Virtumonde as usual

Twose · Dec 15, 2008

Spybot search and destroy sent me here for Virtumonde.I usually let antispy/malware take care of my problems, and this is the first time I've ever had anything as pervasive as Virtumonde, please help me get rid of it.

I've tried to follow the protocol in posting the Hijack This's Log, if I'm not doing something right let me know.

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:58 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.wikipedia.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.wikipedia.org
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214934510526
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: crsldy.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WindowsCOM++ - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se082.exe (file missing)
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 6231 bytes

Thanks

katana · Dec 20, 2008

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following

Download and Run RSIT

Please download Random's System Information Tool by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

Twose · Dec 20, 2008

First one:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Joseph at 2008-12-20 11:37:24
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 6 GB (8%) free of 73 GB
Total RAM: 1022 MB (34% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:35, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Joseph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Joseph\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joseph\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joseph\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joseph\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Joseph.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5E95ED8A-81BB-4100-BD93-60BB14E97048} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9A028B5B-5A6D-4C92-B76B-59213DDB28AF} - C:\WINDOWS\system32\mlJyYSlL.dll
O2 - BHO: (no name) - {A755A394-7DE6-4BDD-B7B8-87C4A134B5B4} - (no file)
O2 - BHO: (no name) - {F93E5F1D-5808-49A0-B70E-E2E644EF8484} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Joseph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214934510526
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: trglvr.dll anmyvz.dll wgkisv.dll cscwmi.dll fikpwl.dll
O20 - Winlogon Notify: bYoNfffE - bYoNfffE.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WindowsCOM++ - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se082.exe (file missing)
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 7302 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUser.job
C:\WINDOWS\tasks\sytgalgt.job
C:\WINDOWS\tasks\XoftSpy.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E95ED8A-81BB-4100-BD93-60BB14E97048}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A028B5B-5A6D-4C92-B76B-59213DDB28AF}]
C:\WINDOWS\system32\mlJyYSlL.dll [2008-12-13 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A755A394-7DE6-4BDD-B7B8-87C4A134B5B4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F93E5F1D-5808-49A0-B70E-E2E644EF8484}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"QBReminderFlash"=C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe []
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-06-10 249856]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe -atboottime []
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"FinePrint Dispatcher v5"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe [2006-06-13 499712]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2006-06-21 35328]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [2006-09-25 90112]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-14 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-10-14 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-10-14 114688]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-10-09 981904]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-06-01 94208]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"Eraser"=C:\Program Files\Eraser\eraser.exe [2006-08-07 634880]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"Aim6"= []
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]
"Google Update"=C:\Documents and Settings\Joseph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-15 133104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Icatch(VI) SnapDetect.lnk - C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="trglvr.dll anmyvz.dll wgkisv.dll cscwmi.dll fikpwl.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-12-16 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bYoNfffE]
bYoNfffE.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-10-14 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\mlJyYSlL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*

isabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*

isabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*

isabled:AOL"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*

isabled:Yahoo! FT Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Documents and Settings\Joseph\Desktop\chiputil1.exe"="C:\Documents and Settings\Joseph\Desktop\chiputil1.exe:*:Enabled:ChipUtil"
"C:\UnrealTournament\System\UnrealTournament.exe"="C:\UnrealTournament\System\UnrealTournament.exe:*:Enabled:UnrealTournament"
"C:\123\hl2.exe"="C:\123\hl2.exe:*

isabled:hl2"
"C:\Halflife\hl2.exe"="C:\Halflife\hl2.exe:*

isabled:hl2"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Diablo\diablo.exe"="C:\Diablo\diablo.exe:*:Enabled

iablo"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\Copy of mIRC\mirc.exe"="C:\Program Files\Copy of mIRC\mirc.exe:*:Enabled:mIRC"
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe"="C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdd5eaac-37cc-11dd-a902-000f66f3a9a2}]
shell\Auto\command - F:\Se082.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Se082.exe

