7.tmp
2008-11-02 03:33 2,556,928 ----a-w c:\windows\Internet Logs\xDB1A5.tmp
2008-11-02 01:39 14,848 ----a-w c:\windows\Internet Logs\xDB1A6.tmp
2008-11-02 00:57 2,563,584 ----a-w c:\windows\Internet Logs\xDB1A3.tmp
2008-11-01 22:33 71,168 ----a-w c:\windows\Internet Logs\xDB1A4.tmp
2008-10-25 20:04 2,555,904 ----a-w c:\windows\Internet Logs\xDB1A1.tmp
2008-10-25 16:48 14,848 ----a-w c:\windows\Internet Logs\xDB1A2.tmp
2008-10-24 21:13 8,864 ----a-w c:\windows\system32\drivers\CDAC15BA.SYS
2008-10-24 21:13 39,936 ----a-w c:\windows\system32\drivers\CDAC11BA.EXE
2008-10-24 21:13 30,720 ---h--r c:\windows\CdaC13BA.EXE
2008-10-24 21:13 112,128 ---h--r c:\windows\CdaC14BA.DLL
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 08:27 2,566,656 ----a-w c:\windows\Internet Logs\xDB19F.tmp
2008-10-20 21:27 26,624 ----a-w c:\windows\Internet Logs\xDB19E.tmp
2008-10-20 21:26 2,523,648 ----a-w c:\windows\Internet Logs\xDB19D.tmp
2008-10-20 05:20 23,040 ----a-w c:\windows\Internet Logs\xDB19C.tmp
2008-10-20 05:19 2,521,600 ----a-w c:\windows\Internet Logs\xDB19B.tmp
2008-10-20 04:02 15,872 ----a-w c:\windows\Internet Logs\xDB19A.tmp
2008-10-20 03:58 2,515,968 ----a-w c:\windows\Internet Logs\xDB199.tmp
2008-10-20 03:45 2,514,944 ----a-w c:\windows\Internet Logs\xDB197.tmp
2008-10-20 03:43 17,408 ----a-w c:\windows\Internet Logs\xDB198.tmp
2008-10-20 03:37 2,514,944 ----a-w c:\windows\Internet Logs\xDB195.tmp
2008-10-20 03:34 31,232 ----a-w c:\windows\Internet Logs\xDB196.tmp
2008-10-20 01:44 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-20 01:37 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\Application Data\1C19A ----

2008-10-12 21:40 4501 --a------ c:\documents and settings\All Users\Application Data\1C19A\{F058E0BD-AF08-4E3C-BDBB-20737FC2656B}.swf

---- Directory of c:\documents and settings\All Users\Application Data\222CE ----

2008-10-12 21:40 4501 --a------ c:\documents and settings\All Users\Application Data\222CE\{C6D414CD-EE11-4E95-A58B-ABBE17859C75}.swf

---- Directory of c:\documents and settings\All Users\Application Data\391A5 ----

2008-10-12 21:40 4501 --a------ c:\documents and settings\All Users\Application Data\391A5\{06DB46E5-5C1E-48DD-9006-0B13FCEC7F10}.swf

---- Directory of c:\documents and settings\All Users\Application Data\Gogii ----

2008-10-14 18:58 8453 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\1save.dat
2008-10-14 18:58 51 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\Scene3.dat
2008-10-14 18:53 15 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialScene12.dat
2008-10-14 18:52 52 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\Scene12.dat
2008-10-14 18:52 30 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialScene27.dat
2008-10-14 18:48 97 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\Scene27.dat
2008-10-14 18:32 5 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialScene5.dat
2008-10-14 18:31 52 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\Scene5.dat
2008-10-14 18:30 10 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialScene25.dat
2008-10-14 18:17 9 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\lastProfile.dat
2008-10-14 18:17 47 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\Scene25.dat
2008-10-14 18:17 3 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\VoiceVolume.dat
2008-10-14 18:17 3 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\SoundVolume.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene9.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene8.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene7.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene6.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene4.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene30.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene3.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene29.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene28.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene26.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene24.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene23.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene22.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene21.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene20.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene2.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene19.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene18.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene17.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene16.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene15.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene14.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene13.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene11.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene10.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\specialscene1.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene9.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene8.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene7.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene6.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene4.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene30.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene29.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene28.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene26.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene24.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene23.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene22.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene21.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene20.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene2.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene19.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene18.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene17.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene16.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene15.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene14.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene13.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene11.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene10.dat
2008-10-14 18:17 2 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\scene1.dat
2008-10-14 18:17 1 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\MusicVolume.dat
2008-10-14 18:17 1 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\displayMode.dat
2008-10-14 18:17 1 --a------ c:\documents and settings\All Users\Application Data\Gogii\THOS\Shockwave\data\autoPause.dat

---- Directory of c:\program files\temp01 ----

c:\program files\temp01\


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 53248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2007-10-15 163128]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-07 176128]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 671744]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-12-27 c:\windows\system32\TDispVol.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 c:\windows\system32\TCtrlIOHook.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"Appinit_dlls"=karna.dat lzdjba.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-25 24652]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2005-12-29 26488]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-10-20 c:\windows\Tasks\User_Feed_Synchronization-{7BC18AE3-BFDC-4CD6-A6D1-339D22AE873B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://firefox.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search - ?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Ayona Simmons\Application Data\Mozilla\Firefox\Profiles\du5fuf7f.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\GoBit Games\BrowserPlugin\npgobitgamesplugin.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 23:30:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-12-08 23:33:41
ComboFix-quarantined-files.txt 2008-12-09 04:32:23
ComboFix2.txt 2008-12-08 02:46:35

Pre-Run: 43,653,836,800 bytes free
Post-Run: 43,690,418,176 bytes free

370 --- E O F --- 2008-11-21 08:21:54


I was unable to retrieve the Kaspersky log file because my computer kept shutting down when it reached 56%.

katana
2008-12-09, 12:51
OTMoveIt
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop.

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. (Make sure you include :Files)

:Files
c:\windows\Internet Logs\xDB*.tmp
c:\documents and settings\All Users\Application Data\391A5
c:\documents and settings\All Users\Application Data\222CE
c:\documents and settings\All Users\Application Data\1C19A
c:\program files\temp01
:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"Appinit_dlls"=""
:Commands
[Purity]
[EmptyTemp]

Return to OTMoveIt3, right-click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Please try this scan instead.

Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE: Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-click >> Run As Admin.
Please go to this site: ActiveScan (http://www.pandasecurity.com/activescan/index/)

Click the Scan Now button.
Follow the prompts to install the ActiveX control if necessary.
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated.
Next to Scan Details, click the small export to notepad button and save the report to your desktop.
Please post the report in your reply.
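A defender-side triage of the registry findings above, added here as an example and not part of the thread or of ComboFix/OTMoveIt: it parses the REGEDIT4-style "Reg Loading Points" lines the way a helper reads them and flags the AppInit_DLLs persistence and the disabled protections that the OTMoveIt script above resets. The sample lines are copied from the log in this thread; the tool-name list, severities and message text are my own choices.

```python
import re

# Constructed sample input: the relevant lines from the ComboFix "Reg Loading
# Points" section posted in this thread (REGEDIT4 layout), nothing else.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"Appinit_dlls"=karna.dat lzdjba.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# ComboFix lists Run entries that have been switched off under a "run-" key;
# a security tool showing up there means its autostart was disabled (my list).
SECURITY_TOOLS = {"windows defender", "spybotsd teatimer"}


def parse_reg_section(text):
    """Map each [key] (lowercased) to its {"name": raw value} entries."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def triage(text):
    """Return (severity, message) pairs for the persistence and
    self-protection tampering that the log makes visible."""
    findings = []
    for key, vals in parse_reg_section(text).items():
        if key.endswith(r"windows nt\currentversion\windows"):
            raw = vals.get("Appinit_dlls", "").strip('"')
            dlls = [d for d in re.split(r"[\s,]+", raw) if d]
            if dlls:  # loaded into every process that maps user32.dll
                findings.append(("high", "AppInit_DLLs set: " + ", ".join(dlls)))
        elif key.endswith(r"\run-"):
            for name in vals:
                if name.lower() in SECURITY_TOOLS:
                    findings.append(("medium", f"autostart disabled: {name}"))
        elif key.endswith(r"\security center"):
            for name, val in vals.items():
                if name.endswith("DisableNotify") and val == "dword:00000001":
                    findings.append(("medium", f"Security Center alert suppressed: {name}"))
        elif key.endswith(r"firewallpolicy\standardprofile"):
            if vals.get("EnableFirewall", "").startswith("0"):
                findings.append(("medium", "Windows Firewall off (EnableFirewall=0)"))
    return findings
```

Running triage(SAMPLE_LOG) yields one high finding for the two AppInit_DLLs entries and four medium findings for the disabled Defender autostart, the two suppressed Security Center alerts and the firewall being off; after the OTMoveIt :Reg step clears Appinit_dlls the high finding disappears.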

tashi
2008-12-17, 17:55
This topic has been archived due to inactivity.

As it has been five days or more since your last post, and your helper posted a response to which you did not reply, this topic has been archived and will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.