PDA

View Full Version : Virtumonde infection


MrPositive
2009-03-29, 18:56
Here's the HJT log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:36 AM, on 3/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {1486AAEE-C48E-4B3B-9B9D-052E2AA31439} - (no file)
O2 - BHO: (no name) - {31B6002A-E311-4373-957A-E439FC87D0D0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BD5E023-A449-4446-8075-D527315E4F2F} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {60C0A167-FE13-4983-A14A-BE2C8EBE8B3A} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {907222db-a44c-4be6-94ae-cd2085034f7e} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {cc4a38d1-8ad6-4155-9cfb-0efe2d0bd7c0} - C:\WINDOWS\system32\tuyubeva.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {EA0BAC65-EB94-441F-BA58-583A75984E56} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [biniforifa] Rundll32.exe "C:\WINDOWS\system32\kolojebe.dll",s
O4 - HKLM\..\Run: [5c317931] rundll32.exe "C:\WINDOWS\system32\nevaluso.dll",b
O4 - HKLM\..\Run: [CPM5f024aad] Rundll32.exe "c:\windows\system32\pizakuma.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [biniforifa] Rundll32.exe "C:\WINDOWS\system32\kolojebe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [biniforifa] Rundll32.exe "C:\WINDOWS\system32\kolojebe.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201273588671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161277424156
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\matidaha.dll c:\windows\system32\pizakuma.dll
O20 - Winlogon Notify: hgGabaBU - C:\WINDOWS\
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pizakuma.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pizakuma.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
pskelley
2009-03-31, 16:51
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

http://forums.spybot.info/showthread.php?t=43901&page=3

If one of our volunteers is working with you towards cleaning up your computer, and you are going away before closure, please do let them know.
If you continue until closing information is posted you may learn have to avoid Virtumonde?

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
MrPositive
2009-03-31, 23:39
Thanks a lot for all of your help. I really appreciate it

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:27 PM, on 3/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {cc4a38d1-8ad6-4155-9cfb-0efe2d0bd7c0} - C:\WINDOWS\system32\lupojuki.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [biniforifa] Rundll32.exe "C:\WINDOWS\system32\yiyerufe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201273588671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161277424156
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\hifavemu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
pskelley
2009-03-31, 23:43
You really need to take the time to read the directions:
All logs should be copy/pasted into topic and not attached unless requested by helper in that format.

I personally do not open attached files I have not requested.

Thanks
MrPositive
2009-03-31, 23:49
I apologize, i thought you wanted an attachment due to the fact that you said you wanted the C:\Combofix.txt which i took as an attachment, not posted in the forums. Here are the logs