======List of files/folders created in the last 1 months======

2008-12-20 11:37:24 ----DC---- C:\rsit
2008-12-19 12:19:20 ----SH---- C:\WINDOWS\system32\fgvfeiag.ini
2008-12-19 12:19:19 ----A---- C:\WINDOWS\system32\gaiefvgf.dll
2008-12-19 12:10:20 ----A---- C:\WINDOWS\system32\fikpwl.dll
2008-12-19 12:10:19 ----A---- C:\WINDOWS\system32\mcskjelo.dll
2008-12-18 12:16:19 ----A---- C:\WINDOWS\system32\uiddbeiu.dll
2008-12-18 12:10:24 ----SH---- C:\WINDOWS\system32\bdutukfl.ini
2008-12-17 11:04:19 ----SH---- C:\WINDOWS\system32\owhfakqu.ini
2008-12-17 11:01:18 ----A---- C:\WINDOWS\system32\ltqvfbbe.dll
2008-12-16 10:58:17 ----SH---- C:\WINDOWS\system32\lcwekbvv.ini
2008-12-16 10:52:50 ----A---- C:\WINDOWS\system32\qttxmpwe.dll
2008-12-16 08:34:19 ----ASH---- C:\WINDOWS\system32\LlSYyJlm.ini2
2008-12-16 08:11:33 ----A---- C:\WINDOWS\system32\tmp.txt
2008-12-16 08:11:21 ----AC---- C:\rapport.txt
2008-12-16 08:06:55 ----A---- C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2008-12-16 08:06:54 ----A---- C:\WINDOWS\system32\o4Patch.exe
2008-12-16 08:06:53 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2008-12-16 08:06:52 ----A---- C:\WINDOWS\system32\VACFix.exe
2008-12-16 08:06:52 ----A---- C:\WINDOWS\system32\404Fix.exe
2008-12-16 08:06:51 ----A---- C:\WINDOWS\system32\IEDFix.exe
2008-12-16 08:06:50 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2008-12-16 08:06:50 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2008-12-16 08:06:50 ----A---- C:\WINDOWS\system32\swxcacls.exe
2008-12-16 08:06:49 ----A---- C:\WINDOWS\system32\swsc.exe
2008-12-16 08:06:49 ----A---- C:\WINDOWS\system32\swreg.exe
2008-12-16 08:06:49 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2008-12-16 08:06:49 ----A---- C:\WINDOWS\system32\Process.exe
2008-12-16 08:06:49 ----A---- C:\WINDOWS\system32\dumphive.exe
2008-12-15 14:52:33 ----D---- C:\Program Files\Strategy First
2008-12-15 10:57:57 ----A---- C:\WINDOWS\system32\njqmfamh.dll
2008-12-15 10:52:12 ----A---- C:\WINDOWS\system32\trglvr.dll
2008-12-15 10:52:11 ----A---- C:\WINDOWS\system32\knkrjigo.dll
2008-12-14 18:46:41 ----D---- C:\Program Files\Trend Micro
2008-12-14 16:30:24 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-14 16:30:24 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-14 15:07:21 ----D---- C:\Documents and Settings\Joseph\Application Data\MailFrontier
2008-12-14 14:48:16 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-14 11:59:30 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-14 11:59:06 ----D---- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-12-14 11:37:43 ----D---- C:\Program Files\Copy of mIRC
2008-12-13 21:37:49 ----A---- C:\WINDOWS\system32\nyrknrgm.dll
2008-12-13 21:37:49 ----A---- C:\WINDOWS\system32\crsldy.dll
2008-12-13 21:37:21 ----A---- C:\WINDOWS\system32\bba7cd08-.txt
2008-12-13 21:36:50 ----ASH---- C:\WINDOWS\system32\LlSYyJlm.ini
2008-12-13 21:36:47 ----A---- C:\WINDOWS\system32\mlJyYSlL.dll
2008-12-13 21:31:40 ----A---- C:\WINDOWS\system32\~.exe
2008-12-09 17:39:25 ----A---- C:\WINDOWS\system32\zpeng25.dll
2008-11-29 20:57:14 ----D---- C:\Documents and Settings\Joseph\Application Data\InstallShield

