Virtumonde.prx...D:

CeruleanSkyX · Dec 15, 2008

Hello, I've already read the "Before you Post" thread and I'm requesting some assistance on how to get rid of Virtumonde.prx and a question about that spyware. I've have also scanned my computer many times with spybot, malware, ad-adware but it comes back each time. :sad: And my question is it possible that this spyware can effect someone's email address?

Here's my Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:44 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\WINPENJR\win32\AcrEmChk.exe
D:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
F3 - REG:win.ini: load=D:\WINDOWS\system32\jkhfc.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36ee258a-7001-4d6b-ae9a-3126e4523625} - D:\WINDOWS\system32\zezufizi.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {B9557C96-7F76-4644-AAE6-3A32F7EB4BAB} - (no file)
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CPMf79c3322] Rundll32.exe "d:\windows\system32\tahalopu.dll",a
O4 - HKLM\..\Run: [bejozuseto] Rundll32.exe "D:\WINDOWS\system32\badosuvu.dll",s
O4 - HKCU\..\Run: [Custom.exe] D:\Program Files\WINPENJR\win32\Custom.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PenPower Email Touchpad.lnk = D:\Program Files\WINPENJR\win32\AcrEmChk.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = D:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O20 - AppInit_DLLs: d:\windows\system32\tahalopu.dll,D:\WINDOWS\system32\janebone.dll
O20 - Winlogon Notify: ddccccb - ddccccb.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\tahalopu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\tahalopu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Tracks Washer Registry Service (WTWService) - Unknown owner - D:\Program Files\Internet Tracks Washer\washservice.exe (file missing)

--
End of file - 7639 bytes

katana · Dec 20, 2008

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following

Download and Run RSIT

Please download Random's System Information Tool by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

CeruleanSkyX · Dec 20, 2008

Thank you very much for taking your time to help me and I do understand that I'm not the only one having problems and that it might take awhile, but it sure is worth the wait! And Here's my Log.txt:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Kinh Tran at 2008-12-20 14:01:48
Microsoft Windows XP Professional Service Pack 3
System drive D: has 3 GB (9%) free of 30 GB
Total RAM: 255 MB (5% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:34 PM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\WINPENJR\win32\AcrEmChk.exe
D:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Kinh Tran\Desktop\RSIT.exe
D:\Program Files\Trend Micro\HijackThis\Kinh Tran.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
F3 - REG:win.ini: load=D:\WINDOWS\system32\jkhfc.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36ee258a-7001-4d6b-ae9a-3126e4523625} - D:\WINDOWS\system32\negonito.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {B9557C96-7F76-4644-AAE6-3A32F7EB4BAB} - (no file)
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bejozuseto] Rundll32.exe "D:\WINDOWS\system32\higihape.dll",s
O4 - HKLM\..\Run: [CPMf79c3322] Rundll32.exe "d:\windows\system32\napigowu.dll",a
O4 - HKCU\..\Run: [Custom.exe] D:\Program Files\WINPENJR\win32\Custom.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5316] command /c del "d:\windows\system32\hajegiwa.dll_old"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PenPower Email Touchpad.lnk = D:\Program Files\WINPENJR\win32\AcrEmChk.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = D:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O20 - AppInit_DLLs: D:\WINDOWS\system32\tomatofi.dll d:\windows\system32\napigowu.dll
O20 - Winlogon Notify: ddccccb - ddccccb.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\napigowu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\napigowu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Tracks Washer Registry Service (WTWService) - Unknown owner - D:\Program Files\Internet Tracks Washer\washservice.exe (file missing)

--
End of file - 7850 bytes

======Scheduled tasks folder======

D:\WINDOWS\tasks\gumjhvap.job
D:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll [2007-12-18 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36ee258a-7001-4d6b-ae9a-3126e4523625}]
D:\WINDOWS\system32\negonito.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - D:\Program Files\Yahoo!\Common\yiesrvc.dll [2007-12-12 222448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - D:\Program Files\Java\jre6\bin\ssv.dll [2008-12-14 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - d:\program files\google\googletoolbar4.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - D:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll [2008-01-06 323568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B9557C96-7F76-4644-AAE6-3A32F7EB4BAB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! ¤u¨ã¦C - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll [2007-12-18 817936]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - d:\program files\google\googletoolbar4.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=D:\WINDOWS\system32\NvCpl.dll [2004-07-15 4112384]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=D:\WINDOWS\system32\NvMcTray.dll [2004-07-15 81920]
"Logitech Hardware Abstraction Layer"=KHALMNPR.EXE []
"!AVG Anti-Spyware"=D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [2008-04-08 6731312]
"SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2008-12-14 136600]
"iTunesHelper"=D:\Program Files\iTunes\iTunesHelper.exe [2006-10-30 256576]
"bejozuseto"=D:\WINDOWS\system32\higihape.dll [2008-09-16 62563]
"CPMf79c3322"=d:\windows\system32\napigowu.dll [2008-12-20 95845]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Custom.exe"=D:\Program Files\WINPENJR\win32\Custom.EXE [2007-02-01 77824]
"SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB5316"=command /c del d:\windows\system32\hajegiwa.dll_old []

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PenPower Email Touchpad.lnk - D:\Program Files\WINPENJR\win32\AcrEmChk.exe
Smart Wizard Wireless Settings.lnk - D:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="D:\WINDOWS\system32\tomatofi.dll d:\windows\system32\napigowu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccccb]
ddccccb.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
D:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\napigowu.dll [2008-12-20 95845]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\napigowu.dll [2008-12-20 95845]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [2007-05-30 79408]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=D:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
D:\WINDOWS\system32\tomatofi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"D:\Program Files\Starcraft\StarCraft.exe"="D:\Program Files\Starcraft\StarCraft.exe:*:Enabled:Starcraft"
"D:\Program Files\Messenger\msmsgs.exe"="D:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"D:\Program Files\Yahoo!\Messenger\YPager.exe"="D:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"D:\Program Files\Yahoo!\Messenger\YServer.exe"="D:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"D:\Program Files\Internet Explorer\IEXPLORE.EXE"="D:\Program Files\Internet Explorer\IEXPLORE.EXE:*