ComboFix 09-03-31.01 - Marc-MSU 2009-03-31 16:20:32.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.865 [GMT -4:00]
Running from: c:\documents and settings\Marc-MSU\Desktop\ComboFix.exe
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\akanowun.ini
c:\windows\system32\bawawaza.dll
c:\windows\system32\hifavemu.dll
c:\windows\system32\ihohekom.ini
c:\windows\system32\kolojebe.dll.tmp
c:\windows\system32\matidaha.dll.tmp
c:\windows\system32\mokehohi.dll
c:\windows\system32\nevaluso.dll
c:\windows\system32\nuwonaka.dll
c:\windows\system32\pizakuma.dll
c:\windows\system32\tuyubeva.dll.tmp
c:\windows\system32\ufifakov.ini
c:\windows\system32\wepozara.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-29 11:42 . 2009-03-29 11:42 <DIR> d-------- c:\program files\ERUNT
2009-03-22 19:32 . 2009-03-22 19:35 <DIR> d-------- c:\program files\FL music
2009-03-22 15:52 . 2009-03-22 15:52 <DIR> d-------- c:\program files\ASIO4ALL v2
2009-03-22 15:47 . 2009-03-22 15:47 <DIR> d-------- c:\program files\VstPlugins
2009-03-22 15:47 . 2002-07-07 18:14 1,294,336 --a------ c:\windows\system32\vorbis.acm
2009-03-22 15:47 . 2006-06-20 04:56 225,280 --a------ c:\windows\system32\rewire.dll
2009-03-22 15:46 . 2009-03-22 15:46 <DIR> d-------- c:\program files\Outsim
2009-03-22 15:45 . 2009-03-29 10:25 <DIR> d-------- c:\program files\Image-Line
2009-02-20 16:05 . 2008-12-02 23:13 165,200 --a------ c:\documents and settings\Marc-MSU\_ImagineUpdate.exe
2009-02-16 10:22 . 2009-02-16 10:22 <DIR> d-------- c:\program files\Common Files\DirectX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 07:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 02:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-22 19:42 --------- d-----w c:\documents and settings\Marc-MSU\Application Data\FrostWire
2009-03-14 23:01 --------- d-----w c:\program files\Starcraft
2009-03-02 16:10 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-25 23:03 --------- d-----w c:\program files\DivX
2007-06-28 18:00 15,505,200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe
2006-05-22 00:06 37,311,488 ----a-w c:\program files\iTunesSetup.exe
2006-05-17 22:39 8,715,352 ----a-w c:\program files\Install_AIM.exe
2005-11-08 20:04 1,145 ----a-w c:\program files\README.txt
2008-01-25 17:52 2 --shatr c:\windows\winstart.bat
1601-01-01 00:12 49,152 --sha-w c:\windows\system32\lupojuki.dll
1601-01-01 00:12 49,152 --sha-w c:\windows\system32\yiyerufe.dll
2008-11-20 00:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111920081120\index.dat
.