======List of files/folders modified in the last 1 months======

2008-12-20 11:37:35 ----D---- C:\WINDOWS\Prefetch
2008-12-20 11:34:56 ----D---- C:\WINDOWS
2008-12-20 11:34:10 ----D---- C:\WINDOWS\Temp
2008-12-20 11:33:31 ----D---- C:\WINDOWS\Internet Logs
2008-12-20 11:33:12 ----D---- C:\WINDOWS\system32
2008-12-20 11:32:11 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-20 11:31:41 ----D---- C:\Program Files\Eraser
2008-12-20 11:30:58 ----D---- C:\Documents and Settings\Joseph\Application Data\Skype
2008-12-20 10:42:48 ----AC---- C:\rollback.ini
2008-12-19 05:20:39 ----D---- C:\WINDOWS\system32\ZoneLabs
2008-12-18 13:16:33 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-18 12:11:05 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-17 20:26:46 ----D---- C:\Program Files\mIRC
2008-12-15 14:52:33 ----RD---- C:\Program Files
2008-12-15 14:47:22 ----D---- C:\Program Files\Mozilla Firefox
2008-12-15 11:26:10 ----SD---- C:\WINDOWS\Tasks
2008-12-14 16:53:41 ----A---- C:\WINDOWS\wininit.ini
2008-12-14 14:59:16 ----D---- C:\WINDOWS\system32\drivers
2008-12-14 14:39:30 ----SHD---- C:\WINDOWS\Installer
2008-12-14 11:58:57 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-14 11:46:58 ----D---- C:\Program Files\Yahoo!
2008-12-14 11:46:36 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-12-14 11:45:12 ----D---- C:\Program Files\Common Files
2008-12-14 11:43:39 ----D---- C:\Documents and Settings\Joseph\Application Data\Mozilla
2008-12-14 11:17:59 ----DC---- C:\Diablo
2008-12-12 15:13:14 ----D---- C:\Documents and Settings\Joseph\Application Data\OpenOffice.org2
2008-12-10 18:08:00 ----D---- C:\Documents and Settings\Joseph\Application Data\Azureus
2008-12-09 17:38:06 ----D---- C:\WINDOWS\WinSxS
2008-12-08 10:30:05 ----D---- C:\Program Files\Bullfrog
2008-12-08 10:26:24 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-06 11:37:15 ----A---- C:\WINDOWS\NeroDigital.ini
2008-12-05 09:27:03 ----D---- C:\Documents and Settings\Joseph\Application Data\Adobe
2008-12-05 06:39:04 ----A---- C:\WINDOWS\win.ini
2008-12-05 05:56:29 ----D---- C:\Program Files\XoftSpy
2008-11-29 20:57:37 ----D---- C:\Documents and Settings\Joseph\Application Data\My Games
2008-11-29 20:47:07 ----D---- C:\Program Files\Turbine
2008-11-22 03:09:25 ----HD---- C:\WINDOWS\inf
2008-11-21 16:11:11 ----RSHD---- C:\WINDOWS\system32\dllcache

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2008-09-18 148496]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-10-09 353680]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-12-16 1918464]
R3 ATIAVAIW;ATI T200 Unified AVStream service; C:\WINDOWS\system32\DRIVERS\atinavt2.sys [2006-12-05 168832]
R3 BCM43XX;Linksys Wireless-G PCI Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-12-22 369024]
R3 CA561;ICatch VI PC CAMERA; C:\WINDOWS\System32\Drivers\SPCA561.SYS [2004-11-29 122928]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 aa1k3mvl;aa1k3mvl; C:\WINDOWS\system32\drivers\aa1k3mvl.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 dtscsi;dtscsi; C:\WINDOWS\System32\Drivers\dtscsi.sys []
S3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2005-06-13 162816]
S3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-10-14 1302812]
S3 MPE;BDA MPE Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-13 15232]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 MSW_USB;Microsoft Broadband Networking Wireless USB Driver; C:\WINDOWS\system32\DRIVERS\MSWUSB51.sys [2002-07-14 51712]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-12-16 434176]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-10-09 2405776]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2006-12-20 520192]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe []
S2 WindowsCOM++;WindowsCOM++; C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se082.exe []
S2 WMP54GSSVC;WMP54GSSVC; C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-06-08 208896]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

Second One:

info.txt logfile of random's system information tool 1.05 2008-12-20 11:38:11

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
AIM 6-->C:\Program Files\AIM6\uninst.exe
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->MsiExec.exe /I{B7777E08-1344-42E8-975B-6F541F9ADBD8}
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class