isabled:Internet Explorer"
"D:\Program Files\MSN Messenger\msnmsgr.exe"="D:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 6.2"
"D:\Program Files\AIM\aim.exe"="D:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"D:\Program Files\Common Files\AOL\Loader\aolload.exe"="D:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"D:\Program Files\Common Files\AOL\1124472680\ee\AOLServiceHost.exe"="D:\Program Files\Common Files\AOL\1124472680\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"D:\Documents and Settings\Kinh Tran\Desktop\Victoria stuff\anime_manga stuff ^ - ^\Fruits Basket stuff\Fruits Basket anime\Cardcaptor stuff\utorrent.exe"="D:\Documents and Settings\Kinh Tran\Desktop\Victoria stuff\anime_manga stuff ^ - ^\Fruits Basket stuff\Fruits Basket anime\Cardcaptor stuff\utorrent.exe:*:Enabled:utorrent"
"D:\Documents and Settings\Kinh Tran\Desktop\Victoria stuff\utorrent.exe"="D:\Documents and Settings\Kinh Tran\Desktop\Victoria stuff\utorrent.exe:*:Enabled:µTorrent"
"D:\Documents and Settings\Kinh Tran\Desktop\Victoria stuff\anime_manga stuff ^ - ^\Fruits Basket stuff\torrents\utorrent.exe"="D:\Documents and Settings\Kinh Tran\Desktop\Victoria stuff\anime_manga stuff ^ - ^\Fruits Basket stuff\torrents\utorrent.exe:*:Enabled:µTorrent"
"D:\Program Files\Common Files\AOL\1156894881\ee\aolsoftware.exe"="D:\Program Files\Common Files\AOL\1156894881\ee\aolsoftware.exe:*:Enabled:AOL Services"
"D:\Program Files\Common Files\AOL\1156894881\ee\aim6.exe"="D:\Program Files\Common Files\AOL\1156894881\ee\aim6.exe:*:Enabled:AIM"
"D:\Victoria stuff\anime_manga stuff ^ - ^\fruits basket stuff\torrents\utorrent.exe"="D:\Victoria stuff\anime_manga stuff ^ - ^\fruits basket stuff\torrents\utorrent.exe:*:Enabled:µTorrent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000"
"D:\Program Files\Azureus\Azureus.exe"="D:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"D:\Documents and Settings\Kinh Tran\Desktop\utorrent.exe"="D:\Documents and Settings\Kinh Tran\Desktop\utorrent.exe:*:Enabled:µTorrent"
"D:\Program Files\Softnyx\Rakion\Bin\rakion.bin"="D:\Program Files\Softnyx\Rakion\Bin\rakion.bin:*:Enabled:rakion"
"D:\Program Files\ppfilm\jfCacheMgr.exe"="D:\Program Files\ppfilm\jfCacheMgr.exe:*:Enabled:jfCacheMgr(http://www.ppfilm.cn)"
"D:\Program Files\ppfilm\KmLiveUpdate.exe"="D:\Program Files\ppfilm\KmLiveUpdate.exe:*:Enabled:KmLiveUpdate(http://www.ppfilm.cn)"
"D:\Program Files\ppfilm\ppFilmPlayer.exe"="D:\Program Files\ppfilm\ppFilmPlayer.exe:*:Enabled

pFilmPlayer"
"D:\Nexon\MapleStory\MapleStory.exe"="D:\Nexon\MapleStory\MapleStory.exe:*:Enabled:MapleStory"
"D:\Program Files\mIRC\mirc.exe"="D:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"D:\Program Files\Windows CE Services\DccMan.exe"="D:\Program Files\Windows CE Services\DccMan.exe:*

isabled:Connection Manager"
"D:\Program Files\Mozilla Firefox\firefox.exe"="D:\Program Files\Mozilla Firefox\firefox.exe:*

isabled:Firefox"
"D:\Program Files\Windows CE Services\DCCMAN .EXE"="D:\Program Files\Windows CE Services\DCCMAN .EXE:*:Enabled:Connection Manager"
"D:\Program Files\ppfilm\jfCacheMgr .exe"="D:\Program Files\ppfilm\jfCacheMgr .exe:*:Enabled:?????????"
"D:\Program Files\ppfilm\jfCacheMgr .exe"="D:\Program Files\ppfilm\jfCacheMgr .exe:*:Enabled:?????????"
"D:\Program Files\Orbitdownloader\orbitnet.exe"="D:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled

2P service of Orbit Downloader"
"D:\Program Files\Free Music Zilla\FMZilla.exe"="D:\Program Files\Free Music Zilla\FMZilla.exe:*

isabled:FMZilla Module"
"D:\Program Files\Orbitdownloader\orbitdm.exe"="D:\Program Files\Orbitdownloader\orbitdm.exe:*

isabled:Orbit"
"D:\Program Files\ppfilm\jfCacheMgr .exe"="D:\Program Files\ppfilm\jfCacheMgr .exe:*:Enabled:?????????"
"D:\Program Files\iTunes\iTunes.exe"="D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"D:\WINDOWS\explorer.exe"="D:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe:*:Enabled:TeaTimer"
"D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe:*:Enabled:avgas"
"D:\WINDOWS\system32\logonuiX.exe"="D:\WINDOWS\system32\logonuiX.exe:*:Enabled:logonuiX"
"D:\WINDOWS\system32\winlogon.exe"="D:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"D:\WINDOWS\system32\services.exe"="D:\WINDOWS\system32\services.exe:*:Enabled:services"
"D:\WINDOWS\system32\logonui.exe"="D:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"D:\Program Files\MSN Messenger\msnmsgr.exe"="D:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 6.2"
"D:\Program Files\AIM\aim.exe"="D:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"D:\Program Files\Common Files\AOL\1124472680\ee\AOLServiceHost.exe"="D:\Program Files\Common Files\AOL\1124472680\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"D:\Program Files\Common Files\AOL\Loader\aolload.exe"="D:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
shell\AutoRun\command - C:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e59835d-4e20-11dc-9e5a-00095bd326f2}]
shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48d9c57d-694a-11dc-9e5f-00095bd326f2}]
shell\AutoRun\command - E:\LaunchU3.exe -a