((((((((((((((((((((((((((((( snapshot_2009-01-16_17.02.50.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-11 12:33:59 333,952 ----a-w c:\windows\$hf_mig$\KB958687\SP3QFE\srv.sys
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB958687\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB958687\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB958687\update\spcustom.dll
+ 2007-11-30 11:18:51 755,576 ----a-w c:\windows\$hf_mig$\KB958687\update\update.exe
+ 2007-11-30 11:18:51 382,840 ----a-w c:\windows\$hf_mig$\KB958687\update\updspapi.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB958687$\spuninst\spuninst.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB958687$\spuninst\updspapi.dll
+ 2008-09-08 10:41:42 333,824 -c----w c:\windows\$NtUninstallKB958687$\srv.sys
+ 2005-10-20 16:02:28 163,328 ----a-w c:\windows\erdnt\3-29-2009\ERDNT.EXE
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
+ 2009-01-22 01:28:53 102,032 ------w c:\windows\hpoins04.dat
+ 2009-01-22 01:28:53 102,032 ------w c:\windows\hpoins04.dat.temp
+ 2004-06-22 09:20:34 17,218 ------w c:\windows\hpomdl04.dat
+ 2004-06-22 09:20:34 17,218 ------w c:\windows\hpomdl04.dat.temp
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 1998-10-29 22:45:06 306,688 ----a-w c:\windows\IsUninst.exe
+ 1998-10-29 21:45:06 306,688 ----a-w c:\windows\IsUninst.exe
- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\Nircmd.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\Nircmd.exe
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2009-03-30 18:46:01 61,440 --sha-w c:\windows\system32\baniwiki.exe
+ 2009-03-29 02:13:27 61,440 --sha-w c:\windows\system32\bujusufe.exe
- 2009-01-11 20:00:39 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-13 11:25:59 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-11 20:00:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-13 11:25:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-11 20:00:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-13 11:25:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-18 17:08:33 410,984 ----a-w c:\windows\system32\deploytk.dll
- 2008-10-16 20:38:34 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
- 2008-10-16 20:38:34 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 -c--a-w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 -c--a-w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 -c--a-w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 -c--a-w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 -c--a-w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 -c--a-w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 -c--a-w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 -c--a-w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 -c--a-w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 -c--a-w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 -c--a-w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c--a-w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:37 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2008-10-16 20:38:37 459,264 -c--a-w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 -c--a-w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 -c--a-w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 -c--a-w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-09-08 10:41:42 333,824 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2008-10-16 20:38:39 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-10-16 20:38:39 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
- 2008-10-16 20:38:40 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2004-03-22 10:35:48 51,088 ----a-w c:\windows\system32\drivers\hpzid412.sys
+ 2004-03-22 10:35:52 16,496 ----a-w c:\windows\system32\drivers\HPZipr12.sys
+ 2004-03-22 10:35:58 21,744 ----a-w c:\windows\system32\drivers\HPZius12.sys
- 2008-09-08 10:41:42 333,824 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-12-11 10:57:09 333,952 ----a-w c:\windows\system32\drivers\srv.sys
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-11-20 02:59:06 1,595,480 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-29 14:32:28 1,586,592 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-31 18:46:06 61,440 --sha-w c:\windows\system32\hegubagu.exe
+ 2004-03-14 08:32:06 278,528 ----a-w c:\windows\system32\hpgwiamd.dll
+ 2004-04-13 06:10:24 581,632 ----a-w c:\windows\system32\hpotscl.dll
+ 2004-04-13 06:10:16 90,112 ----a-w c:\windows\system32\hpovst08.dll
+ 2004-03-14 08:34:10 270,336 ----a-w c:\windows\system32\HPZc3212.dll
+ 2004-04-07 12:34:26 196,608 ----a-w c:\windows\system32\hpzcoi10.dll