ISPLAY -clean
Azureus-->C:\Program Files\Azureus\Uninstall.exe
Baldur's Gate(TM) II - Shadows of Amn(TM) Bonus CD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{014585C8-7557-11D4-9ABA-006067325E47}\setup.exe"
Baldur's Gate(TM) II - Throne of Bhaal (TM)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C3B479-1716-11D5-968A-0050BA84F5F7}\Setup.exe"
Battle.net-->C:\WINDOWS\bnetunin.exe
CDisplay 1.8-->"C:\Program Files\CDisplay\unins000.exe"
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Support 3.1-->MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC}
Diablo-->C:\WINDOWS\diabunin.exe
Disciples II Rise of the Elves-->C:\PROGRA~1\STRATE~1\DISCIP~1\UNWISE.EXE C:\PROGRA~1\STRATE~1\DISCIP~1\INSTALL.LOG
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Dungeon Keeper-->C:\WINDOWS\uninst.exe -fC:\WINDOWS\SYSTEM\KEEPER\DeIsL1.isu
Eraser 5.8-->"C:\Program Files\Eraser\unins000.exe"
Fallout2-->C:\WINDOWS\ipuninst.exe -fC:\Program Files\BlackIsle\Fallout2\uninst.log
FinePrint-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpinst5.exe /uninstall
Gaim (remove only)-->C:\Program Files\Gaim\gaim-uninst.exe
Galactic Civilizations II-->C:\PROGRA~1\Stardock\TOTALG~1\GalCiv2\UNWISE.EXE C:\PROGRA~1\Stardock\TOTALG~1\GalCiv2\INSTALL.LOG
GTK+ Runtime 2.10.7 rev a (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
Heroes of Might and Magic® III-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Heroes3\Uninst.isu" -c"C:\Program Files\3DO\Heroes3\uninst.dll
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
ICatch (VI) PC Camera-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F48C6EA5-3B43-11D6-86A6-0050BA0259A2}\setup.exe"
Intel(R) Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Intel(R) PROSet for Wired Connections-->MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
Linksys Wireless-G PCI Network Adapter with SpeedBooster-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}\setup.exe" -l0x9
Linksys Wireless-G PCI Network Adapter with SpeedBooster-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EAE4A00B-D290-4B65-8287-B82A80FC0619}\setup.exe" -l0x9
Macromedia Flash Player-->MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Master of Orion II-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Microprose\Orion2\DeIsL2.isu"
MCU-->MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC-->C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (2.0.0.18)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nero 7 Demo-->MsiExec.exe /I{692854CC-97EF-4307-B787-8C6787B91033}
OpenOffice.org 2.0-->MsiExec.exe /I{686BB230-DE5B-44F4-8DB0-4F9BEE7310F7}
Planescape - Torment-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Black Isle\Torment\Uninst.isu"
RollerCoaster Tycoon 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}\Setup.exe" -l0x9
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sid Meier's Alpha Centauri-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Firaxis Games\Sid Meier's Alpha Centauri\Uninst.isu"
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic Activation Module-->MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft-->C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
Stronghold Crusader-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8C3727F2-8E37-49E4-820C-03B1677F53B6}\setup.exe" -l0x9
Stronghold-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C917BA70-28A3-4C74-B163-41FD8C8E1A5A}\setup.exe" -l0x9
The Deeper Dungeons-->C:\WINDOWS\uninst.exe -fC:\WINDOWS\BULLFROG\DEEPER\DeIsL2.isu
Treasure Generator 2.10-->C:\WINDOWS\unvise32.exe C:\Program Files\JamisBuck\Treasure\uninstal.log
Unreal Tournament G.O.T.Y. Edition-->C:\UnrealTournament\System\Setup.exe uninstall "UnrealTournament"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Rights Management Client Backwards Compatibility SP2-->MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2-->MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
XoftSpy-->C:\Program Files\XoftSpy\uninstall.exe
ZoneAlarm Security Suite-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

======Security center information======

AV: ZoneAlarm Security Suite Antivirus
AV: McAfee VirusScan
FW: (disabled)
FW: ZoneAlarm Security Suite Firewall

System event log

Computer Name: TERROR_MACHINE
Event Code: 62486
Message: Invalid parameters

Record Number: 47785
Source Name: ati2mtag
Time Written: 20081114022600.000000-480
Event Type: information
User:

Computer Name: TERROR_MACHINE
Event Code: 62486
Message: Invalid parameters

Record Number: 47784
Source Name: ati2mtag
Time Written: 20081114022600.000000-480
Event Type: information
User:

Computer Name: TERROR_MACHINE
Event Code: 62486
Message: Invalid parameters

Record Number: 47783
Source Name: ati2mtag
Time Written: 20081114022600.000000-480
Event Type: information
User:

Computer Name: TERROR_MACHINE
Event Code: 62486
Message: Invalid parameters

Record Number: 47782
Source Name: ati2mtag
Time Written: 20081114022600.000000-480
Event Type: information
User:

Computer Name: TERROR_MACHINE
Event Code: 62486
Message: Invalid parameters

Record Number: 47781
Source Name: ati2mtag
Time Written: 20081114022600.000000-480
Event Type: information
User:

Application event log

Computer Name: TERROR_MACHINE
Event Code: 0
Message:
Record Number: 4060
Source Name: Viewpoint Manager Service
Time Written: 20081115202754.000000-480
Event Type: information
User:

Computer Name: TERROR_MACHINE
Event Code: 105
Message: The service was started.