======File associations======

.js - open - NOTEPAD.EXE %1
.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*
.vbs - open - NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2008-12-20 14:01:48 ----D---- D:\rsit
2008-12-20 13:55:03 ----SH---- D:\WINDOWS\system32\okavoyup.ini
2008-12-19 22:52:29 ----SH---- D:\WINDOWS\system32\ihaluvap.ini
2008-12-19 10:53:05 ----SH---- D:\WINDOWS\system32\ulilagur.ini
2008-12-18 22:04:51 ----SH---- D:\WINDOWS\system32\agisisit.ini
2008-12-18 10:04:58 ----SH---- D:\WINDOWS\system32\ebelabik.ini
2008-12-14 21:25:43 ----D---- D:\Program Files\Trend Micro
2008-12-14 19:40:21 ----A---- D:\WINDOWS\system32\javaws.exe
2008-12-14 19:40:21 ----A---- D:\WINDOWS\system32\javaw.exe
2008-12-14 19:40:21 ----A---- D:\WINDOWS\system32\java.exe
2008-12-14 19:40:21 ----A---- D:\WINDOWS\system32\deploytk.dll
2008-12-10 16:51:38 ----ASH---- D:\WINDOWS\system32\jejavaso.dll
2008-12-06 23:32:20 ----A---- D:\WINDOWS\wininit.ini
2008-12-06 20:46:36 ----D---- D:\Documents and Settings\All Users\Application Data\Innovative Solutions
2008-12-06 20:45:29 ----D---- D:\Program Files\Innovative Solutions
2008-12-06 19:40:41 ----A---- D:\WINDOWS\system32\STKIT432.DLL
2008-12-05 19:54:23 ----D---- D:\Program Files\Common Files\Wise Installation Wizard
2008-12-05 19:40:35 ----D---- D:\Program Files\CCleaner
2008-12-05 18:49:30 ----D---- D:\Program Files\XoftSpySE
2008-12-05 18:24:58 ----D---- D:\Program Files\PocketRAR
2008-12-05 18:23:46 ----D---- D:\Program Files\Common Files\Stardock
2008-12-04 19:40:45 ----A---- D:\WINDOWS\SchedLgU.Txt
2008-12-04 17:02:32 ----D---- D:\Documents and Settings\Kinh Tran\Application Data\Uniblue
2008-12-03 20:45:17 ----D---- D:\Documents and Settings\Kinh Tran\Application Data\AppleWorks
2008-12-02 21:34:28 ----A---- D:\WINDOWS\system32\wbbfon(2).dll
2008-12-02 21:33:38 ----A---- D:\WINDOWS\system32\7365458b-.txt
2008-12-02 21:16:16 ----A---- D:\WINDOWS\system32\TDSSrkivlyvf.dll
2008-12-02 21:16:10 ----A---- D:\WINDOWS\system32\TDSSyngjmcqa.dll
2008-12-02 21:16:09 ----A---- D:\WINDOWS\system32\TDSSwrtwrmqf.dll
2008-12-02 21:16:08 ----A---- D:\WINDOWS\system32\TDSSstgbvxct.dll
2008-12-02 21:14:53 ----A---- D:\WINDOWS\system32\TDSSyeavvdqu.dll
2008-12-02 21:14:18 ----A---- D:\WINDOWS\system32\pmnnoPge.dll
2008-12-02 21:13:57 ----A---- D:\WINDOWS\system32\gs73gfidgf.dll
2008-12-02 21:13:22 ----A---- D:\WINDOWS\system32\prunnet.exe
2008-11-28 18:30:08 ----HD---- D:\WINDOWS\PIF

======List of files/folders modified in the last 1 months======

2008-12-20 14:01:47 ----D---- D:\WINDOWS\Prefetch
2008-12-20 13:55:08 ----D---- D:\WINDOWS\system32
2008-12-20 13:54:58 ----ASH---- D:\WINDOWS\system32\puyovako.dll
2008-12-20 13:54:58 ----ASH---- D:\WINDOWS\system32\napigowu.dll
2008-12-20 13:53:57 ----D---- D:\Program Files\Mozilla Firefox
2008-12-20 00:52:59 ----SHD---- D:\WINDOWS\Installer
2008-12-19 23:00:02 ----D---- D:\WINDOWS\Temp
2008-12-19 22:52:21 ----N---- D:\WINDOWS\system32\pavulahi.dll
2008-12-19 22:52:21 ----ASH---- D:\WINDOWS\system32\vopuvemi.dll
2008-12-19 11:39:21 ----D---- D:\WINDOWS
2008-12-19 10:54:57 ----D---- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-19 10:53:00 ----N---- D:\WINDOWS\system32\rugalilu.dll
2008-12-19 10:53:00 ----ASH---- D:\WINDOWS\system32\mowukiwe.dll
2008-12-19 09:12:40 ----SD---- D:\WINDOWS\Tasks
2008-12-18 22:04:26 ----N---- D:\WINDOWS\system32\tisisiga.dll
2008-12-18 22:04:26 ----ASH---- D:\WINDOWS\system32\jekosefu.dll
2008-12-18 16:15:07 ----RSD---- D:\WINDOWS\assembly
2008-12-18 16:15:07 ----D---- D:\Config.Msi
2008-12-18 10:04:54 ----N---- D:\WINDOWS\system32\kibalebe.dll
2008-12-18 10:04:54 ----ASH---- D:\WINDOWS\system32\demoliyo.dll
2008-12-16 17:27:17 ----ASH---- D:\WINDOWS\system32\yulejoka.dll
2008-12-16 17:27:15 ----ASH---- D:\WINDOWS\system32\dorigome.dll
2008-12-14 21:25:43 ----AD---- D:\Program Files
2008-12-14 20:02:07 ----SHD---- D:\System Volume Information
2008-12-14 20:02:07 ----D---- D:\WINDOWS\system32\Restore
2008-12-14 19:39:03 ----D---- D:\Program Files\Java
2008-12-14 17:29:18 ----A---- D:\WINDOWS\system32\tahalopu.dll
2008-12-12 18:47:50 ----ASH---- D:\WINDOWS\system32\javibizo.dll
2008-12-11 13:41:33 ----ASH---- D:\WINDOWS\system32\wewedaka.dll
2008-12-10 22:40:20 ----ASH---- D:\WINDOWS\system32\zebigimi.dll
2008-12-10 22:40:20 ----ASH---- D:\WINDOWS\system32\nubagida.dll
2008-12-10 21:40:02 ----ASH---- D:\WINDOWS\system32\pepeyepu.dll
2008-12-10 21:40:02 ----ASH---- D:\WINDOWS\system32\nizuputa.dll
2008-12-10 20:39:47 ----ASH---- D:\WINDOWS\system32\wunuzima.dll
2008-12-10 19:04:45 ----ASH---- D:\WINDOWS\system32\lesorari.dll
2008-12-10 19:04:44 ----ASH---- D:\WINDOWS\system32\zesumozo.dll
2008-12-10 18:05:24 ----ASH---- D:\WINDOWS\system32\potiwesi.dll
2008-12-10 18:05:24 ----ASH---- D:\WINDOWS\system32\petaziwe.dll
2008-12-10 16:51:35 ----ASH---- D:\WINDOWS\system32\vasamazo.dll
2008-12-08 18:48:31 ----A---- D:\WINDOWS\LogonStudio.ini
2008-12-08 15:39:32 ----ASH---- D:\WINDOWS\system32\fubuhara.dll
2008-12-07 22:01:02 ----ASH---- D:\WINDOWS\system32\hofegope.dll
2008-12-06 23:31:46 ----D---- D:\Program Files\Enigma Software Group
2008-12-06 21:38:51 ----A---- D:\WINDOWS\system32\logonuiX.exe
2008-12-06 21:24:07 ----D---- D:\WINDOWS\system32\config
2008-12-06 20:47:46 ----D---- D:\Program Files\Spybot - Search & Destroy
2008-12-06 20:46:36 ----RSD---- D:\WINDOWS\Fonts
2008-12-06 20:01:27 ----ASH---- D:\WINDOWS\system32\biwifasi.dll
2008-12-05 19:55:05 ----D---- D:\WINDOWS\system32\drivers
2008-12-05 19:55:05 ----D---- D:\Program Files\Lavasoft
2008-12-05 19:54:23 ----AD---- D:\Program Files\Common Files
2008-12-05 19:51:07 ----D---- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-05 18:48:11 ----D---- D:\Documents and Settings\All Users\Application Data\Viewpoint
2008-12-05 18:46:50 ----D---- D:\Documents and Settings\Kinh Tran\Application Data\uTorrent
2008-12-05 18:25:25 ----D---- D:\WINDOWS\system32\wbem
2008-12-05 18:25:25 ----D---- D:\WINDOWS\Registration
2008-12-04 15:55:58 ----D---- D:\Program Files\Malwarebytes' Anti-Malware
2008-12-03 19:39:09 ----D---- D:\WINDOWS\Minidump
2008-12-03 19:39:09 ----D---- D:\WINDOWS\Debug
2008-12-02 21:29:59 ----A---- D:\WINDOWS\system32\PerfStringBackup.INI
2008-11-25 23:54:42 ----D---- D:\Documents and Settings\Kinh Tran\Application Data\U3