+ 2004-04-07 12:33:20 344,064 ----a-w c:\windows\system32\hpzcon10.dll
+ 2004-03-18 21:53:54 278,584 ----a-w c:\windows\system32\HPZidr12.dll
+ 2004-03-18 21:38:00 61,440 ----a-w c:\windows\system32\HPZinw12.exe
+ 2004-03-18 21:55:48 65,536 ----a-w c:\windows\system32\HPZipm12.exe
+ 2004-03-18 21:56:28 204,800 ----a-w c:\windows\system32\HPZipr12.dll
+ 2004-03-18 21:39:24 94,208 ----a-w c:\windows\system32\HPZipt12.dll
+ 2004-03-18 21:39:30 57,344 ----a-w c:\windows\system32\HPZisn12.dll
+ 2004-03-14 08:43:30 135,249 ----a-w c:\windows\system32\hpzlnt10.dll
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2007-09-25 03:30:28 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-01-18 17:08:33 144,792 ----a-w c:\windows\system32\java.exe
- 2007-09-25 03:30:30 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-18 17:08:33 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-09-25 04:31:42 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-18 17:08:33 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-29 14:13:25 61,440 --sha-w c:\windows\system32\joyiwila.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2007-03-01 21:45:32 1,044,480 ----a-w c:\windows\system32\libdivx.dll
+ 2008-11-06 16:35:00 1,044,480 ----a-w c:\windows\system32\libdivx.dll
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-11-20 00:28:33 60,362 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-29 02:07:56 60,362 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-20 00:28:33 398,968 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-29 02:07:56 398,968 ----a-w c:\windows\system32\perfh009.dat
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2009-03-31 18:46:37 49,152 --sha-w c:\windows\system32\rayowoju.dll
+ 2009-03-31 06:45:48 61,440 --sha-w c:\windows\system32\rosobogu.exe
- 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2004-04-08 07:16:46 131,329 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpop6110.dat
+ 2004-03-14 08:43:28 196,608 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpz2ku10.dll
+ 2004-03-24 05:04:48 286,720 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzcfg10.exe
+ 2004-04-07 12:34:26 196,608 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzcoi10.dll
+ 2004-04-07 12:33:20 344,064 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzcon10.dll
+ 2004-03-24 05:04:54 647,168 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzeng10.exe
+ 2004-03-24 05:04:58 69,632 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzflt10.dll
+ 2004-03-24 05:05:00 1,589,248 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzimc10.dll
+ 2004-03-24 05:05:04 352,256 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzime10.dll
+ 2004-03-24 05:05:08 1,671,168 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzims10.dll
+ 2004-03-24 05:05:14 200,704 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzjui10.dll
+ 2004-03-14 08:43:30 135,249 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzlnt10.dll
+ 2004-03-24 05:05:18 143,360 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzpcl10.dll
+ 2004-03-14 08:43:30 487,424 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzpm310.dll
+ 2004-03-24 05:05:22 331,776 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzpre10.exe
+ 2004-03-14 08:44:34 3,182,592 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzr3210.dll
+ 2004-03-24 05:05:26 368,640 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzres10.dll
+ 2004-03-14 08:44:36 1,695,744 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzrm310.dll
+ 2004-03-24 05:05:28 679,936 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzslk10.dll
+ 2004-03-14 08:43:30 180,315 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzsnt10.dll
+ 2004-03-24 05:05:32 385,024 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzstc10.exe
+ 2004-03-24 05:05:36 163,840 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzstw10.exe
+ 2004-03-24 05:05:38 61,440 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpztbi10.dll
+ 2004-03-24 05:05:42 172,032 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpztbu10.exe
+ 2004-04-09 17:51:56 7,331,840 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpztbx10.exe
+ 2004-03-24 05:05:52 155,708 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzvip10.dll
+ 2004-04-08 07:16:46 131,329 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpop6110.dat
+ 2004-03-14 08:43:28 196,608 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpz2ku10.dll
+ 2004-03-24 05:04:48 286,720 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzcfg10.exe
+ 2004-04-07 12:34:26 196,608 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzcoi10.dll