Record Number: 4059
Source Name: ATI Smart
Time Written: 20081115202749.000000-480
Event Type: information
User:

Computer Name: TERROR_MACHINE
Event Code: 701
Message: MsnMsgr (3232) Online defragmentation has completed a full pass on database '\\.\C:\Documents and Settings\Joseph\Local Settings\Application Data\Microsoft\Messenger\sracsux@hotmail.com\SharingMetadata\Working\database_BAB0_8445_B084_9D9\dfsr.db'.

Record Number: 4058
Source Name: ESENT
Time Written: 20081115200012.000000-480
Event Type: information
User:

Computer Name: TERROR_MACHINE
Event Code: 700
Message: MsnMsgr (3232) Online defragmentation is beginning a full pass on database '\\.\C:\Documents and Settings\Joseph\Local Settings\Application Data\Microsoft\Messenger\sracsux@hotmail.com\SharingMetadata\Working\database_BAB0_8445_B084_9D9\dfsr.db'.

Record Number: 4057
Source Name: ESENT
Time Written: 20081115200012.000000-480
Event Type: information
User:

Computer Name: TERROR_MACHINE
Event Code: 701
Message: MsnMsgr (3232) Online defragmentation has completed a full pass on database '\\.\C:\Documents and Settings\Joseph\Local Settings\Application Data\Microsoft\Messenger\sracsux@hotmail.com\SharingMetadata\Working\database_BAB0_8445_B084_9D9\dfsr.db'.

Record Number: 4056
Source Name: ESENT
Time Written: 20081115190012.000000-480
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\ATI Technologies\ATI.ACE\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0407
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
"tvdumpflags"=8

-----------------EOF-----------------

I'm not too upset at all, I saw how busy the forums are, I'm appreciative you got to me at all =) Thank you!

katana · Dec 20, 2008

Disable Teatimer
First step:

Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If requested, please reboot
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Twose · Dec 21, 2008

Okay, so far so good, Malwarebytes first:

Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 3

12/20/2008 7:53:54 PM
mbam-log-2008-12-20 (19-53-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 120278
Time elapsed: 53 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\mlJyYSlL.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\trglvr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fikpwl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hctoph.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6596cee3-768c-4aaa-b816-98028f6c787b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6596cee3-768c-4aaa-b816-98028f6c787b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{da0f9900-cbbb-4ece-9804-94e12a9d6924} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{da0f9900-cbbb-4ece-9804-94e12a9d6924} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b1dec9a-4994-48e1-b416-7a5cd693a295} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b1dec9a-4994-48e1-b416-7a5cd693a295} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{027e2c19-2635-4d57-82c6-a32b0814ce10} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mljyysll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\mljyysll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mlJyYSlL.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\LlSYyJlm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LlSYyJlm.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\btxwdjai.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iajdwxtb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaiefvgf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fgvfeiag.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\trglvr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fikpwl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hctoph.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Joseph\Local Settings\Temporary Internet Files\Content.IE5\8W4B6H27\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joseph\Local Settings\Temporary Internet Files\Content.IE5\DCV3MVY3\zc113432[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joseph\Local Settings\Temporary Internet Files\Content.IE5\I3HR4KXS\upd105320[2] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP623\A0219429.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP623\A0219443.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP623\A0219444.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ltqvfbbe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcskjelo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njqmfamh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\knkrjigo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nyrknrgm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crsldy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uekkrvys.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uiddbeiu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qttxmpwe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv671229210867.cpx (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Adware.Agent) -> Quarantined and deleted successfully.