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; \??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys []
R1 AvgAsCln;AVG Anti-Spyware Clean Driver; D:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [2007-05-30 10872]
R2 mdmxsdk;mdmxsdk; D:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); D:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 E100B;Intel(R) PRO Adapter Driver; D:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 GEARAspiWDM;GEAR CDRom Filter; D:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
R3 HidUsb;Microsoft HID Class Driver; D:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; D:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]
R3 HSFHWBS2;HSFHWBS2; D:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]
R3 MODEMCSA;Unimodem Streaming Filter Device; D:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; D:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; D:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-07-15 2459712]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; D:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
R3 usbhub;USB2 Enabled Hub; D:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; D:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter; D:\WINDOWS\system32\DRIVERS\wg121nd5.sys [2003-11-28 337216]
R3 winachsf;winachsf; D:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056]
S1 kbdhid;Keyboard HID Driver; D:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 EagleNT;EagleNT; \??\D:\WINDOWS\system32\drivers\EagleNT.sys []
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; D:\WINDOWS\system32\DRIVERS\LMouKE.Sys []
S3 npkcrypt;npkcrypt; \??\D:\Documents and Settings\Kinh Tran\Desktop\programs\RebirthRO\npkcrypt.sys []
S3 NPPTNT2;NPPTNT2; \??\D:\WINDOWS\system32\npptNT2.sys []
S3 SMALUSB;Digital Camera Driver; D:\WINDOWS\system32\DRIVERS\smalidt.sys [2002-05-30 9344]
S3 usbccgp;Microsoft USB Generic Parent Driver; D:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; D:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; D:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; D:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; D:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; D:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 XDva202;XDva202; \??\D:\WINDOWS\system32\XDva202.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [2007-05-30 312880]
R2 CCALib8;Canon Camera Access Library 8; D:\Program Files\Canon\CAL\CALMAIN.exe [2005-09-30 96341]
R2 JavaQuickStarterService;Java Quick Starter; D:\Program Files\Java\jre6\bin\jqs.exe [2008-12-14 152984]
R2 NVSvc;NVIDIA Display Driver Service; D:\WINDOWS\system32\nvsvc32.exe [2004-07-15 114755]
R2 WinDefend;Windows Defender; D:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 iPod Service;iPod Service; D:\Program Files\iPod\bin\iPodService.exe [2006-10-30 492608]
S3 aspnet_state;ASP.NET State Service; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Updater Service; D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-25 138168]
S3 ose;Office Source Engine; D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usprserv;User Privilege Service; D:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; D:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WTWService;Windows Tracks Washer Registry Service; D:\Program Files\Internet Tracks Washer\washservice.exe []
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; D:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Viewpoint Manager Service;Viewpoint Manager Service; D:\Program Files\Viewpoint\Common\ViewpointService.exe []

-----------------EOF-----------------

CeruleanSkyX · Dec 20, 2008

Btw, sorry for not saying this at my other post but nice to meet you Katana.

and...
Here's my Info.txt:

info.txt logfile of random's system information tool 1.05 2008-12-20 14:03:47

======Uninstall list======

-->D:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->D:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Download Manager 1.2 (Remove Only)-->"D:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX-->D:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->D:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5 Language Support-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Reader Japanese Fonts-->MsiExec.exe /I{AC76BA86-7AD7-5760-0000-705000000001}
Adobe Shockwave Player-->D:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE D:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Advanced Uninstaller PRO - Version 9-->"D:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\unins000.exe"
AOL Uninstaller (Choose which Products to Remove)-->D:\Program Files\Common Files\AOL\uninstaller.exe
AVG Anti-Spyware 7.5-->D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Canon Camera Access Library-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"D:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CCleaner (remove only)-->"D:\Program Files\CCleaner\uninst.exe"
Finale NotePad 2008-->D:\Program Files\Finale NotePad 2008\uninstallNP.exe
Google Toolbar for Internet Explorer-->regsvr32 /u /s "d:\program files\google\googletoolbar4.dll"
HijackThis 2.0.2-->"D:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"D:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"D:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"D:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"D:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
iTunes-->MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
La Tale-->C:\Games\OGP\La Tale\Uninstall.exe
LanguageNow!-->D:\WINDOWS\IsUninst.exe -f"D:\Program Files\TLI\LanguageNow_T\Uninst.isu"
LogonStudio-->D:\PROGRA~1\WINCUS~1\LOGONS~1\UNWISE.EXE D:\PROGRA~1\WINCUS~1\LOGONS~1\INSTALL.LOG
Malwarebytes' Anti-Malware-->"D:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"D:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"D:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"D:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"D:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.5)-->D:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 6.2-->MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600205}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
NVIDIA Drivers-->D:\WINDOWS\system32\nvudisp.exe UninstallGUI
PenPowerJR-7.1-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{F7D53B02-2C51-4CF5-9A51-F7A6D658EA5A}\Setup.exe" -l0x9 -removeonly
Pocket RAR documentation-->D:\Program Files\PocketRAR\uninstall.exe
QuickTime-->MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer-->D:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RebirthRO Full-->"D:\WINDOWS\RebirthRO Full\uninstall.exe" "/U:C:\Program Files\RebirthRO\Uninstall\uninstall.xml"
Security Update for Windows Internet Explorer 7 (KB928090)-->"D:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"D:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"D:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"D:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"D:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"D:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"D:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"D:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"D:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"D:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"D:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"D:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"D:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"D:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"D:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"D:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"D:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"D:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"D:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"D:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"D:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"D:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"D:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"D:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"D:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"D:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"D:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"D:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"D:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"D:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"D:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"D:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"D:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft-->D:\WINDOWS\SCunin.exe D:\WINDOWS\SCunin.dat
Update for Windows XP (KB951072-v2)-->"D:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"D:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
WG121 Smart Wizard-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{410A2688-05B2-4B98-9A0D-44961FE78264}\Setup.exe"
WinAce Archiver-->"D:\Program Files\WinAce\SXUNINST.EXE" "D:\Program Files\WinAce\SXUNINST.INI"
Windows CE Services 2.2 (Remove Only)-->"D:\WINDOWS\UNINST.EXE" -f"D:\Program Files\Windows CE Services\DeIsL1.isu" -c"D:\Program Files\Windows CE Services\ceuninst.dll"
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Imaging Component-->"D:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"D:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"D:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"D:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"D:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"D:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! ¤u¨ã¦C-->D:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
Yahoo! Browser Services-->D:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager-->D:\WINDOWS\system32\regsvr32 /u D:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail-->D:\WINDOWS\system32\regsvr32 /u /s D:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Mail Quick Select Tool (PhotoMail)-->D:\PROGRA~1\Yahoo!\Common\unymb.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