+ 2004-04-07 12:33:20 344,064 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzcon10.dll
+ 2004-03-24 05:04:54 647,168 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzeng10.exe
+ 2004-03-24 05:04:58 69,632 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzflt10.dll
+ 2004-03-24 05:05:00 1,589,248 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzimc10.dll
+ 2004-03-24 05:05:04 352,256 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzime10.dll
+ 2004-03-24 05:05:08 1,671,168 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzims10.dll
+ 2004-03-24 05:05:14 200,704 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzjui10.dll
+ 2004-03-14 08:43:30 135,249 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzlnt10.dll
+ 2004-03-24 05:05:18 143,360 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzpcl10.dll
+ 2004-03-14 08:43:30 487,424 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzpm310.dll
+ 2004-03-24 05:05:22 331,776 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzpre10.exe
+ 2004-03-14 08:44:34 3,182,592 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzr3210.dll
+ 2004-03-24 05:05:26 368,640 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzres10.dll
+ 2004-03-14 08:44:36 1,695,744 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzrm310.dll
+ 2004-03-24 05:05:28 679,936 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzslk10.dll
+ 2004-03-14 08:43:30 180,315 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzsnt10.dll
+ 2004-03-24 05:05:32 385,024 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzstc10.exe
+ 2004-03-24 05:05:36 163,840 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzstw10.exe
+ 2004-03-24 05:05:38 61,440 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpztbi10.dll
+ 2004-03-24 05:05:42 172,032 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpztbu10.exe
+ 2004-04-09 17:51:56 7,331,840 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpztbx10.exe
+ 2004-03-24 05:05:52 155,708 ----a-w c:\windows\system32\spool\drivers\w32x86\hewlett_packardoffic3c09\hpzvip10.dll
- 2007-03-01 21:45:32 200,704 ----a-w c:\windows\system32\ssldivx.dll
+ 2008-11-06 16:35:00 200,704 ----a-w c:\windows\system32\ssldivx.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2009-03-31 20:25:54 16,384 ----atw c:\windows\temp\Perflib_Perfdata_600.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cc4a38d1-8ad6-4155-9cfb-0efe2d0bd7c0}]
49152 --ahs---- c:\windows\system32\lupojuki.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"biniforifa"="c:\windows\system32\yiyerufe.dll" [ 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\hifavemu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\hifavemu.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Start Menu^Programs^Startup^MEMonitor.lnk]
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-02-08 02:12 488984 c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-02-08 02:13 774168 c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-11-07 15:31 21633320 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-04-04 19:38 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Microsoft Games\\HCE\\haloce.exe"=
"c:\\Program Files\\Steam\\SteamApps\\allerka\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\allerka\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\AeriaGames\\ProjectTorque\\ProjectTorque.bin"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\MOM.exe"=
"c:\\WINDOWS\\explorer.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-07-07 24652]
S2 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2005-04-07 10112]
S3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2005-04-07 9216]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-01-25 747912]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys --> c:\windows\system32\XDva158.sys [?]
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys --> c:\windows\system32\XDva164.sys [?]
S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys --> c:\windows\system32\XDva165.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva201;XDva201;\??\c:\windows\system32\XDva201.sys --> c:\windows\system32\XDva201.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 16:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1486AAEE-C48E-4B3B-9B9D-052E2AA31439} - (no file)
BHO-{31B6002A-E311-4373-957A-E439FC87D0D0} - (no file)
BHO-{5BD5E023-A449-4446-8075-D527315E4F2F} - (no file)
BHO-{60C0A167-FE13-4983-A14A-BE2C8EBE8B3A} - (no file)
BHO-{907222db-a44c-4be6-94ae-cd2085034f7e} - (no file)
BHO-{EA0BAC65-EB94-441F-BA58-583A75984E56} - (no file)
Notify-hgGabaBU - (no file)