Combofix:
ComboFix 08-12-20.03 - Joseph 2008-12-20 20:11:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.641 [GMT -8:00]
Running from: c:\documents and settings\Joseph\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joseph\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\bdutukfl.ini
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\lcwekbvv.ini
c:\windows\system32\owhfakqu.ini
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\Tasks\sytgalgt.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-20 18:17 . 2008-12-20 18:17 <DIR> d-------- c:\documents and settings\Joseph\Application Data\Malwarebytes
2008-12-20 18:16 . 2008-12-20 18:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-20 18:16 . 2008-12-20 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 18:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-20 18:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 11:37 . 2008-12-20 11:38 <DIR> d----c--- C:\rsit
2008-12-16 08:06 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-15 14:52 . 2008-12-15 14:58 <DIR> d-------- c:\program files\Strategy First
2008-12-14 18:46 . 2008-12-14 18:46 <DIR> d-------- c:\program files\Trend Micro
2008-12-14 16:30 . 2008-12-14 16:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 16:30 . 2008-12-14 16:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-14 15:07 . 2008-12-14 15:07 <DIR> d-------- c:\documents and settings\Joseph\Application Data\MailFrontier
2008-12-14 14:59 . 2008-12-20 20:18 53,586,208 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-14 14:59 . 2008-12-20 20:15 717,980 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-14 11:59 . 2008-12-14 11:59 <DIR> d-------- c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-12-14 11:59 . 2008-12-14 12:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-14 11:37 . 2008-12-14 17:13 <DIR> d-------- c:\program files\Copy of mIRC
2008-12-14 10:41 . 2008-12-14 10:41 66,936 --ahs---- c:\windows\dlinfo_0.drv
2008-12-09 17:39 . 2008-10-09 14:25 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-29 20:57 . 2008-11-29 20:57 <DIR> d-------- c:\documents and settings\Joseph\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 04:15 --------- d-----w c:\program files\Eraser
2008-12-20 19:30 --------- d-----w c:\documents and settings\Joseph\Application Data\Skype
2008-12-18 04:26 --------- d-----w c:\program files\mIRC
2008-12-14 19:58 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-14 19:46 --------- d-----w c:\program files\Yahoo!
2008-12-14 19:46 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-12 23:13 --------- d-----w c:\documents and settings\Joseph\Application Data\OpenOffice.org2
2008-12-11 02:08 --------- d-----w c:\documents and settings\Joseph\Application Data\Azureus
2008-12-08 18:30 --------- d-----w c:\program files\Bullfrog
2008-12-08 18:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 13:56 --------- d-----w c:\program files\XoftSpy
2008-11-30 04:57 --------- d-----w c:\documents and settings\Joseph\Application Data\My Games
2008-11-30 04:47 --------- d-----w c:\program files\Turbine
2008-11-16 04:35 --------- d-----w c:\documents and settings\Joseph\Application Data\skypePM
2008-11-12 09:39 --------- d-----w c:\documents and settings\Joseph\Application Data\Viewpoint
2008-11-11 01:29 --------- d-----w c:\program files\Black Isle
2008-11-11 01:22 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-11 01:16 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-11 01:16 --------- d-----w c:\documents and settings\Joseph\Application Data\DAEMON Tools
2008-11-09 22:16 --------- d-----w c:\program files\Skype
2008-11-09 22:16 --------- d-----w c:\program files\Common Files\Skype
2008-11-09 22:16 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-31 00:29 --------- d-----w c:\program files\MSXML 4.0
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 07:10 --------- d-----w c:\program files\World of Warcraft
2008-10-09 22:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-30 17:54 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-10-30 17:54 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-30 17:54 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-10-30 17:54 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-10-30 17:54 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-04-02 03:58 304,128 --sha-w c:\windows\system32\_Se082.exe
2008-07-01 23:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070120080702\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Eraser"="c:\program files\Eraser\eraser.exe" [2006-08-07 634880]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Google Update"="c:\documents and settings\Joseph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-06-13 499712]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Icatch(VI) SnapDetect.lnk - c:\windows\Twain_32\CA561A\SnapDetect.exe [2007-01-16 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Diablo\\diablo.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Copy of mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []
S2 WindowsCOM++;WindowsCOM++;c:\program files\Common Files\Microsoft Shared\MSINFO\Se082.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdd5eaac-37cc-11dd-a902-000f66f3a9a2}]
\Shell\Auto\command - F:\Se082.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Se082.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-21 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Joseph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-15 11:26]

2006-06-27 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2007-04-26 14:39]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5E95ED8A-81BB-4100-BD93-60BB14E97048} - (no file)
BHO-{A755A394-7DE6-4BDD-B7B8-87C4A134B5B4} - (no file)
BHO-{F93E5F1D-5808-49A0-B70E-E2E644EF8484} - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-QBReminderFlash - c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
Notify-bYoNfffE - bYoNfffE.dll

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Joseph\Application Data\Mozilla\Firefox\Profiles\7nt6um7g.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 20:17:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-12-20 20:20:43 - machine was rebooted [Joseph]
ComboFix-quarantined-files.txt 2008-12-21 04:20:39

Pre-Run: 5,786,730,496 bytes free
Post-Run: 5,861,502,976 bytes free

186 --- E O F --- 2008-11-20 16:29:26

katana · Dec 21, 2008

Please ensure that any USB/Flash/External drives are connected whilst we are cleaning your machine.
Flash Disinfector by sUBs
Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.

