
Thread: I also need help with Vundo

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    I also need help with Vundo

    I would first like to say thank you for how wonderful Spybot truly is!

    I tried to remove the 2 Vundo viruses I have with Spybot on system startup. Seems to work for a while, but then it pops back up.

    Here is my HijackThis file you need.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:48:55 PM, on 1/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\KSU CISCO VPN Client\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Logitech\G-series Software\LGDCore.exe
    C:\Program Files\Logitech\G-series Software\LCDMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
    C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {b3499eb2-72f9-40d8-a0b1-c6b365132b25} - C:\WINDOWS\system32\kanuvopi.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CPM231aa6fd] Rundll32.exe "c:\windows\system32\hoziroki.dll",a
    O4 - HKLM\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\wufasugu.dll",s
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9526] command /c del "c:\windows\system32\hoziroki.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3655] cmd /c del "c:\windows\system32\hoziroki.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKUS\S-1-5-19\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\wufasugu.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\wufasugu.dll",s (User 'NETWORK SERVICE')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7AFEA2E8-348C-41F5-B044-350B84C7D155}: NameServer = 65.24.7.10,65.24.7.11
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: WIKI.DLL c:\windows\system32\kusitozo.dll C:\WINDOWS\system32\fohesale.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\ c:\windows\system32\hoziroki.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hoziroki.dll (file missing)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hoziroki.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: KSU CISCO VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\KSU CISCO VPN Client\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 13526 bytes


    I would like to thank you all in advance for any help you are able to give me! I will disable my anti-virus programs when needed.

    Correction, I mean Virtumonde.
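Added example for this thread, not code from HijackThis, Spybot or the poster: a small Python triage script run over a handful of lines copied from the HijackThis log above. It flags the loading points this Vundo/Virtumonde infection is using (O2 BHOs, O4 Run keys, O20 AppInit_DLLs, O21 SSODL and O22 SharedTaskScheduler) when they point at a system32 DLL with a random-looking eight-letter consonant/vowel name such as kanuvopi.dll or hoziroki.dll, and it separately lists orphaned entries whose file is already missing. The name heuristic is my assumption, not a HijackThis rule, and it can produce false positives (setupapi.dll fits the letter pattern), so a flagged DLL is a candidate to verify by file hash and digital signature, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (added example, not the tool's own code)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {b3499eb2-72f9-40d8-a0b1-c6b365132b25} - C:\WINDOWS\system32\kanuvopi.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPM231aa6fd] Rundll32.exe "c:\windows\system32\hoziroki.dll",a
O4 - HKUS\S-1-5-19\..\Run: [komidowomu] Rundll32.exe "C:\WINDOWS\system32\wufasugu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: WIKI.DLL c:\windows\system32\kusitozo.dll C:\WINDOWS\system32\fohesale.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\ c:\windows\system32\hoziroki.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hoziroki.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis sections that register code to start automatically (a subset).
LOADING_POINTS = {"O2", "O3", "O4", "O20", "O21", "O22", "O23"}

# Heuristic (my assumption, not a HijackThis rule): the DLLs in this log are eight
# letters of strictly alternating consonant/vowel, e.g. kanuvopi, hoziroki, wufasugu.
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# Any DLL referenced under the system32 directory, case-insensitive.
SYS32_DLL = re.compile(r"[a-z]:\\windows\\system32\\([a-z0-9_~]+)\.dll", re.I)
# "O4 - <rest of line>" or "R1 - <rest of line>".
LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str
    dll: str = ""  # lower-case DLL base name when the finding is about a DLL


def looks_random(name: str) -> bool:
    """True if the base name fits the consonant/vowel pattern seen in this log."""
    return CV_NAME.match(name.lower()) is not None


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one HijackThis log line (empty if it looks benign)."""
    m = LINE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    if section not in LOADING_POINTS:
        return []
    findings = []
    for dll in SYS32_DLL.findall(body):
        if looks_random(dll):
            findings.append(Finding(section, f"random-looking system32 DLL {dll.lower()}.dll",
                                    line, dll.lower()))
    if "(no file)" in body or "(file missing)" in body:
        findings.append(Finding(section, "orphaned entry: registered file is missing", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over a whole log and flatten the findings."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def random_dlls(findings: list[Finding]) -> list[str]:
    """Distinct flagged DLL base names, sorted, as a list to verify by hash/signature."""
    return sorted({f.dll for f in findings if f.dll})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line.strip()}")
    print("verify by hash/signature:", ", ".join(n + ".dll" for n in random_dlls(results)))
```

Against the nine sample lines the script reports nine findings and five distinct DLL names; the legitimate NvCpl.dll and Bonjour entries are not flagged. The same five names recur in the O20 AppInit_DLLs line and the O21/O22 entries, which is why Spybot's startup-time deletion kept being undone: each remaining loader re-registers the others.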

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi DrunkenTso


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Jan 2009
    Posts
    13


    ComboFix log:

    ComboFix 09-01-05.05 - Owner 2009-01-06 10:04:03.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.964 [GMT -5:00]
    Running from: c:\documents and settings\Owner\My Documents\download\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\My Documents\download\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
    * Created a new restore point
    .
    The following files were disabled during the run:
    c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Owner\Application Data\inst.exe
    c:\documents and settings\Owner\My Documents\My Music\My Music.url
    c:\documents and settings\Owner\My Documents\My Pictures\My Pictures.url
    c:\documents and settings\Owner\My Documents\My Videos\My Video.url
    c:\windows\system32\~.exe
    c:\windows\system32\adamehuy.ini
    c:\windows\system32\atubamen.ini
    c:\windows\system32\derinade.dll
    c:\windows\system32\drivers\ss.sys
    c:\windows\system32\edanired.ini
    c:\windows\system32\evovagor.ini
    c:\windows\system32\gujoyame.dll
    c:\windows\system32\ifoyikun.ini
    c:\windows\system32\igidobum.ini
    c:\windows\system32\jezemimu.dll
    c:\windows\system32\leridamu.dll
    c:\windows\system32\mizukoni.dll
    c:\windows\system32\mubodigi.dll
    c:\windows\system32\nemabuta.dll
    c:\windows\system32\nukiyofi.dll
    c:\windows\system32\ojaladef.ini
    c:\windows\system32\olujerur.ini
    c:\windows\system32\ototuyay.ini
    c:\windows\system32\ovuzayat.ini
    c:\windows\system32\palozora.dll
    c:\windows\system32\parahuri.dll
    c:\windows\system32\rurejulo.dll
    c:\windows\system32\terobila.dll
    c:\windows\system32\ubifadod.ini
    c:\windows\system32\ukezaniy.ini
    c:\windows\system32\usojovaj.ini
    c:\windows\system32\vavanoho.dll
    c:\windows\system32\yifulose.dll
    c:\windows\system32\yinazeku.dll
    c:\windows\system32\yuhemada.dll
    D:\Autorun.inf

    ----- BITS: Possible infected sites -----

    hxxp://77.74.48.101
    .
    ((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
    .

    2009-01-04 00:03 . 2004-07-26 16:16 1,568,768 --------- c:\windows\system32\ImagX7.dll
    2009-01-04 00:03 . 2004-07-26 16:16 476,320 --------- c:\windows\system32\ImagXpr7.dll
    2009-01-04 00:03 . 2004-07-26 16:16 471,040 --------- c:\windows\system32\ImagXRA7.dll
    2009-01-04 00:03 . 2004-07-09 08:43 364,544 --------- c:\windows\system32\TwnLib4.dll
    2009-01-04 00:03 . 2004-07-26 16:16 262,144 --------- c:\windows\system32\ImagXR7.dll
    2009-01-04 00:03 . 2001-07-09 10:50 155,648 --a------ c:\windows\system32\NeroCheck.exe
    2009-01-04 00:03 . 2000-06-26 10:45 106,496 --a------ c:\windows\system32\TwnLib20.dll
    2009-01-04 00:02 . 2009-01-04 00:02 <DIR> d-------- c:\program files\Common Files\Ahead
    2009-01-04 00:02 . 2009-01-04 00:03 <DIR> d-------- c:\program files\Ahead
    2009-01-02 19:11 . 2009-01-02 19:11 <DIR> d-------- c:\program files\Western Digital
    2009-01-02 19:10 . 2009-01-02 19:10 <DIR> d-------- c:\program files\Western Digital Technologies
    2009-01-01 18:31 . 2009-01-01 18:31 2,713 ---hs---- c:\windows\system32\gilefede.exe
    2009-01-01 11:07 . 2009-01-01 11:07 <DIR> d-------- c:\program files\Trend Micro
    2008-12-28 20:54 . 2009-01-04 20:52 <DIR> d-------- c:\documents and settings\Owner\Application Data\CyberLink
    2008-12-28 20:53 . 2009-01-04 20:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
    2008-12-27 17:14 . 2009-01-05 15:25 69 --a------ c:\windows\NeroDigital.ini
    2008-12-26 22:59 . 2008-12-26 22:59 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield
    2008-12-26 22:36 . 2008-12-26 22:36 <DIR> d-------- c:\program files\Logitech
    2008-12-26 22:32 . 2008-12-26 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
    2008-12-26 22:31 . 2008-12-26 22:31 0 --a------ c:\windows\LCDMedia.INI
    2008-12-26 22:15 . 2008-12-26 22:15 169 --a------ c:\windows\RtlRack.ini
    2008-12-26 21:53 . 2008-12-26 21:53 <DIR> d-------- c:\program files\DVDFab 5
    2008-12-26 21:53 . 2008-12-26 21:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\Vso
    2008-12-26 21:53 . 2008-12-26 21:53 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
    2008-12-26 21:53 . 2008-12-26 21:53 47,360 --a------ c:\documents and settings\Owner\Application Data\pcouffin.sys
    2008-12-26 21:48 . 2008-12-26 21:48 <DIR> d-------- c:\program files\DVD Shrink
    2008-12-26 21:48 . 2008-12-26 21:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD Shrink
    2008-12-26 21:31 . 2008-12-26 21:37 <DIR> d-------- c:\program files\lg_fwupdate
    2008-12-26 21:31 . 1998-06-24 00:00 115,016 --a------ c:\windows\system32\MSINET.OCX
    2008-12-26 21:31 . 1998-07-22 00:00 102,912 --a------ c:\windows\system32\Vb6stkit.dll
    2008-12-26 21:31 . 1998-07-22 00:00 102,160 --a------ c:\windows\system32\VB6KO.DLL
    2008-12-26 21:31 . 2006-02-17 14:19 16,384 --a------ c:\windows\system32\lgfwunis.exe
    2008-12-26 21:31 . 2008-12-26 21:38 319 --a------ c:\windows\lgfwup.ini
    2008-12-26 21:27 . 2008-12-26 21:27 <DIR> d-------- c:\program files\Common Files\LightScribe
    2008-12-26 21:22 . 2009-01-04 20:52 <DIR> d-------- C:\MyWorks
    2008-12-26 21:22 . 2004-10-01 15:00 40,960 --a------ c:\program files\Uninstall_CDS.exe
    2008-12-26 21:21 . 2009-01-04 00:10 <DIR> d-------- c:\program files\CyberLink DVD Solution
    2008-12-23 11:08 . 2008-12-23 11:09 <DIR> d-------- c:\program files\iTunes
    2008-12-23 11:08 . 2008-12-23 11:08 <DIR> d-------- c:\program files\iPod
    2008-12-23 11:08 . 2008-12-23 11:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-12-20 23:26 . 2008-12-20 23:26 <DIR> d-------- c:\documents and settings\Owner\Application Data\DAEMON Tools Lite
    2008-12-20 23:26 . 2008-12-20 23:26 717,296 --a------ c:\windows\system32\drivers\sptd.sys
    2008-12-07 23:12 . 2008-12-07 23:12 <DIR> d-------- c:\documents and settings\Owner\Application Data\Yahoo!
    2008-12-07 23:11 . 2008-12-23 11:56 <DIR> d-------- c:\program files\Yahoo!
    2008-12-07 23:11 . 2008-12-23 00:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
    2008-12-06 11:00 . 2008-12-06 11:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-06 14:37 --------- d-----w c:\program files\uTorrent
    2009-01-06 14:36 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
    2009-01-06 03:26 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
    2009-01-04 05:10 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-01 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
    2008-12-27 08:10 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
    2008-12-27 03:33 --------- d-----w c:\program files\McAfee
    2008-12-27 03:33 --------- d-----w c:\program files\Common Files\McAfee
    2008-12-27 02:22 --------- d-----w c:\program files\CyberLink
    2008-12-23 16:08 --------- d-----w c:\program files\Common Files\Apple
    2008-12-23 16:03 --------- d-----w c:\program files\QuickTime
    2008-12-12 15:52 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-06 16:02 --------- d-----w c:\program files\AIM6
    2008-12-06 15:58 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
    2008-11-27 17:33 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
    2008-11-20 18:01 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-06-04 22:48 256 -c--a-w c:\documents and settings\Owner\pool.bin
    1601-01-01 00:12 35,840 -csha-w c:\windows\system32\fobigipo.dll
    1601-01-01 00:12 22,528 --sha-w c:\windows\system32\lesozese.dll
    1601-01-01 00:12 102,400 -csha-w c:\windows\system32\merilaro.dll
    1601-01-01 00:12 16,384 --sha-w c:\windows\system32\metigime.dll
    2008-08-19 16:37 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
    "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2005-08-23 1110079]
    "Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2005-08-23 188416]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-22 185896]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ KSU CISCO VPN Client.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    --a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a--c--- 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-07-22 18:57 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1212465230\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Call Graph\\CallGraph.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

    S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\VCdRom.sys --> c:\windows\system32\VCdRom.sys [?]
    S3 BKNDIS5;BKNDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\F5D9050\BKNDIS5.SYS [2008-08-13 15872]
    S3 S3chipid;S3chipid;\??\c:\docume~1\Owner\LOCALS~1\Temp\{2B43252C-A1E3-4C47-927C-9F2C276D3515}\S3chipid.sys --> c:\docume~1\Owner\LOCALS~1\Temp\{2B43252C-A1E3-4C47-927C-9F2C276D3515}\S3chipid.sys [?]
    S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7d77d28-d92a-11dd-9454-001150e29773}]
    \Shell\AutoRun\command - k:\wd_windows_tools\WDSetup.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-01-06 c:\windows\Tasks\At1.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At10.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At11.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At12.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At13.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At14.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At15.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At16.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At17.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At18.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At19.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At2.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At20.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At21.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At22.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At23.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At24.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At3.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At4.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At5.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At6.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At7.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At8.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At9.job
    - c:\windows\system32\cLjq2d75.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{b3499eb2-72f9-40d8-a0b1-c6b365132b25} - c:\windows\system32\parahuri.dll
    HKCU-Run-Aim6 - (no file)
    HKLM-Run-komidowomu - c:\windows\system32\darunuwe.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
    uDefault_Search_URL = hxxp://windiwsfsearch.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    mSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearchURL = hxxp://windiwsfsearch.com
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
    TCP: {7AFEA2E8-348C-41F5-B044-350B84C7D155} = 65.24.7.10,65.24.7.11
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\b9pbcj7t.default\
    FF - prefs.js: browser.startup.homepage - hxxp://flashmail.kent.edu
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\b9pbcj7t.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-06 10:09:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\KSU CISCO VPN Client\VPN Client\cvpnd.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee.com\Agent\Mcdetect.exe
    c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\progra~1\McAfee.com\Agent\McTskshd.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\Logitech\G-series Software\Applets\LCDMedia.exe
    c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-06 10:13:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-06 15:13:45

    Pre-Run: 85,381,947,392 bytes free
    Post-Run: 85,541,302,272 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    331 --- E O F --- 2008-12-18 00:24:53


    HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:15:14 AM, on 1/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\KSU CISCO VPN Client\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\Logitech\G-series Software\LGDCore.exe
    C:\Program Files\Logitech\G-series Software\LCDMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7AFEA2E8-348C-41F5-B044-350B84C7D155}: NameServer = 65.24.7.10,65.24.7.11
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: KSU CISCO VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\KSU CISCO VPN Client\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 11348 bytes


    It may take me longer to reply, as my desktop (the infected computer) will now no longer connect to our wireless network, so there will be a lot of switching back and forth.

    Thank you.

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Before we do any further cleaning there's one thing you have to do.

    You seem to have installed the Recovery Console meant for XP Professional Edition while yours is Home Edition. Please follow the instructions below to remove the wrong Recovery Console. Then run ComboFix again with the correct Recovery Console version and post its report & a fresh HJT log.

    Removing the Recovery Console

    * Restart your computer, click Start, click My Computer, and then double-click the hard disk on which you installed the Recovery Console.
    * On the Tools menu, click Folder Options, and then click the View tab.
    * Click Show hidden files and folders, click to clear the Hide protected operating system files check box, and then click OK.
    * At the root folder, delete the Cmdcons folder and the Cmldr file.
    * At the root folder, right-click the Boot.ini file, and then click Properties.
    * Click to clear the Read-only check box, and then click OK.
    * WARNING: Modifying the Boot.ini file incorrectly may prevent your computer from restarting. Be sure to delete only the entry for the Recovery Console. Also, it is recommended that you change the attribute for the Boot.ini file back to a read-only state after you complete this procedure. Open the Boot.ini file in Microsoft Windows Notepad, and remove the entry for the Recovery Console. It looks similar to this:

    C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
    * Save the file and close it.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
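    A check for what Blade81 spotted in the ComboFix log (a Professional-edition Recovery Console boot disk on a Home Edition install) together with the boot.ini edit from the steps above, as an added example that is not part of the thread or of ComboFix. The log excerpt is constructed from the lines quoted in the thread; inferring the edition from the KB310994 package name and from the entry description is my assumption, not something ComboFix reports.

```python
"""Flag a wrong-edition Recovery Console in a ComboFix log tail and build the
boot.ini that remains once the Recovery Console entry is removed.

Added example, not part of the thread. The edition inference below
(package name -> installer edition, entry description -> Windows edition)
is an assumption of this script."""
import re

# Constructed sample: the tail of the ComboFix report as posted in the thread.
COMBOFIX_TAIL = """\
Pre-Run: 85,381,947,392 bytes free
Post-Run: 85,541,302,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
c:\\cmdcons\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
"""

# The KB310994 boot-disk package name carries the edition it was built for.
BOOTDISK_RE = re.compile(
    r"WindowsXP-KB310994-SP\d-(?P<edition>Pro|Home)-BootDisk-\w+\.exe", re.I)
# An [operating systems] entry: target, ="description", then boot switches.
OS_ENTRY_RE = re.compile(r'^(?P<target>[^=]+)="(?P<desc>[^"]*)"(?P<switches>.*)$')


def extract_boot_ini(log_text):
    """Return the boot.ini lines ComboFix echoes after the boot-disk name."""
    lines = log_text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "[boot loader]")
    except StopIteration:
        return []
    ini = []
    for line in lines[start:]:
        if not line.strip():
            break  # the ini is printed as one contiguous block
        ini.append(line.rstrip())
    return ini


def recovery_console_entries(ini_lines):
    """Entries under [operating systems] that boot the Recovery Console (/cmdcons)."""
    entries, in_os = [], False
    for line in ini_lines:
        if line.lower().startswith("[operating systems]"):
            in_os = True
            continue
        if line.startswith("["):
            in_os = False
            continue
        m = OS_ENTRY_RE.match(line)
        if in_os and m and "/cmdcons" in m.group("switches").lower():
            entries.append(line)
    return entries


def installed_windows_edition(ini_lines):
    """'Home' or 'Pro' from the Windows entry's description, else None."""
    for line in ini_lines:
        m = OS_ENTRY_RE.match(line)
        if m and "/cmdcons" not in m.group("switches").lower():
            desc = m.group("desc")
            if "Home" in desc:
                return "Home"
            if "Professional" in desc:
                return "Pro"
    return None


def check_recovery_console(log_text):
    """Return (installer_edition, windows_edition, mismatch).

    Either edition is None when the log lacks the relevant line; mismatch is
    True only when both were found and differ, which is the case in the thread."""
    m = BOOTDISK_RE.search(log_text)
    installer = m.group("edition").capitalize() if m else None
    windows = installed_windows_edition(extract_boot_ini(log_text))
    mismatch = installer is not None and windows is not None and installer != windows
    return installer, windows, mismatch


def remove_recovery_console(ini_lines):
    """boot.ini with the /cmdcons entry dropped, as the removal step describes.

    Refuses to edit if default= points at the console entry, since that would
    leave the machine defaulting to a loader that is about to be deleted."""
    console = recovery_console_entries(ini_lines)
    default = next((l.split("=", 1)[1].strip() for l in ini_lines
                    if l.lower().startswith("default=")), None)
    for entry in console:
        if default and entry.split("=", 1)[0].strip().lower() == default.lower():
            raise ValueError("default= points at the Recovery Console entry; fix that first")
    return [l for l in ini_lines if l not in console]


if __name__ == "__main__":
    installer, windows, mismatch = check_recovery_console(COMBOFIX_TAIL)
    print(f"installer edition: {installer}, Windows edition: {windows}")
    if mismatch:
        print("Mismatch: remove this Recovery Console and install the matching edition")
        for line in remove_recovery_console(extract_boot_ini(COMBOFIX_TAIL)):
            print(line)
```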

  5. #5
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    Default

    I am unable to delete the Cmdcons folder. How should I proceed?

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Try following the other part of the instructions (skip over deleting the Cmdcons folder).

  7. #7
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    Default

    All the other parts of the instructions worked.

  8. #8
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    Default

    Cmldr is deleted and the Boot.ini is modified and returned to read-only.

  9. #9
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Then please run ComboFix with the correct Recovery Console and post back the logs as instructed.

  10. #10
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    Default

    I can't get the XP Home Recovery Console to install. I had to download the file on another computer and transfer it, and it will not set up the Recovery Console though.

    Combo log:
    ComboFix 09-01-05.05 - Owner 2009-01-06 11:38:40.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1627 [GMT -5:00]
    Running from: c:\documents and settings\Owner\My Documents\download\ComboFix.exe
    AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    The following files were disabled during the run:
    c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll


    ((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
    .

    2009-01-06 11:11 . 2009-01-06 11:11 <DIR> d-------- c:\program files\Belkin
    2009-01-06 11:11 . 2009-01-06 11:11 21,275 --a------ c:\windows\system32\drivers\AegisP.sys
    2009-01-06 11:11 . 2005-11-30 11:33 2,048 --------- c:\windows\system32\drivers\rt73.bin
    2009-01-06 11:10 . 2009-01-06 11:10 <DIR> d-------- c:\program files\BelkinUpdate
    2009-01-04 00:03 . 2004-07-26 16:16 1,568,768 --------- c:\windows\system32\ImagX7.dll
    2009-01-04 00:03 . 2004-07-26 16:16 476,320 --------- c:\windows\system32\ImagXpr7.dll
    2009-01-04 00:03 . 2004-07-26 16:16 471,040 --------- c:\windows\system32\ImagXRA7.dll
    2009-01-04 00:03 . 2004-07-09 08:43 364,544 --------- c:\windows\system32\TwnLib4.dll
    2009-01-04 00:03 . 2004-07-26 16:16 262,144 --------- c:\windows\system32\ImagXR7.dll
    2009-01-04 00:03 . 2001-07-09 10:50 155,648 --a------ c:\windows\system32\NeroCheck.exe
    2009-01-04 00:03 . 2000-06-26 10:45 106,496 --a------ c:\windows\system32\TwnLib20.dll
    2009-01-04 00:02 . 2009-01-04 00:02 <DIR> d-------- c:\program files\Common Files\Ahead
    2009-01-04 00:02 . 2009-01-04 00:03 <DIR> d-------- c:\program files\Ahead
    2009-01-02 19:11 . 2009-01-02 19:11 <DIR> d-------- c:\program files\Western Digital
    2009-01-02 19:10 . 2009-01-02 19:10 <DIR> d-------- c:\program files\Western Digital Technologies
    2009-01-01 18:31 . 2009-01-01 18:31 2,713 ---hs---- c:\windows\system32\gilefede.exe
    2009-01-01 11:07 . 2009-01-01 11:07 <DIR> d-------- c:\program files\Trend Micro
    2008-12-28 20:54 . 2009-01-04 20:52 <DIR> d-------- c:\documents and settings\Owner\Application Data\CyberLink
    2008-12-28 20:53 . 2009-01-04 20:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
    2008-12-27 17:14 . 2009-01-05 15:25 69 --a------ c:\windows\NeroDigital.ini
    2008-12-26 22:59 . 2008-12-26 22:59 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield
    2008-12-26 22:36 . 2008-12-26 22:36 <DIR> d-------- c:\program files\Logitech
    2008-12-26 22:32 . 2008-12-26 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
    2008-12-26 22:31 . 2008-12-26 22:31 0 --a------ c:\windows\LCDMedia.INI
    2008-12-26 22:15 . 2008-12-26 22:15 169 --a------ c:\windows\RtlRack.ini
    2008-12-26 21:53 . 2008-12-26 21:53 <DIR> d-------- c:\program files\DVDFab 5
    2008-12-26 21:53 . 2008-12-26 21:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\Vso
    2008-12-26 21:53 . 2008-12-26 21:53 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
    2008-12-26 21:53 . 2008-12-26 21:53 47,360 --a------ c:\documents and settings\Owner\Application Data\pcouffin.sys
    2008-12-26 21:48 . 2008-12-26 21:48 <DIR> d-------- c:\program files\DVD Shrink
    2008-12-26 21:48 . 2008-12-26 21:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD Shrink
    2008-12-26 21:31 . 2008-12-26 21:37 <DIR> d-------- c:\program files\lg_fwupdate
    2008-12-26 21:31 . 1998-06-24 00:00 115,016 --a------ c:\windows\system32\MSINET.OCX
    2008-12-26 21:31 . 1998-07-22 00:00 102,912 --a------ c:\windows\system32\Vb6stkit.dll
    2008-12-26 21:31 . 1998-07-22 00:00 102,160 --a------ c:\windows\system32\VB6KO.DLL
    2008-12-26 21:31 . 2006-02-17 14:19 16,384 --a------ c:\windows\system32\lgfwunis.exe
    2008-12-26 21:31 . 2008-12-26 21:38 319 --a------ c:\windows\lgfwup.ini
    2008-12-26 21:27 . 2008-12-26 21:27 <DIR> d-------- c:\program files\Common Files\LightScribe
    2008-12-26 21:22 . 2009-01-04 20:52 <DIR> d-------- C:\MyWorks
    2008-12-26 21:22 . 2004-10-01 15:00 40,960 --a------ c:\program files\Uninstall_CDS.exe
    2008-12-26 21:21 . 2009-01-04 00:10 <DIR> d-------- c:\program files\CyberLink DVD Solution
    2008-12-23 11:08 . 2008-12-23 11:09 <DIR> d-------- c:\program files\iTunes
    2008-12-23 11:08 . 2008-12-23 11:08 <DIR> d-------- c:\program files\iPod
    2008-12-23 11:08 . 2008-12-23 11:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-12-20 23:26 . 2008-12-20 23:26 <DIR> d-------- c:\documents and settings\Owner\Application Data\DAEMON Tools Lite
    2008-12-20 23:26 . 2008-12-20 23:26 717,296 --a------ c:\windows\system32\drivers\sptd.sys
    2008-12-07 23:12 . 2008-12-07 23:12 <DIR> d-------- c:\documents and settings\Owner\Application Data\Yahoo!
    2008-12-07 23:11 . 2008-12-23 11:56 <DIR> d-------- c:\program files\Yahoo!
    2008-12-07 23:11 . 2008-12-23 00:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
    2008-12-06 11:00 . 2008-12-06 11:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-06 14:37 --------- d-----w c:\program files\uTorrent
    2009-01-06 14:36 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
    2009-01-06 03:26 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
    2009-01-04 05:10 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-01 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
    2008-12-27 08:10 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
    2008-12-27 03:33 --------- d-----w c:\program files\McAfee
    2008-12-27 03:33 --------- d-----w c:\program files\Common Files\McAfee
    2008-12-27 02:22 --------- d-----w c:\program files\CyberLink
    2008-12-23 16:08 --------- d-----w c:\program files\Common Files\Apple
    2008-12-23 16:03 --------- d-----w c:\program files\QuickTime
    2008-12-12 15:52 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-06 16:02 --------- d-----w c:\program files\AIM6
    2008-12-06 15:58 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
    2008-11-27 17:33 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
    2008-11-20 18:01 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-06-04 22:48 256 -c--a-w c:\documents and settings\Owner\pool.bin
    1601-01-01 00:12 35,840 -csha-w c:\windows\system32\fobigipo.dll
    1601-01-01 00:12 22,528 --sha-w c:\windows\system32\lesozese.dll
    1601-01-01 00:12 102,400 -csha-w c:\windows\system32\merilaro.dll
    1601-01-01 00:12 16,384 --sha-w c:\windows\system32\metigime.dll
    2008-08-19 16:37 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-06_10.12.55.75 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2006-03-02 23:04:30 1,425,499 ----a-w c:\windows\system32\AegisE5.dll
    + 2005-12-15 15:38:48 315,392 ----a-w c:\windows\system32\AegisI5.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
    "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2005-08-23 1110079]
    "Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2005-08-23 188416]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-22 185896]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Belkin Wireless Client Utility.lnk - c:\program files\Belkin\F5D9050\Belkinwcui.exe [2006-12-01 1585152]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ KSU CISCO VPN Client.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    --a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a--c--- 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-07-22 18:57 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1212465230\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Call Graph\\CallGraph.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

    S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\VCdRom.sys --> c:\windows\system32\VCdRom.sys [?]
    S3 BKNDIS5;BKNDIS5 NDIS Protocol Driver;\??\c:\progra~1\Belkin\F5D9050\BKNDIS5.SYS --> c:\progra~1\Belkin\F5D9050\BKNDIS5.SYS [?]
    S3 S3chipid;S3chipid;\??\c:\docume~1\Owner\LOCALS~1\Temp\{2B43252C-A1E3-4C47-927C-9F2C276D3515}\S3chipid.sys --> c:\docume~1\Owner\LOCALS~1\Temp\{2B43252C-A1E3-4C47-927C-9F2C276D3515}\S3chipid.sys [?]
    S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7d77d28-d92a-11dd-9454-001150e29773}]
    \Shell\AutoRun\command - k:\wd_windows_tools\WDSetup.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-01-06 c:\windows\Tasks\At1.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At10.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At11.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At12.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At13.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At14.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At15.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At16.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At17.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At18.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-05 c:\windows\Tasks\At19.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At2.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At20.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At21.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At22.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At23.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At24.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At3.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At4.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At5.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At6.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At7.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At8.job
    - c:\windows\system32\cLjq2d75.exe []

    2009-01-06 c:\windows\Tasks\At9.job
    - c:\windows\system32\cLjq2d75.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
    uDefault_Search_URL = hxxp://windiwsfsearch.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    mSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearchURL = hxxp://windiwsfsearch.com
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
    TCP: {7AFEA2E8-348C-41F5-B044-350B84C7D155} = 65.24.7.10,65.24.7.11
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\b9pbcj7t.default\
    FF - prefs.js: browser.startup.homepage - hxxp://flashmail.kent.edu
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\b9pbcj7t.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-06 11:41:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-01-06 11:43:01
    ComboFix-quarantined-files.txt 2009-01-06 16:42:25
    ComboFix2.txt 2009-01-06 15:13:58

    Pre-Run: 85,514,842,112 bytes free
    Post-Run: 85,507,051,520 bytes free

    279 --- E O F --- 2008-12-18 00:24:53



    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:42, on 2009-01-06
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\KSU CISCO VPN Client\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\Logitech\G-series Software\LGDCore.exe
    C:\Program Files\Logitech\G-series Software\LCDMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
    C:\WINDOWS\system32\CF11997.exe
    C:\WINDOWS\explorer.exe
    C:\ComboFix\hidec.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\ComboFix\pv.cfexe
    C:\ComboFix\Catchme.tmp

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Belkin Wireless Client Utility.lnk = C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7AFEA2E8-348C-41F5-B044-350B84C7D155}: NameServer = 65.24.7.10,65.24.7.11
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: KSU CISCO VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\KSU CISCO VPN Client\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 11375 bytes