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Marc-MSU\Application Data\Mozilla\Firefox\Profiles\7lbz2wc9.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Marc-MSU\Application Data\Mozilla\Firefox\Profiles\7lbz2wc9.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\Marc-MSU\Application Data\Mozilla\Firefox\Profiles\7lbz2wc9.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 16:26:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\dllhost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-03-31 16:30:44 - machine was rebooted [Marc-MSU]
ComboFix-quarantined-files.txt 2009-03-31 20:30:41
ComboFix2.txt 2009-01-18 17:04:15
ComboFix3.txt 2009-01-16 22:04:16
ComboFix4.txt 2008-01-25 13:15:23
ComboFix5.txt 2009-03-31 19:12:24

Pre-Run: 81,025,327,104 bytes free
Post-Run: 81,006,145,536 bytes free

472
MrPositive
2009-03-31, 23:50
And the uninstall list

Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop 7.0
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 7.0.9
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AGEIA PhysX v7.09.13
ASIO4ALL
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Anti-Rootkit Free
Best Buy Digital Music Store
Best Buy Rhapsody
Bulent's Screen Recorder 4
CamStudio
Canon PhotoRecord
Canon PIXMA iP3000
Catalyst Control Center - Branding
CCleaner (remove only)
Combat Arms
ConvertHelper 2.2
Counter-Strike: Source
Crimson Editor (remove only)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
EA Download Manager
Easy-WebPrint
ERUNT 1.1j
Ethereal 0.99.0
FileZilla (remove only)
FL Studio 8
Galactic Civilizations II - Gold Edition
GameSpy Arcade
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life: Source
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP PSC & Officejet 4.2 Corporate Edition
IL Download Manager
Install(US)2
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
iPod for Windows 2005-09-06
iTunes
Java(TM) 6 Update 11
Landscape Illustrator
LG USB Modem driver
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
Mabinogi
MapleStory
Marvell Miniport Driver
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Miranda IM 0.7.3
Morrowind
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
MVision
MySQL Server 5.0
Nero Suite
PDF Settings
PhotoNow! 1.0
PHP 5.2.3
PoiZone
Portal
PowerDirector
PowerDVD
PrimoPDF
PrimoPDF Redistribution Package
Project Torque
QuickLink Mobile Phonebook
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Registry Mechanic 5.0
Rhapsody Player Engine
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Shin Megami Tensei: Imagine
Sierra Utilities
Skype™ 3.8
SmartSound Quicktracks Plugin
Space Quest Collection(TM)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Spyware Doctor 5.5
Starcraft
Stardock Central
Steam
Team Fortress 2
TES Construction Set
TourAHomeOnline.Com, Inc. BuildATour.Exe
TourMyHomeOnline.Com BuildATour.Exe
Toxic Biohazard
Unreal Tournament 3
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VZAccess Manager
Warhammer Online - Age of Reckoning
Windows Imaging Component
Windows Live installer
Windows Media Format Runtime
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinPcap 3.1
Wireless-G PCI Adapter
Wisdom-soft AutoScreenRecorder 2.0 Free
WONswap
Xara Webstyle 4
XMLinst
pskelley
2009-04-01, 00:18
FrostWire <<< p2p, before we start, all p2p programs must be uninstalled/removed. Since I see no uninstaller I will remove this with CFScript.
http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