Please restart your computer.

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

File::
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\_Se082.exe
Folder::
Driver::
Viewpoint Manager Service
WindowsCOM++
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdd5eaac-37cc-11dd-a902-000f66f3a9a2}]
ADS::

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Twose · Dec 22, 2008

Wow, you weren't kidding about the length of that scan, here are the results:

ComboFix 08-12-20.03 - Joseph 2008-12-21 16:21:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.583 [GMT -8:00]
Running from: c:\documents and settings\Joseph\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joseph\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\_Se082.exe
c:\windows\system32\Agent.OMZ.Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_Se082.exe
c:\windows\system32\Agent.OMZ.Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Legacy_WINDOWSCOM++
-------\Service_Viewpoint Manager Service
-------\Service_WindowsCOM++

((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-20 18:17 . 2008-12-20 18:17 <DIR> d-------- c:\documents and settings\Joseph\Application Data\Malwarebytes
2008-12-20 18:16 . 2008-12-20 18:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-20 18:16 . 2008-12-20 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 18:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-20 18:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 11:37 . 2008-12-20 11:38 <DIR> d----c--- C:\rsit
2008-12-15 14:52 . 2008-12-15 14:58 <DIR> d-------- c:\program files\Strategy First
2008-12-14 18:46 . 2008-12-14 18:46 <DIR> d-------- c:\program files\Trend Micro
2008-12-14 16:30 . 2008-12-14 16:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 16:30 . 2008-12-14 16:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-14 15:07 . 2008-12-14 15:07 <DIR> d-------- c:\documents and settings\Joseph\Application Data\MailFrontier
2008-12-14 14:59 . 2008-12-21 16:27 57,030,432 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-14 14:59 . 2008-12-21 16:24 764,516 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-14 11:59 . 2008-12-14 11:59 <DIR> d-------- c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-12-14 11:59 . 2008-12-14 12:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-14 11:37 . 2008-12-14 17:13 <DIR> d-------- c:\program files\Copy of mIRC
2008-12-14 10:41 . 2008-12-14 10:41 66,936 --ahs---- c:\windows\dlinfo_0.drv
2008-12-09 17:39 . 2008-10-09 14:25 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-29 20:57 . 2008-11-29 20:57 <DIR> d-------- c:\documents and settings\Joseph\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 00:27 --------- d-----w c:\program files\Eraser
2008-12-20 19:33 2,181,413 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2008-12-20 19:30 --------- d-----w c:\documents and settings\Joseph\Application Data\Skype
2008-12-20 16:44 155,589 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_20_08_44_40_small.dmp.zip
2008-12-18 04:26 --------- d-----w c:\program files\mIRC
2008-12-14 23:05 86,489 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_14_59_32_small.dmp.zip
2008-12-14 22:59 11,776 ----a-w c:\windows\Internet Logs\xDBA.tmp
2008-12-14 22:59 1,830,912 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-12-14 22:51 46,947 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_14_43_12_small.dmp.zip
2008-12-14 22:51 46,052 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_14_43_10_small.dmp.zip
2008-12-14 22:51 45,800 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_14_43_14_small.dmp.zip
2008-12-14 22:51 15,226,700 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_14_43_04_full.dmp.zip
2008-12-14 22:49 46,471 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_14_42_37_small.dmp.zip
2008-12-14 22:49 46,179 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_14_42_46_small.dmp.zip
2008-12-14 22:49 46,088 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_14_42_48_small.dmp.zip
2008-12-14 22:49 45,875 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_14_42_39_small.dmp.zip
2008-12-14 22:41 12,800 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-12-14 22:41 10,240 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-12-14 19:58 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-14 19:46 --------- d-----w c:\program files\Yahoo!
2008-12-14 19:46 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-12 23:13 --------- d-----w c:\documents and settings\Joseph\Application Data\OpenOffice.org2
2008-12-11 02:08 --------- d-----w c:\documents and settings\Joseph\Application Data\Azureus
2008-12-08 18:30 --------- d-----w c:\program files\Bullfrog
2008-12-08 18:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 13:56 --------- d-----w c:\program files\XoftSpy
2008-11-30 04:57 --------- d-----w c:\documents and settings\Joseph\Application Data\My Games
2008-11-30 04:47 --------- d-----w c:\program files\Turbine
2008-11-16 04:35 --------- d-----w c:\documents and settings\Joseph\Application Data\skypePM
2008-11-16 04:28 2,136,064 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-11-16 04:28 1,537,536 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-11-12 09:39 --------- d-----w c:\documents and settings\Joseph\Application Data\Viewpoint
2008-11-11 01:29 --------- d-----w c:\program files\Black Isle
2008-11-11 01:22 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-11 01:16 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-11 01:16 --------- d-----w c:\documents and settings\Joseph\Application Data\DAEMON Tools
2008-11-09 22:16 --------- d-----w c:\program files\Skype
2008-11-09 22:16 --------- d-----w c:\program files\Common Files\Skype
2008-11-09 22:16 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-31 00:29 --------- d-----w c:\program files\MSXML 4.0
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-09 22:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 07:43 1,934,848 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-09-24 09:30 1,933,824 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-09-22 01:08 244,224 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-10-30 17:54 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-10-30 17:54 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-30 17:54 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-10-30 17:54 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-10-30 17:54 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-07-01 23:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070120080702\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-20_20.20.09.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-21 04:00:19 63,016 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-22 00:18:49 63,016 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-21 04:00:19 402,406 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-22 00:18:49 402,406 ----a-w c:\windows\system32\perfh009.dat
- 2008-12-21 04:18:35 417,996 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-12-22 00:25:52 422,952 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-12-21 03:03:57 1,548,288 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-12-21 11:20:32 1,944,576 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Eraser"="c:\program files\Eraser\eraser.exe" [2006-08-07 634880]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Google Update"="c:\documents and settings\Joseph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-06-13 499712]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Icatch(VI) SnapDetect.lnk - c:\windows\Twain_32\CA561A\SnapDetect.exe [2007-01-16 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Diablo\\diablo.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Copy of mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-12-21 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Joseph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-15 11:26]