System event log

Computer Name: KINHTRAN
Event Code: 4201
Message: The system detected that network adapter \DEVICE\TCPIP_{D07E3CC4-0450-417E-8A92-0BE23741EC28} was connected to the network,
and has initiated normal operation over the network adapter.

Record Number: 5016
Source Name: Tcpip
Time Written: 20081111105649.000000-480
Event Type: information
User:

Computer Name: KINHTRAN
Event Code: 4202
Message: The system detected that network adapter \DEVICE\TCPIP_{D07E3CC4-0450-417E-8A92-0BE23741EC28} was disconnected from the network,
and the adapter's network configuration has been released. If the network
adapter was not disconnected, this may indicate that it has malfunctioned.
Please contact your vendor for updated drivers.

Record Number: 5015
Source Name: Tcpip
Time Written: 20081111105640.000000-480
Event Type: information
User:

Computer Name: KINHTRAN
Event Code: 8003
Message: The master browser has received a server announcement from the computer VICTOR
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D07E3CC4-0450-417E-8A.
The master browser is stopping or an election is being forced.

Record Number: 5014
Source Name: MRxSmb
Time Written: 20081110210125.000000-480
Event Type: error
User:

Computer Name: KINHTRAN
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\VICTOR on the network \Device\NetBT_Tcpip_{D07E3CC4-0450-417E-8A92-0BE23741EC28}.
The data is the error code.

Record Number: 5013
Source Name: BROWSER
Time Written: 20081110205720.000000-480
Event Type: warning
User:

Computer Name: KINHTRAN
Event Code: 7036
Message: The Windows Installer service entered the stopped state.

Record Number: 5012
Source Name: Service Control Manager
Time Written: 20081110201439.000000-480
Event Type: information
User:

Application event log

Computer Name: KINHTRAN
Event Code: 1001
Message: Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'InternationalSupportFiles_JPN' failed during request for component '{D4C8BFFA-BF6F-11D1-843A-0000F807F120}'

Record Number: 6802
Source Name: MsiInstaller
Time Written: 20081023090421.000000-420
Event Type: warning
User: KINHTRAN\Kinh Tran

Computer Name: KINHTRAN
Event Code: 11729
Message: Product: Microsoft Office Professional Edition 2003 -- Configuration failed.

Record Number: 6801
Source Name: MsiInstaller
Time Written: 20081023090249.000000-420
Event Type: information
User: KINHTRAN\Kinh Tran

Computer Name: KINHTRAN
Event Code: 11706
Message: Product: Microsoft Office Professional Edition 2003 -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see D:\Program Files\Microsoft Office\OFFICE11\1033\SETUP.CHM.

Record Number: 6800
Source Name: MsiInstaller
Time Written: 20081023090248.000000-420
Event Type: error
User: KINHTRAN\Kinh Tran

Computer Name: KINHTRAN
Event Code: 1001
Message: Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'InternationalSupportFiles_JPN' failed during request for component '{D4C8BFFA-BF6F-11D1-843A-0000F807F120}'

Record Number: 6799
Source Name: MsiInstaller
Time Written: 20081023090219.000000-420
Event Type: warning
User: KINHTRAN\Kinh Tran

Computer Name: KINHTRAN
Event Code: 11729
Message: Product: Microsoft Office Professional Edition 2003 -- Configuration failed.

Record Number: 6798
Source Name: MsiInstaller
Time Written: 20081023085801.000000-420
Event Type: information
User: KINHTRAN\Kinh Tran

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;D:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0102
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;D:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=D:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

katana · Dec 21, 2008

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

----------------------------------------------------------- -----------------------------------------------------------

Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista) . If any of the following programs are listed there,
click on the program to highlight it, and click on remove.

Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.8 << See below for updating Adobe
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1

Now close the Control Panel.

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

Please go to this link Adobe Acrobat Reader Download Link
Click Download
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

CeruleanSkyX · Dec 21, 2008

I downloaded Windows XP Professional SP2 but whenever I drag the icon above the Combofix, it asks me if I want to run the program. Should I run Combofix first before I drag the icon? Also, I'm not exactly sure if I already have Windows Recovery Console already installed.

katana · Dec 21, 2008

Drag the recovery console package on to combofix and click yes to any prompts.
If you already have the Recovery Console installed, Combofix will tell you.

CeruleanSkyX · Dec 21, 2008

Here's the log:

ComboFix 08-12-21.01 - Kinh Tran 2008-12-21 14:14:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.43 [GMT -8:00]
Running from: d:\documents and settings\Kinh Tran\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Kinh Tran\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
d:\windows\Downloaded Program Files\setup.inf
d:\windows\system32\bafagogi.dll
d:\windows\system32\batufuke.dll
d:\windows\system32\biwifasi.dll
d:\windows\system32\cfhkj.ini
d:\windows\system32\cfhkj.ini2
d:\windows\system32\dayarado.dll
d:\windows\system32\Drivers\TDSSbhguudgo.sys
d:\windows\system32\fiwuwomi.dll
d:\windows\system32\fubuhara.dll
d:\windows\system32\gs73gfidgf.dll
d:\windows\system32\hofegope.dll
d:\windows\system32\icroso~1.net
d:\windows\system32\javibizo.dll
d:\windows\system32\jejavaso.dll
d:\windows\system32\jubawiro.dll
d:\windows\system32\lesorari.dll
d:\windows\system32\masayule.dll
d:\windows\system32\mbols~1
d:\windows\system32\nizuputa.dll
d:\windows\system32\nubagida.dll
d:\windows\system32\pepeyepu.dll
d:\windows\system32\petaziwe.dll
d:\windows\system32\pmnnoPge.dll
d:\windows\system32\potiwesi.dll
d:\windows\system32\prunnet.exe
d:\windows\system32\selohuno.dll
d:\windows\system32\silariwo.dll
d:\windows\system32\tahalopu.dll
d:\windows\system32\TDSSlhewivey.dat
d:\windows\system32\TDSSrkivlyvf.dll
d:\windows\system32\TDSSstgbvxct.dll
d:\windows\system32\TDSSwrtwrmqf.dll
d:\windows\system32\TDSSyeavvdqu.dll
d:\windows\system32\TDSSyngjmcqa.dll
d:\windows\system32\tomatofi.dll
d:\windows\system32\vasamazo.dll
d:\windows\system32\vefapapi.dll
d:\windows\system32\wbbfon(2).dll
d:\windows\system32\wewedaka.dll
d:\windows\system32\wunuzima.dll
d:\windows\system32\zebigimi.dll
d:\windows\system32\zesumozo.dll
d:\windows\Tasks\gumjhvap.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 11:31 . 2008-12-21 11:31 120 ---hs---- d:\windows\system32\esujufuh.ini
2008-12-20 14:01 . 2008-12-20 14:03 <DIR> d-------- D:\rsit
2008-12-20 13:55 . 2008-12-20 13:55 120 ---hs---- d:\windows\system32\okavoyup.ini
2008-12-19 22:52 . 2008-12-19 22:52 120 ---hs---- d:\windows\system32\ihaluvap.ini
2008-12-19 10:53 . 2008-12-19 10:53 120 ---hs---- d:\windows\system32\ulilagur.ini
2008-12-18 22:04 . 2008-12-18 22:04 120 ---hs---- d:\windows\system32\agisisit.ini
2008-12-18 10:04 . 2008-12-18 10:04 120 ---hs---- d:\windows\system32\ebelabik.ini
2008-12-14 21:25 . 2008-12-14 21:25 <DIR> d-------- d:\program files\Trend Micro
2008-12-14 19:40 . 2008-12-14 19:39 410,984 --a------ d:\windows\system32\deploytk.dll
2008-12-06 23:32 . 2008-12-17 23:01 443 --a------ d:\windows\wininit.ini
2008-12-06 20:46 . 2008-12-06 20:46 <DIR> d-------- d:\documents and settings\All Users\Application Data\Innovative Solutions
2008-12-06 20:45 . 2008-12-06 20:45 <DIR> d-------- d:\program files\Innovative Solutions
2008-12-06 20:45 . 2006-11-22 11:35 42,496 --a------ d:\windows\system32\AdvUninstCPL.cpl
2008-12-05 19:54 . 2008-12-05 19:54 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
2008-12-05 19:40 . 2008-12-05 19:40 <DIR> d-------- d:\program files\CCleaner
2008-12-05 18:49 . 2008-12-14 20:03 <DIR> d-------- d:\program files\XoftSpySE
2008-12-05 18:24 . 2008-12-05 18:24 <DIR> d-------- d:\program files\PocketRAR
2008-12-05 18:23 . 2008-12-05 18:23 <DIR> d-------- d:\program files\Common Files\Stardock
2008-12-04 17:02 . 2008-12-04 17:02 <DIR> d-------- d:\documents and settings\Kinh Tran\Application Data\Uniblue
2008-12-03 20:45 . 2008-12-03 20:45 <DIR> d-------- d:\documents and settings\Kinh Tran\Application Data\AppleWorks
2008-11-28 18:30 . 2008-11-28 18:30 <DIR> d--h----- d:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 18:54 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-15 03:39 --------- d-----w d:\program files\Java
2008-12-07 07:31 --------- d-----w d:\program files\Enigma Software Group
2008-12-07 04:47 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-12-06 03:55 --------- d-----w d:\program files\Lavasoft
2008-12-06 03:51 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 02:48 --------- d-----w d:\documents and settings\All Users\Application Data\Viewpoint
2008-12-06 02:46 --------- d-----w d:\documents and settings\Kinh Tran\Application Data\uTorrent
2008-12-04 23:55 --------- d-----w d:\program files\Malwarebytes' Anti-Malware
2008-11-26 07:54 --------- d-----w d:\documents and settings\Kinh Tran\Application Data\U3
2008-10-24 15:04 --------- d-----w d:\program files\Transtar
2008-10-24 11:21 455,296 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-10-23 15:26 --------- d-----w d:\program files\WINPENJR
2008-10-23 15:25 --------- d--h--w d:\program files\InstallShield Installation Information
2008-10-23 15:25 --------- d-----w d:\documents and settings\All Users\Application Data\WINPENJR
2008-09-17 01:27 62,563 --sha-w d:\windows\system32\higihape.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Custom.exe"="d:\program files\WINPENJR\win32\Custom.EXE" [2007-02-01 77824]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2004-07-15 81920]
"!AVG Anti-Spyware"="d:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-04-08 6731312]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"bejozuseto"="d:\windows\system32\higihape.dll" [2008-09-16 62563]
"784681f5"="d:\windows\system32\hufujuse.dll" [2008-12-21 83126]
"CPMf79c3322"="d:\windows\system32\sijiwebi.dll" [2008-12-21 97866]
"nwiz"="nwiz.exe" [2004-07-15 d:\windows\system32\nwiz.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
PenPower Email Touchpad.lnk - d:\program files\WINPENJR\win32\AcrEmChk.exe [2008-10-23 305152]
Smart Wizard Wireless Settings.lnk - d:\program files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2005-09-03 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "d:\windows\system32\sijiwebi.dll" [2008-12-21 97866]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\sijiwebi.dll [2008-12-21 97866]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="d:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\system32\sijiwebi.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli d:\windows\system32\tomatofi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Starcraft\\StarCraft.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Common Files\\AOL\\1156894881\\ee\\aolsoftware.exe"=
"d:\\Program Files\\Common Files\\AOL\\1156894881\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Documents and Settings\\Kinh Tran\\Desktop\\utorrent.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\Windows CE Services\\DCCMAN .EXE"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"d:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe"=
"d:\\WINDOWS\\system32\\logonuiX.exe"=
"d:\\Program Files\\iTunes\\iTunesHelper.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP

xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP

xpsp2res.dll,-22016
"500:UDP"= 500:UDP

xpsp2res.dll,-22017

R3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;d:\windows\system32\DRIVERS\wg121nd5.sys [2005-09-03 337216]
S3 SMALUSB;Digital Camera Driver;d:\windows\system32\DRIVERS\smalidt.sys [2005-05-02 9344]
S3 XDva202;XDva202;\??\d:\windows\system32\XDva202.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e59835d-4e20-11dc-9e5a-00095bd326f2}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48d9c57d-694a-11dc-9e5f-00095bd326f2}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-21 d:\windows\Tasks\MP Scheduled Scan.job
- d:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{36ee258a-7001-4d6b-ae9a-3126e4523625} - d:\windows\system32\negonito.dll
BHO-{B9557C96-7F76-4644-AAE6-3A32F7EB4BAB} - (no file)
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
Notify-ddccccb - ddccccb.dll