Please follow the directions carefully and in the numbered order.

1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
http://vil.nai.com/vil/content/v_137262.htm

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\lupojuki.dll
C:\WINDOWS\system32\yiyerufe.dll
C:\WINDOWS\system32\hifavemu.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cc4a38d1-8ad6-4155-9cfb-0efe2d0bd7c0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"biniforifa"=-

Folder::
c:\documents and settings\Marc-MSU\Application Data\FrostWire

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some items may be gone)

O2 - BHO: (no name) - {cc4a38d1-8ad6-4155-9cfb-0efe2d0bd7c0} - C:\WINDOWS\system32\lupojuki.dll
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\yiyerufe.dll",s
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\hifavemu.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download [B]Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks


This can be done as time permits, but it is important, and may be why you are infected.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 Plugin
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 7.0.9 <<< out of date and unsafe:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

AVG Anti-Rootkit Free <<< if you check I think you will find this is obsolete.
http://free.grisoft.com/ww.download-avg-anti-spyware-and-anti-rootkit

Java(TM) 6 Update 11 <<< update is available
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Spybot - Search & Destroy 1.5.2.20 <<< uninstall this old version

Spybot - Search & Destroy
Please be sure Spybot S&D is up to date and fully immunized.
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html

Viewpoint Manager (Remove Only)
Viewpoint Media Player
Covered these in the first instruction
MrPositive
2009-04-01, 02:41
ComboFix 09-03-31.01 - Marc-MSU 2009-03-31 18:12:26.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.634 [GMT -4:00]
Running from: c:\documents and settings\Marc-MSU\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marc-MSU\Desktop\CFScript.txt
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\hifavemu.dll
c:\windows\system32\lupojuki.dll
c:\windows\system32\yiyerufe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marc-MSU\Application Data\FrostWire
c:\documents and settings\Marc-MSU\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
c:\documents and settings\Marc-MSU\Application Data\FrostWire\checkandupdate.txt
c:\documents and settings\Marc-MSU\Application Data\FrostWire\createtimes.cache
c:\documents and settings\Marc-MSU\Application Data\FrostWire\data.ser
c:\documents and settings\Marc-MSU\Application Data\FrostWire\downloads.dat
c:\documents and settings\Marc-MSU\Application Data\FrostWire\fileurns.bak
c:\documents and settings\Marc-MSU\Application Data\FrostWire\fileurns.cache
c:\documents and settings\Marc-MSU\Application Data\FrostWire\filters.props
c:\documents and settings\Marc-MSU\Application Data\FrostWire\frostwire.props
c:\documents and settings\Marc-MSU\Application Data\FrostWire\gnutella.net
c:\documents and settings\Marc-MSU\Application Data\FrostWire\installation.props
c:\documents and settings\Marc-MSU\Application Data\FrostWire\intent.props
c:\documents and settings\Marc-MSU\Application Data\FrostWire\library.dat
c:\documents and settings\Marc-MSU\Application Data\FrostWire\mojito.props
c:\documents and settings\Marc-MSU\Application Data\FrostWire\pub1.key
c:\documents and settings\Marc-MSU\Application Data\FrostWire\public.key
c:\documents and settings\Marc-MSU\Application Data\FrostWire\questions.props
c:\documents and settings\Marc-MSU\Application Data\FrostWire\responses.cache
c:\documents and settings\Marc-MSU\Application Data\FrostWire\secureMessage.key
c:\documents and settings\Marc-MSU\Application Data\FrostWire\simpp.xml
c:\documents and settings\Marc-MSU\Application Data\FrostWire\spam.dat
c:\documents and settings\Marc-MSU\Application Data\FrostWire\tables.props
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme.skin
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\author.txt
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\chat.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\dir_closed.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\dir_open.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\forward_dn.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\forward_up.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\kill.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\kill_on.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\mm_header.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\pause_dn.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\pause_up.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\play_dn.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\play_up.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\question.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\rewind_dn.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\rewind_up.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\stop_dn.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\stop_up.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\theme.txt
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\CarbonClassic_theme\warning.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\frostwire_theme.skin
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\frostwire_theme\kill.png
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\frostwire_theme\kill_on.png
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\frostwire_theme\theme.txt
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\frostwirePro_theme.fwtp
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\frostwirePro_theme.skin
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\frostwirePro_theme\kill.png
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\frostwirePro_theme\kill_on.png
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\frostwirePro_theme\theme.txt
c:\documents and settings\Marc-MSU\Application Data\FrostWire\themes\frostwirePro_theme\version.txt
c:\documents and settings\Marc-MSU\Application Data\FrostWire\ttree.cache
c:\documents and settings\Marc-MSU\Application Data\FrostWire\ttrees.cache
c:\documents and settings\Marc-MSU\Application Data\FrostWire\ttroot.cache
c:\documents and settings\Marc-MSU\Application Data\FrostWire\version.key
c:\documents and settings\Marc-MSU\Application Data\FrostWire\version.xml
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\data\audio.sxml2
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\data\delete_me
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\misc\application.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\misc\audio.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\misc\document.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\misc\image.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\misc\video.gif
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\schemas\application.xsd
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\schemas\audio.xsd
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\schemas\document.xsd
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\schemas\image.xsd
c:\documents and settings\Marc-MSU\Application Data\FrostWire\xml\schemas\video.xsd
c:\windows\system32\lupojuki.dll
c:\windows\system32\yiyerufe.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-29 11:42 . 2009-03-29 11:42 <DIR> d-------- c:\program files\ERUNT
2009-03-22 19:32 . 2009-03-22 19:35 <DIR> d-------- c:\program files\FL music
2009-03-22 15:52 . 2009-03-22 15:52 <DIR> d-------- c:\program files\ASIO4ALL v2
2009-03-22 15:47 . 2009-03-22 15:47 <DIR> d-------- c:\program files\VstPlugins
2009-03-22 15:47 . 2002-07-07 18:14 1,294,336 --a------ c:\windows\system32\vorbis.acm
2009-03-22 15:47 . 2006-06-20 04:56 225,280 --a------ c:\windows\system32\rewire.dll
2009-03-22 15:46 . 2009-03-22 15:46 <DIR> d-------- c:\program files\Outsim
2009-03-22 15:45 . 2009-03-29 10:25 <DIR> d-------- c:\program files\Image-Line
2009-02-20 16:05 . 2008-12-02 23:13 165,200 --a------ c:\documents and settings\Marc-MSU\_ImagineUpdate.exe
2009-02-16 10:22 . 2009-02-16 10:22 <DIR> d-------- c:\program files\Common Files\DirectX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 22:08 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-31 07:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 02:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-14 23:01 --------- d-----w c:\program files\Starcraft
2009-03-02 16:10 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-25 23:03 --------- d-----w c:\program files\DivX
2007-06-28 18:00 15,505,200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe
2006-05-22 00:06 37,311,488 ----a-w c:\program files\iTunesSetup.exe
2006-05-17 22:39 8,715,352 ----a-w c:\program files\Install_AIM.exe
2005-11-08 20:04 1,145 ----a-w c:\program files\README.txt
2008-01-25 17:52 2 --shatr c:\windows\winstart.bat
2008-11-20 00:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111920081120\index.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-03-31_16.29.25.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-31 22:16:06 16,384 ----atw c:\windows\temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