2006-06-27 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2007-04-26 14:39]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Joseph\Application Data\Mozilla\Firefox\Profiles\7nt6um7g.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 16:25:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-12-21 16:29:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 00:29:30
ComboFix2.txt 2008-12-21 04:20:44

Pre-Run: 5,731,815,424 bytes free
Post-Run: 5,721,645,056 bytes free

220 --- E O F --- 2008-12-21 20:43:26

Kapersky Online scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 21, 2008 21:13:33
Records in database: 1497331
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 68890
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 06:22:03

No malware has been detected. The scan area is clean.

The selected area was scanned.

katana · Dec 22, 2008

Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up

Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.

Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

Enable Teatimer

RIGHT click Link >>> HERE <<< Link and select "save as" and save it to your desktop
Double click ResetTeaTimer.bat
Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
check the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
You can now delete ResetTeaTimer.bat

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware <<< A New and effective program
a-squared Free <<< A good "realtime" or "on demand" scanner
superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections

Internet Browsers

Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    - Change the Download signed ActiveX controls to Prompt
    - Change the Download unsigned ActiveX controls to Disable
    - Change the Initialise and script ActiveX controls not marked as safe to Disable
    - Change the Installation of desktop items to Prompt
    - Change the Launching programs and files in an IFRAME to Prompt
    - Change the Navigate sub-frames across different domains to Prompt
    - When all these settings have been made, click on the OK button.
    - If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
- FireFox
  - With many addons available that make customization easy this is a very popular choice
  - NoScript and AdBlockPlus addons are essential
- Opera
  - Another popular alternative
- Netscape
  - Another popular alternative
  - Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner
- Free and very simple to use
CCleaner
- Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

Twose · Dec 22, 2008

Everything seems to be fine, and I've added Winpatrol to my computer. I really appreciate all the time you've put in to helping me, so I'm going to donate. Thank you sincerely, have a wonderful day.

Virtumonde as usual

Twose

New member

katana

Security Expert-Emeritus

Twose

New member

katana

Security Expert-Emeritus

Twose

New member

katana

Security Expert-Emeritus

Twose

New member

katana

Security Expert-Emeritus

Twose

New member