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: &AIM Search - d:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\Kinh Tran\Application Data\Mozilla\Firefox\Profiles\l8zqv4o9.default\
FF - plugin: d:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 14:23:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Windows Defender\MsMpEng.exe
d:\program files\Lavasoft\Ad-Aware\aawservice.exe
d:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\nvsvc32.exe
d:\program files\Canon\CAL\CALMAIN.exe
d:\windows\system32\rundll32.exe
d:\program files\iPod\bin\iPodService.exe
d:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-12-21 14:34:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 22:34:14

Pre-Run: 4,825,714,688 bytes free
Post-Run: 4,736,008,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
C:\="MS-DOS"

244 --- E O F --- 2008-12-06 02:33:11

katana · Dec 21, 2008

Disable Teatimer
First step:

Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

File::
d:\windows\system32\esujufuh.ini
d:\windows\system32\okavoyup.ini
d:\windows\system32\ihaluvap.ini
d:\windows\system32\ulilagur.ini
d:\windows\system32\agisisit.ini
d:\windows\system32\ebelabik.ini
d:\windows\wininit.ini
d:\windows\system32\higihape.dll
d:\windows\system32\hufujuse.dll
d:\windows\system32\sijiwebi.dll
d:\windows\system32\tomatofi.dll

Folder::
Driver::
XDva202
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bejozuseto"=-
"784681f5"=-
"CPMf79c3322"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Documents and Settings\\Kinh Tran\\Desktop\\utorrent.exe"=-
ADS::

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

How are things running now ?

CeruleanSkyX · Dec 23, 2008

I've already used the Kaspersky online scanner to scan my computer but I was having trouble actually saving the log. The IE browser didn't respond quite well. I'm assuming that you also need to take a look at that log. Is it alright if I just used the firefox browser instead?
Anyhow, it seems like the combo fix removed some of the virtumonde.prx but it doesn't look like it's completely gone. I'm still getting pop-ups and the spybot search and destroy is popping up that one box requesting about the changes in the registry key and I keep seeing "value added" then the entry is always "CPMf79c3322" or "bejozuseto". So I'm not quite sure.

CeruleanSkyX · Dec 23, 2008

Here's the log for the combo fix:

ComboFix 08-12-21.01 - Kinh Tran 2008-12-22 10:46:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.88 [GMT -8:00]
Running from: d:\documents and settings\Kinh Tran\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\agisisit.ini
d:\windows\system32\akxfgaeh.ini
d:\windows\system32\amsdcmdv.ini
d:\windows\system32\azenoyoy.ini
d:\windows\system32\brfukniq.ini
d:\windows\system32\clygpbhp.ini
d:\windows\system32\dfuatmri.ini
d:\windows\system32\dilxcttc.ini
d:\windows\system32\dirqaekv.ini
d:\windows\system32\dqpryupj.ini
d:\windows\system32\ebelabik.ini
d:\windows\system32\enfyrwsc.ini
d:\windows\system32\esujufuh.ini
d:\windows\system32\fqybgpgj.ini
d:\windows\system32\ifdjicpt.ini
d:\windows\system32\igavfgky.ini
d:\windows\system32\ihaluvap.ini
d:\windows\system32\jdbgqwuh.ini
d:\windows\system32\jusatjjg.ini
d:\windows\system32\keibrmkn.ini
d:\windows\system32\lfmeistr.ini
d:\windows\system32\liuoquoi.ini
d:\windows\system32\lnovbbqh.ini
d:\windows\system32\moylxqwq.ini
d:\windows\system32\mvuvofei.ini
d:\windows\system32\nlfqusol.ini
d:\windows\system32\nsdeshcu.ini
d:\windows\system32\okavoyup.ini
d:\windows\system32\ppausfhi.ini
d:\windows\system32\pwuxxiaq.ini
d:\windows\system32\rbnijqsq.ini
d:\windows\system32\reovuvqa.ini
d:\windows\system32\ricgtgru.ini
d:\windows\system32\sqomqhec.ini
d:\windows\system32\syfgnvpu.ini
d:\windows\system32\udnavqwb.ini
d:\windows\system32\uerjhdbh.ini
d:\windows\system32\ulilagur.ini
d:\windows\system32\vbixtnbn.ini
d:\windows\system32\wcmmlxih.ini
d:\windows\system32\wldashvb.ini
d:\windows\system32\xbhkbeft.ini
d:\windows\system32\yppvbyyj.ini
d:\windows\system32\ywmrgfji.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-22 10:45 . 2008-12-22 10:45 <DIR> d-------- d:\windows\LastGood.Tmp
2008-12-21 14:58 . 2008-12-21 14:58 <DIR> d-------- d:\program files\Foxit Software
2008-12-21 14:58 . 2008-12-21 18:10 <DIR> d-------- d:\program files\AskBarDis
2008-12-21 14:58 . 2008-12-21 14:58 <DIR> d-------- d:\documents and settings\Kinh Tran\Application Data\Foxit
2008-12-20 14:01 . 2008-12-20 14:03 <DIR> d-------- D:\rsit
2008-12-14 21:25 . 2008-12-14 21:25 <DIR> d-------- d:\program files\Trend Micro
2008-12-14 19:40 . 2008-12-14 19:39 410,984 --a------ d:\windows\system32\deploytk.dll
2008-12-06 23:32 . 2008-12-17 23:01 443 --a------ d:\windows\wininit.ini
2008-12-06 20:46 . 2008-12-06 20:46 <DIR> d-------- d:\documents and settings\All Users\Application Data\Innovative Solutions
2008-12-06 20:45 . 2008-12-06 20:45 <DIR> d-------- d:\program files\Innovative Solutions
2008-12-06 20:45 . 2006-11-22 11:35 42,496 --a------ d:\windows\system32\AdvUninstCPL.cpl
2008-12-05 19:54 . 2008-12-05 19:54 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
2008-12-05 19:40 . 2008-12-05 19:40 <DIR> d-------- d:\program files\CCleaner
2008-12-05 18:49 . 2008-12-14 20:03 <DIR> d-------- d:\program files\XoftSpySE
2008-12-05 18:24 . 2008-12-05 18:24 <DIR> d-------- d:\program files\PocketRAR
2008-12-05 18:23 . 2008-12-05 18:23 <DIR> d-------- d:\program files\Common Files\Stardock
2008-12-04 17:02 . 2008-12-04 17:02 <DIR> d-------- d:\documents and settings\Kinh Tran\Application Data\Uniblue
2008-12-03 20:45 . 2008-12-03 20:45 <DIR> d-------- d:\documents and settings\Kinh Tran\Application Data\AppleWorks
2008-11-28 18:30 . 2008-11-28 18:30 <DIR> d--h----- d:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 18:19 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-21 22:51 --------- d-----w d:\program files\Java
2008-12-07 07:31 --------- d-----w d:\program files\Enigma Software Group
2008-12-07 04:47 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-12-06 03:55 --------- d-----w d:\program files\Lavasoft
2008-12-06 03:51 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 02:48 --------- d-----w d:\documents and settings\All Users\Application Data\Viewpoint
2008-12-06 02:46 --------- d-----w d:\documents and settings\Kinh Tran\Application Data\uTorrent
2008-12-04 23:55 --------- d-----w d:\program files\Malwarebytes' Anti-Malware
2008-11-26 07:54 --------- d-----w d:\documents and settings\Kinh Tran\Application Data\U3
2008-10-24 15:04 --------- d-----w d:\program files\Transtar
2008-10-24 11:21 455,296 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-10-23 15:26 --------- d-----w d:\program files\WINPENJR
2008-10-23 15:25 --------- d--h--w d:\program files\InstallShield Installation Information
2008-10-23 15:25 --------- d-----w d:\documents and settings\All Users\Application Data\WINPENJR
2008-09-17 01:27 62,563 --sha-w d:\windows\system32\higihape.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-21_14.33.04.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-22 07:30:58 95,889 --sha-w d:\windows\system32\tefiwizu.dll
+ 2008-12-22 07:30:59 83,164 --sha-w d:\windows\system32\yoyoneza.dll
+ 2008-12-22 18:55:13 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_24c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36ee258a-7001-4d6b-ae9a-3126e4523625}]
d:\windows\system32\negonito.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Custom.exe"="d:\program files\WINPENJR\win32\Custom.EXE" [2007-02-01 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2004-07-15 81920]
"!AVG Anti-Spyware"="d:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-04-08 6731312]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"bejozuseto"="d:\windows\system32\higihape.dll" [2008-09-16 62563]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"CPMf79c3322"="d:\windows\system32\tefiwizu.dll" [2008-12-21 95889]
"nwiz"="nwiz.exe" [2004-07-15 d:\windows\system32\nwiz.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
PenPower Email Touchpad.lnk - d:\program files\WINPENJR\win32\AcrEmChk.exe [2008-10-23 305152]
Smart Wizard Wireless Settings.lnk - d:\program files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2005-09-03 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "d:\windows\system32\tefiwizu.dll" [2008-12-21 95889]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\tefiwizu.dll [2008-12-21 95889]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="d:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli d:\windows\system32\tomatofi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Starcraft\\StarCraft.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Common Files\\AOL\\1156894881\\ee\\aolsoftware.exe"=
"d:\\Program Files\\Common Files\\AOL\\1156894881\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Documents and Settings\\Kinh Tran\\Desktop\\utorrent.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\Windows CE Services\\DCCMAN .EXE"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"d:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe"=
"d:\\WINDOWS\\system32\\logonuiX.exe"=
"d:\\Program Files\\iTunes\\iTunesHelper.exe"=
"d:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP

xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP

xpsp2res.dll,-22016
"500:UDP"= 500:UDP

xpsp2res.dll,-22017

R3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;d:\windows\system32\DRIVERS\wg121nd5.sys [2005-09-03 337216]
S3 SMALUSB;Digital Camera Driver;d:\windows\system32\DRIVERS\smalidt.sys [2005-05-02 9344]
S3 XDva202;XDva202;\??\d:\windows\system32\XDva202.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e59835d-4e20-11dc-9e5a-00095bd326f2}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48d9c57d-694a-11dc-9e5f-00095bd326f2}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 d:\windows\Tasks\MP Scheduled Scan.job
- d:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-784681f5 - d:\windows\system32\hufujuse.dll

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: &AIM Search - d:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\Kinh Tran\Application Data\Mozilla\Firefox\Profiles\l8zqv4o9.default\
FF - plugin: d:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
pref(dom.disable_open_during_load, true);.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 10:54:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Windows Defender\MsMpEng.exe
d:\program files\Lavasoft\Ad-Aware\aawservice.exe
d:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\nvsvc32.exe
d:\program files\Canon\CAL\CALMAIN.exe
d:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-22 11:04:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 19:04:01
ComboFix2.txt 2008-12-21 22:34:28

Pre-Run: 5,059,837,952 bytes free
Post-Run: 4,961,120,256 bytes free

223 --- E O F --- 2008-12-06 02:33:11

katana · Dec 23, 2008

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

File::
d:\windows\wininit.ini
d:\windows\system32\higihape.dll
d:\windows\system32\tefiwizu.dll
d:\windows\system32\yoyoneza.dll
d:\windows\system32\negonito.dll
Folder::
d:\documents and settings\Kinh Tran\Application Data\uTorrent
Driver::
XDva202
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36ee258a-7001-4d6b-ae9a-3126e4523625}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bejozuseto"=-
"SunJavaUpdateSched"=-
"CPMf79c3322"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00,

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Documents and Settings\\Kinh Tran\\Desktop\\utorrent.exe"=-
"d:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=-
"d:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=-
ADS::

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you can run Kaspersky in Firefox, that is fine.
We recommend IE because some people have trouble with Firefox.

CeruleanSkyX · Dec 23, 2008

The virtumonde.prx doesn't look like it's infecting my computer anymore. Hooray!! I found the main source and deleted them with the Hijack list and scanned my computer multiple times with spybot. Apparently it was these BHO's that were the main problem. :red: But I appreciate your assistance and patience. Thank you very much for taking the time to help me out!! And Spybot search and destroy is a miracle program. haha. ;D
Btw, will this thread be deleted or archived?

katana · Dec 23, 2008

Entirely your choice, but there is a lot more than just a couple of BHO's that are the problem.

If you wish to continue please follow the instructions above

CeruleanSkyX · Dec 25, 2008

I think I'll stop for now. As longs as my computer is functioning well and doesn't have those popups I think it's okay. But still, thank you for your assistance and time.

Virtumonde.prx...D:

CeruleanSkyX

New member

katana

Security Expert-Emeritus

CeruleanSkyX

New member

CeruleanSkyX

New member

katana

Security Expert-Emeritus

CeruleanSkyX

New member

katana

Security Expert-Emeritus

CeruleanSkyX

New member

katana

Security Expert-Emeritus

CeruleanSkyX

New member

CeruleanSkyX

New member

katana

Security Expert-Emeritus

CeruleanSkyX

New member

katana

Security Expert-Emeritus

CeruleanSkyX

New member