[HKLM\~\startupfolder\C:^Documents and Settings^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Start Menu^Programs^Startup^MEMonitor.lnk]
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-02-08 02:12 488984 c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-02-08 02:13 774168 c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-11-07 15:31 21633320 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-04-04 19:38 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Microsoft Games\\HCE\\haloce.exe"=
"c:\\Program Files\\Steam\\SteamApps\\allerka\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\allerka\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\AeriaGames\\ProjectTorque\\ProjectTorque.bin"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\MOM.exe"=

S2 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2005-04-07 10112]
S3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2005-04-07 9216]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-01-25 747912]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys --> c:\windows\system32\XDva158.sys [?]
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys --> c:\windows\system32\XDva164.sys [?]
S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys --> c:\windows\system32\XDva165.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva201;XDva201;\??\c:\windows\system32\XDva201.sys --> c:\windows\system32\XDva201.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 16:31]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-biniforifa - c:\windows\system32\yiyerufe.dll


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Marc-MSU\Application Data\Mozilla\Firefox\Profiles\7lbz2wc9.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Marc-MSU\Application Data\Mozilla\Firefox\Profiles\7lbz2wc9.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\Marc-MSU\Application Data\Mozilla\Firefox\Profiles\7lbz2wc9.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 18:16:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dllhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-03-31 18:20:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 22:20:48
ComboFix2.txt 2009-03-31 20:30:46
ComboFix3.txt 2009-01-18 17:04:15
ComboFix4.txt 2009-01-16 22:04:16
ComboFix5.txt 2009-03-31 22:11:38

Pre-Run: 81,003,859,968 bytes free
Post-Run: 80,983,527,424 bytes free

241
MrPositive
2009-04-01, 02:42
Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 3

3/31/2009 7:40:37 PM
mbam-log-2009-03-31 (19-40-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 261828
Time elapsed: 47 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\chmgurid.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tlngqm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wbdrmybv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wpv911231601469.cpx.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ikxcnm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mokehohi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rapipgev.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4927DCB-FB28-4077-AE7D-6EBCF55404BE}\RP385\A0072070.exe (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4927DCB-FB28-4077-AE7D-6EBCF55404BE}\RP392\A0078019.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4927DCB-FB28-4077-AE7D-6EBCF55404BE}\RP392\A0078021.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4927DCB-FB28-4077-AE7D-6EBCF55404BE}\RP392\A0078022.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4927DCB-FB28-4077-AE7D-6EBCF55404BE}\RP392\A0078024.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4927DCB-FB28-4077-AE7D-6EBCF55404BE}\RP392\A0078026.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4927DCB-FB28-4077-AE7D-6EBCF55404BE}\RP468\A0091081.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4927DCB-FB28-4077-AE7D-6EBCF55404BE}\RP468\A0091151.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\baniwiki.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bujusufe.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hegubagu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\joyiwila.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rosobogu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.


and I'll have the HJT log after I restart my computer
MrPositive
2009-04-01, 02:48
And there you go. My computer is running much smoother now and I greatly appreciate the help. Keep up the good work

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:47 PM, on 3/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201273588671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161277424156
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6589 bytes
pskelley
2009-04-01, 15:22
Sounds good:bigthumb: let's see if we can wrap up like this:

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update Norton AntiVirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx