Virtumonde Removal Needed - JF

[jfelske]

Any help would be appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:41 PM, on 2009-01-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: {7134c1d4-a9b5-8f69-d7d4-b059c998d730} - {037d899c-950b-4d7d-96f8-5b9a4d1c4317} - C:\WINDOWS\system32\kqmhuf.dll
O2 - BHO: (no name) - {7fec229a-2708-4852-9740-263b9b3eadee} - C:\WINDOWS\system32\demazabu.dll
O2 - BHO: (no name) - {853bfe18-0547-421d-a03b-6a51362e75eb} - C:\WINDOWS\system32\jegulufo.dll
O2 - BHO: (no name) - {a05e4245-b426-4564-9c11-93c1e80eb34a} - C:\WINDOWS\system32\demazabu.dll
O2 - BHO: (no name) - {fced0176-4c2d-4601-82a0-fe889444e8df} - C:\WINDOWS\system32\demazabu.dll
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] D:\DSL\programs\dslpca.exe /ws
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mulumobu.dll",s
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\razifazi.dll",a
O4 - HKLM\..\RunOnce: [SpybotDeletingA2290] command /c del "c:\windows\system32\razifazi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC957] cmd /c del "c:\windows\system32\razifazi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7300] command /c del "C:\WINDOWS\system32\mulumobu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4027] cmd /c del "C:\WINDOWS\system32\mulumobu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9273] command /c del "C:\WINDOWS\system32\rurisugo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5067] cmd /c del "C:\WINDOWS\system32\rurisugo.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB92] command /c del "c:\windows\system32\razifazi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5130] cmd /c del "c:\windows\system32\razifazi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB151] command /c del "C:\WINDOWS\system32\mulumobu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD517] cmd /c del "C:\WINDOWS\system32\mulumobu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8726] command /c del "C:\WINDOWS\system32\rurisugo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9697] cmd /c del "C:\WINDOWS\system32\rurisugo.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mulumobu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mulumobu.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/44.10/uploader2.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\demazabu.dll C:\WINDOWS\system32\sihosido.dll kqmhuf.dll c:\windows\system32\razifazi.dll,C:\WINDOWS\system32\pusukupu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\razifazi.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\razifazi.dll (file missing)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

--
End of file - 6118 bytes

 

[peku006]

Hello and welcome to Safer Networking.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

There is no sign of an antivirus installed on your system. There are several reasons for it. Either you have disabled your antivirus or there's no antivirus installed.

If you have disabled it, please re-enable it. If you have no antivirus installed, please get ONE antivirus and install it. Restart the computer for changes to take effect.

avast! 4 Home Edition
AntiVir Free Edition

1 - Scan With ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus

Please include the C:\ComboFix.txt in your next reply for further review.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006

 

[jfelske]

Virtumonde Removal - JF - ComboFix & HJT Logs

Thank you very much for helping me out. Please let me know how to proceed next.

*************
COMBOFIX LOG
*************
ComboFix 09-01-21.04 - Bob 2009-01-26 18:57:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.244 [GMT -8:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\twunk_32.exe
c:\windows\system32\bijatubu.dll
c:\windows\system32\bimikebe.dll
c:\windows\system32\bvgkce.dll
c:\windows\system32\demazabu.dll
c:\windows\system32\fozihiha.dll
c:\windows\system32\funepana.dll.tmp
c:\windows\system32\getovojo.dll
c:\windows\system32\gohepayo.dll
c:\windows\system32\izrmwd.dll
c:\windows\system32\jegulufo.dll.tmp
c:\windows\system32\jiyapupe.dll
c:\windows\system32\jonusosi.dll
c:\windows\system32\kqmhuf.dll
c:\windows\system32\lumafeta.dll
c:\windows\system32\ogusirur.ini
c:\windows\system32\oyapehog.ini
c:\windows\system32\pipotora.dll
c:\windows\system32\pusukupu.dll
c:\windows\system32\rihepata.dll
c:\windows\system32\sidubage.dll.tmp
c:\windows\system32\sihosido.dll.tmp
c:\windows\system32\simufiyu.dll
c:\windows\system32\tohupari.dll.tmp
c:\windows\system32\tojewote.dll
c:\windows\system32\ubutajib.ini
c:\windows\system32\unabulag.ini
c:\windows\system32\urizukik.ini
c:\windows\system32\usafodus.ini
c:\windows\system32\vuberija.dll
c:\windows\system32\woyobopo.dll
c:\windows\system32\yemuhiya.dll
G:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-26 19:04 . 2009-01-26 19:05 <DIR> d-------- c:\windows\LastGood
2009-01-26 19:04 . 2008-10-16 14:06 268,648 --a------ c:\windows\SYSTEM32\mucltui.dll
2009-01-26 19:04 . 2008-10-16 14:06 208,744 --a------ c:\windows\SYSTEM32\muweb.dll
2009-01-26 19:04 . 2008-10-16 14:06 27,496 --a------ c:\windows\SYSTEM32\mucltui.dll.mui
2009-01-26 18:33 . 2009-01-26 18:33 504,832 --a------ C:\How to use ComboFix.doc
2009-01-26 18:22 . 2009-01-26 18:22 2,126 --a------ c:\windows\SYSTEM32\wpa.dbl
2009-01-26 16:43 . 2009-01-26 16:43 <DIR> d-------- c:\program files\Avira
2009-01-26 16:43 . 2009-01-26 16:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-25 17:00 . 2009-01-25 17:00 133,364 --ahs---- C:\ARK5C.tmp
2009-01-25 05:00 . 2009-01-25 05:00 133,315 --ahs---- C:\ARK5B.tmp
2009-01-24 15:11 . 2009-01-24 15:11 <DIR> d-------- c:\program files\ERUNT
2009-01-24 13:54 . 2009-01-26 18:59 6,456 --ah----- c:\windows\SYSTEM32\fujisafo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 23:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 22:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-05 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\RetroExp
2008-12-26 21:23 --------- d-----w c:\program files\Maxtor
2008-12-26 18:51 --------- d-----w c:\program files\Retrospect
2008-12-26 18:47 33,767,936 ----a-w C:\Express_HD_EN_1_1_127.exe
2008-12-23 02:59 --------- d-----w c:\program files\CCleaner
2008-12-23 01:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-21 04:30 --------- d-----w c:\program files\Windows Live
2008-12-21 04:27 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-21 04:23 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-08 02:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-08 01:30 --------- d-----w c:\program files\Trend Micro
2008-12-07 22:32 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-07 22:23 --------- d-----w c:\program files\Common Files\PC Tools
2008-12-07 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-05 05:03 --------- d-----w c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
2008-12-05 05:02 --------- d-----w c:\documents and settings\Bob\Application Data\Lavasoft
2008-12-03 04:32 --------- d-----w c:\program files\Java
2008-12-03 02:04 --------- d-----w c:\program files\Yahoo!
2008-12-02 03:47 --------- d-----w c:\documents and settings\Bob\Application Data\Yahoo!
2008-11-28 15:28 --------- d-----w c:\program files\Common Files\Adobe
2008-11-28 15:28 --------- d-----w c:\documents and settings\Bob\Application Data\AdobeUM
2008-10-28 12:36 591,296 ----a-w C:\WebmailPlugin.dll
2007-12-24 16:35 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2005-11-21 07:44 408,229 --sh--w c:\windows\MSAGENT\ksidnur.bak1
2005-11-26 18:44 425,954 --sh--w c:\windows\MSAGENT\ksidnur.bak2
2005-11-26 20:20 541,290 --sh--w c:\windows\MSAGENT\ksidnur.ini2
2008-09-27 02:27 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Linksys\\LogViewer\\LogViewer.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\SYSTEM32\\taskmgr.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=

R3 MovRVDrv32;MovRVDrv32;c:\windows\SYSTEM32\DRIVERS\MovRVDrv32.sys [2008-01-26 3768]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\SYSTEM32\DRIVERS\ASPI32.SYS [2007-12-27 16512]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\SYSTEM32\DRIVERS\DrmCDriverV32.sys [2007-12-27 515200]
S3 DrmCVideo32;DrmCVideo32;c:\windows\SYSTEM32\DRIVERS\DrmCVideo32.sys [2007-12-27 3768]
S4 SoundMovieServer;SoundMovieServer;c:\windows\SYSTEM32\snmvtsvc.exe [2008-01-26 184320]
.
Contents of the 'Scheduled Tasks' folder

2008-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2004-01-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7fec229a-2708-4852-9740-263b9b3eadee} - c:\windows\system32\demazabu.dll
BHO-{853bfe18-0547-421d-a03b-6a51362e75eb} - c:\windows\system32\yemuhiya.dll
BHO-{a05e4245-b426-4564-9c11-93c1e80eb34a} - c:\windows\system32\demazabu.dll
BHO-{b5967a0a-cd03-48bb-8a8b-c1bb9f7235e9} - c:\windows\system32\bvgkce.dll
BHO-{fced0176-4c2d-4601-82a0-fe889444e8df} - c:\windows\system32\demazabu.dll
HKLM-Run-AT&T DSL Service PCA Program - d:\dsl\programs\dslpca.exe
MSConfigStartUp-CPM378586b8 - c:\windows\system32\hohunowi.dll
MSConfigStartUp-hedohiruda - c:\windows\system32\yogaguse.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 19:02:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\RETROS~1\RETROS~1.1\retrorun.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-26 19:13:15 - machine was rebooted [Bob]
ComboFix-quarantined-files.txt 2009-01-27 03:13:05

Pre-Run: 36,653,985,792 bytes free
Post-Run: 36,656,668,672 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

188 --- E O F --- 2009-01-27 03:04:28
*************

*************
HIJACK THIS LOG
*************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:18, on 2009-01-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/44.10/uploader2.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

--
End of file - 4365 bytes
*************

Thanks again!

 

[peku006]

Hi jfelske

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\ARK5C.tmp
C:\ARK5B.tmp
c:\windows\SYSTEM32\fujisafo

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

• Double-click on Download_mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
• Update Malwarebytes' Anti-Malware
• Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself.
• Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform full scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• The log can also be found here:
  
  C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log

Thanks peku006

 

[jfelske]

Virtumonde Removal - JF - Info 2

OK, here goes...

*************
COMBOFIX LOG
*************
ComboFix 09-01-21.04 - Bob 2009-01-27 17:30:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.256 [GMT -8:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\ARK5B.tmp
C:\ARK5C.tmp
c:\windows\SYSTEM32\fujisafo
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ARK5B.tmp
C:\ARK5C.tmp
c:\windows\SYSTEM32\fujisafo

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 19:04 . 2008-10-16 14:06 268,648 --a------ c:\windows\SYSTEM32\mucltui.dll
2009-01-26 19:04 . 2008-10-16 14:06 208,744 --a------ c:\windows\SYSTEM32\muweb.dll
2009-01-26 19:04 . 2008-10-16 14:06 27,496 --a------ c:\windows\SYSTEM32\mucltui.dll.mui
2009-01-26 18:33 . 2009-01-26 18:33 504,832 --a------ C:\How to use ComboFix.doc
2009-01-26 18:22 . 2009-01-27 03:12 2,148 --a------ c:\windows\SYSTEM32\wpa.dbl
2009-01-26 16:43 . 2009-01-26 16:43 <DIR> d-------- c:\program files\Avira
2009-01-26 16:43 . 2009-01-26 16:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-24 15:11 . 2009-01-24 15:11 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 23:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 22:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-05 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\RetroExp
2008-12-26 21:23 --------- d-----w c:\program files\Maxtor
2008-12-26 18:51 --------- d-----w c:\program files\Retrospect
2008-12-26 18:47 33,767,936 ----a-w C:\Express_HD_EN_1_1_127.exe
2008-12-23 02:59 --------- d-----w c:\program files\CCleaner
2008-12-23 01:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-21 04:30 --------- d-----w c:\program files\Windows Live
2008-12-21 04:27 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-21 04:23 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-12-08 02:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-08 01:30 --------- d-----w c:\program files\Trend Micro
2008-12-07 22:32 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-07 22:23 --------- d-----w c:\program files\Common Files\PC Tools
2008-12-07 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 20:28 578,560 ----a-w c:\windows\SYSTEM32\DLLCACHE\user32.dll
2008-12-05 05:03 --------- d-----w c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
2008-12-05 05:02 --------- d-----w c:\documents and settings\Bob\Application Data\Lavasoft
2008-12-03 04:32 --------- d-----w c:\program files\Java
2008-12-03 02:04 --------- d-----w c:\program files\Yahoo!
2008-12-02 03:47 --------- d-----w c:\documents and settings\Bob\Application Data\Yahoo!
2008-11-28 15:28 --------- d-----w c:\program files\Common Files\Adobe
2008-11-28 15:28 --------- d-----w c:\documents and settings\Bob\Application Data\AdobeUM
2008-10-28 12:36 591,296 ----a-w C:\WebmailPlugin.dll
2007-12-24 16:35 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2005-11-21 07:44 408,229 --sh--w c:\windows\MSAGENT\ksidnur.bak1
2005-11-26 18:44 425,954 --sh--w c:\windows\MSAGENT\ksidnur.bak2
2005-11-26 20:20 541,290 --sh--w c:\windows\MSAGENT\ksidnur.ini2
2008-09-27 02:27 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-26_19.11.47.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 00:11:54 285,184 ------w c:\windows\SYSTEM32\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll
+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\SYSTEM32\MRT.exe
- 2006-12-07 05:29:34 2,374,472 ------w c:\windows\SYSTEM32\wmvcore.dll
+ 2008-06-10 15:07:24 2,376,760 ------w c:\windows\SYSTEM32\WMVCore.dll
+ 2009-01-27 11:10:27 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_1a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Linksys\\LogViewer\\LogViewer.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\SYSTEM32\\taskmgr.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=

R3 MovRVDrv32;MovRVDrv32;c:\windows\SYSTEM32\DRIVERS\MovRVDrv32.sys [2008-01-26 3768]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\SYSTEM32\DRIVERS\ASPI32.SYS [2007-12-27 16512]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\SYSTEM32\DRIVERS\DrmCDriverV32.sys [2007-12-27 515200]
S3 DrmCVideo32;DrmCVideo32;c:\windows\SYSTEM32\DRIVERS\DrmCVideo32.sys [2007-12-27 3768]
S4 SoundMovieServer;SoundMovieServer;c:\windows\SYSTEM32\snmvtsvc.exe [2008-01-26 184320]
.
Contents of the 'Scheduled Tasks' folder

2008-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2004-01-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 17:33:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-01-27 17:39:23
ComboFix-quarantined-files.txt 2009-01-28 01:38:06
ComboFix2.txt 2009-01-27 03:13:16

Pre-Run: 36,545,142,784 bytes free
Post-Run: 36,546,228,224 bytes free

137 --- E O F --- 2009-01-27 11:03:54
*************

*************
MALWAREBYTES' ANTI-MALWARE LOG
*************
Malwarebytes' Anti-Malware 1.33
Database version: 1701
Windows 5.1.2600 Service Pack 3

2009-01-28 06:01:47
mbam-log-2009-01-28 (06-01-47).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 159031
Time elapsed: 3 hour(s), 50 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20081222-173227-206.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20081222-173418-194.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20081222-175508-927.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20081222-175552-806.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20081222-183315-923.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
*************

*************
HIJACKTHIS LOG
*************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:03, on 2009-01-28
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/44.10/uploader2.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

--
End of file - 4520 bytes
*************

 

[peku006]

Hi jfelske

Looking good
Let's make sure we got everything

1 - Clean temp files

• Download and Run ATF Cleaner
  Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.
  
  Under Main choose:
  • 
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.
  if you use Firefox:
  • 
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
  if you use Opera:
  • 
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
  
  Click Exit on the Main menu to close the program

2 - F-Secure Online Scan

1. Please go to F-Secure website to perform an online scan. Click on Start scanning at the bottom of the page.
2. You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
3. Click on Accept to accept the License Agreement.
4. Click on Custom Scan.
   • Under Virus Scan Options, select the Scan whole system option.
   • Under Other Scan Options, select these options:
     • Scan all files
     • Scan whole system for rootkits
     • Scan whole system for spyware
     • Scan inside archives
     • Use advanced heuristics
5. Click Start.
6. It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
7. Click on I want decide item by item.
8. Under Actions, select None for all infections found.
9. Click Next.
10. Click on Show Report.
11. Please copy and paste this report in your next reply.
12. Click Finish.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the F-Secure online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006

 

[jfelske]

Virtumonde Removal - JF - Info 3

Computer is actually running quite slowly -- I got the "Computer is running low on Virtual Memory" error. Are there steps I can take to free up some memory? But the popups associated with Virtumonde are gone (thanks!) and everything else seems to be in order!

*************
F-SECURE ONLINE SCANNER REPORT
*************
Scanning Report
Thursday, January 29, 2009 06:27:50 - 19:09:01
Computer name: LINUS
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ G:\


------------------------------------------------------------

Result: 15 malware found
REG/Small.A (virus)
C:\MGtools\hide.reg
TrackingCookie.2o7 (spyware)
System
Trojan.Win32.Agent (virus)
System
Trojan.Win32.Agent.bktc (virus)
C:\ARK5E.tmp
C:\ARK60.tmp
C:\ARK61.tmp
C:\Qoobox\Quarantine\C\ARK5B.tmp.vir
C:\Qoobox\Quarantine\C\ARK5C.tmp.vir
Vundo.FBW (virus)
C:\WINDOWS\MSAGENT\ksidnur.tmp
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ogusirur.ini.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\oyapehog.ini.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ubutajib.ini.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\unabulag.ini.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\urizukik.ini.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\usafodus.ini.vir

--------------------------------------------------------------

Statistics
Scanned:
Files: 269153
System: 3588
Not scanned: 68
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 15
Submitted: 0
Files not scanned:
W?

---------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 2.8.8110, 2009-01-29
F-Secure AVP: 7.0.171, 2009-01-29
F-Secure Pegasus: 1.20.0, 1969-11-31
F-Secure Blacklight: 0.0.0
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

---------------------------------------------------------------
*************

*************
HIJACK THIS LOG
*************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14, on 2009-01-29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\Bob\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\Bob\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/44.10/uploader2.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

--
End of file - 4866 bytes

*************

Sorry for the delay in replying this time. Look forward to hearing back!

 

[peku006]

Hi jfelske

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

post back if it helped.

Please download OTScanIt2 from Geeks to Go or Bleeping Computer. Save it to your desktop.

1. Double click on OTScanIt2.exe to run it.
2. Click on Extract. Once done, you will be prompted. Click OK and click Close.
3. Double click on the OTScanIt2 folder. Double click on OTScanIt2.exe to run it.
4. Under Rookit Search, select Yes.
5. Click on Run Scan at the top left hand corner.
6. When done, Notepad will open. Please post this log in your next reply.

Thanks peku006

 

[jfelske]

Virtumonde Removal - JF - Info 5

I downloaded and ran OTScanIt2.exe. A few seconds into the scan, I received the following error message:

'1/1/2099 12 is not a valid date and time.'

The header for the error window said "Otscanit2".
The icon in the error window was a red circle with a white 'X' through it.
The only clickable option button within the error window was "OK".

The error occurred at the step where the status bar at the bottom of the OTScanIt2 window said:
"Looking for newly created files: C:\ARK5D.tmp..."

I've noticed that 'ARK5D.tmp' and other similar files have come up in some previous scans, and Avira identifies them when it does scans. The set of similar files includes:
-- C:\ARK5D.tmp
-- C:\ARK5E.tmp
-- C:\ARK5F.tmp
-- C:\ARK60.tmp
-- C:\ARK61.tmp
-- C:\ARK62.tmp
Should I be trying to get rid of these files?

 

[peku006]

Hi

Should I be trying to get rid of these files?

not yet....

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\MSAGENT\ksidnur.bak1
c:\windows\MSAGENT\ksidnur.bak2
c:\windows\MSAGENT\ksidnur.ini2

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please reply with

the ComboFix log(C:\ComboFix.txt)

Thanks peku006

 

[jfelske]

Virtumonde Removal - JF - Info 6

Here it is!

ComboFix 09-01-31.03 - Bob 2009-02-01 8:08:53.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.286 [GMT -8:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\MSAGENT\ksidnur.bak1
c:\windows\MSAGENT\ksidnur.bak2
c:\windows\MSAGENT\ksidnur.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\MSAGENT\ksidnur.bak1
c:\windows\MSAGENT\ksidnur.bak2
c:\windows\MSAGENT\ksidnur.ini2

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-28 17:24 . 2009-01-28 17:24 <DIR> d-------- C:\fsaua.data
2009-01-27 17:54 . 2009-01-28 17:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 17:54 . 2009-01-27 17:54 <DIR> d-------- c:\documents and settings\Bob\Application Data\Malwarebytes
2009-01-27 17:54 . 2009-01-27 17:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-27 17:54 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-27 17:54 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-26 19:04 . 2008-10-16 14:06 268,648 --a------ c:\windows\SYSTEM32\mucltui.dll
2009-01-26 19:04 . 2008-10-16 14:06 208,744 --a------ c:\windows\SYSTEM32\muweb.dll
2009-01-26 19:04 . 2008-10-16 14:06 27,496 --a------ c:\windows\SYSTEM32\mucltui.dll.mui
2009-01-26 18:33 . 2009-01-26 18:33 504,832 --a------ C:\How to use ComboFix.doc
2009-01-26 18:22 . 2009-01-27 17:51 2,148 --a------ c:\windows\SYSTEM32\wpa.dbl
2009-01-26 16:43 . 2009-01-28 17:22 <DIR> d-------- c:\program files\Avira
2009-01-26 16:43 . 2009-01-26 16:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-24 15:11 . 2009-01-28 17:22 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 23:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 22:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-05 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\RetroExp
2008-12-26 21:23 --------- d-----w c:\program files\Maxtor
2008-12-26 18:51 --------- d-----w c:\program files\Retrospect
2008-12-26 18:47 33,767,936 ----a-w C:\Express_HD_EN_1_1_127.exe
2008-12-23 02:59 --------- d-----w c:\program files\CCleaner
2008-12-23 01:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-21 04:30 --------- d-----w c:\program files\Windows Live
2008-12-21 04:27 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-21 04:23 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-12-08 02:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-08 01:30 --------- d-----w c:\program files\Trend Micro
2008-12-07 22:32 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-07 22:23 --------- d-----w c:\program files\Common Files\PC Tools
2008-12-07 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 20:28 578,560 ----a-w c:\windows\SYSTEM32\DLLCACHE\user32.dll
2008-12-05 05:03 --------- d-----w c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
2008-12-05 05:02 --------- d-----w c:\documents and settings\Bob\Application Data\Lavasoft
2008-12-03 04:32 --------- d-----w c:\program files\Java
2008-12-03 02:04 --------- d-----w c:\program files\Yahoo!
2008-12-02 03:47 --------- d-----w c:\documents and settings\Bob\Application Data\Yahoo!
2007-12-24 16:35 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-09-27 02:27 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-26_19.11.47.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-08 22:38:44 290,816 ----a-w c:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-01-11 22:45:50 495,616 ----a-w c:\windows\Downloaded Program Files\daas_s.dll
+ 2008-01-25 23:19:20 262,144 ----a-w c:\windows\Downloaded Program Files\fscax.dll
+ 2008-01-25 23:11:06 588,392 ----a-w c:\windows\Downloaded Program Files\gatelauncher.exe
- 2005-10-21 04:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 16:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 16:00:00 286,720 ----a-w c:\windows\SWREG.exe
- 2008-04-14 00:11:54 285,184 ------w c:\windows\SYSTEM32\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll
+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\SYSTEM32\MRT.exe
- 2006-12-07 05:29:34 2,374,472 ------w c:\windows\SYSTEM32\wmvcore.dll
+ 2008-06-10 15:07:24 2,376,760 ------w c:\windows\SYSTEM32\WMVCore.dll
+ 2009-01-28 01:49:15 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_1a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Linksys\\LogViewer\\LogViewer.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\SYSTEM32\\taskmgr.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=

R3 MovRVDrv32;MovRVDrv32;c:\windows\SYSTEM32\DRIVERS\MovRVDrv32.sys [2008-01-26 3768]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\SYSTEM32\DRIVERS\ASPI32.SYS [2007-12-27 16512]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\SYSTEM32\DRIVERS\DrmCDriverV32.sys [2007-12-27 515200]
S3 DrmCVideo32;DrmCVideo32;c:\windows\SYSTEM32\DRIVERS\DrmCVideo32.sys [2007-12-27 3768]
S4 SoundMovieServer;SoundMovieServer;c:\windows\SYSTEM32\snmvtsvc.exe [2008-01-26 184320]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - F-SECURE_STANDALONE_MINIFILTER
*NewlyCreated* - FSBL
*NewlyCreated* - IPOD_SERVICE
*Deregistered* - F-Secure Standalone Minifilter
*Deregistered* - fsbl
.
Contents of the 'Scheduled Tasks' folder

2008-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2004-01-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 08:14:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-01 8:19:50
ComboFix-quarantined-files.txt 2009-02-01 16:19:12
ComboFix2.txt 2009-01-28 01:39:24
ComboFix3.txt 2009-01-27 03:13:16

Pre-Run: 35,495,395,328 bytes free
Post-Run: 35,763,224,576 bytes free

154 --- E O F --- 2009-01-27 11:03:54

 

[peku006]

Hi jfelske

uninstall ComboFix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

1. Double click on OTScanIt2.exe to run it.
2. Click on Extract. Once done, you will be prompted. Click OK and click Close.
3. Double click on the OTScanIt2 folder. Double click on OTScanIt2.exe to run it.
4. Under Rookit Search, select Yes.
5. Click on Run Scan at the top left hand corner.
6. When done, Notepad will open. Please post this log in your next reply.

Thanks peku006

 

[jfelske]

Virtumonde Removal - JF - Info 7

Same thing happened as the last time I ran OTScanIt2: a few seconds into the scan, I received the following error message:

'1/1/2099 12 is not a valid date and time.'

The header for the error window said "Otscanit2".
The icon in the error window was a red circle with a white 'X' through it.
The only clickable option button within the error window was "OK".

The error occurred at the step where the status bar at the bottom of the OTScanIt2 window said:
"Looking for newly created files: C:\ARK5D.tmp..."

 

[peku006]

Hi jfelske

Let´s try this.....

1. Please download OTViewIt by OldTimer and save it to your Desktop.
2. Close all applications and windows.
3. Double-click on the OTViewIt.exeto start OTViewIt.
4. Place a checkmark in the blue-colored "Scan All Users" checkbox.
5. Click the blue Run Scan button.
6. OTViewIt will now start its scan.
7. When the scan is complete, two text files will be created, OTViewIt.Txt <- this one will be opened in Notepad and Extras.txt, on Desktop.
8. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTViewIt.Txt and the Extras.txt to your post.

Thanks peku006

 

[jfelske]

Virtumonde Removal - JF - Info 8

The same thing happened as when I ran OTScanIt2: a few seconds into the scan, I received the following error message:

'1/1/2099 12 is not a valid date and time.'

The header for the error window said "Otviewit".
The icon in the error window was a red circle with a white 'X' through it.
The only clickable option button within the error window was "OK".

The error occurred at the step where the status bar at the bottom of the OTViewIt window said:
"Looking for newly created files: C:\ARK5D.tmp..."

Weird...:scratch:

 

[peku006]

Hi jfelske

The same thing happened as when I ran OTScanIt2: a few seconds into the scan, I received the following error message:

'1/1/2099 12 is not a valid date and time.'

again , it can not be true.......we'll try a different tool

1 - download and run RSIT

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)

2 - Status Check
Please reply with

the logs from RSIT (log.txt ,info.txt)

Thanks peku006

 

[jfelske]

Virtumonde Removal - JF - Info 8.1

Yay! It worked! Files are too long to be posted together, so...
**********
log.txt generated by RSIT.exe
**********
Logfile of random's system information tool 1.05 (written by random/random)
Run by Bob at 2009-02-02 15:09:18
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 34 GB (45%) free of 76 GB
Total RAM: 510 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:09, on 2009-02-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Bob\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Bob.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/44.10/uploader2.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

--
End of file - 4777 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\ISP signup reminder 1.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"=C:\WINDOWS\System32\DSentry.exe [2003-08-13 28672]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2003-08-05 114741]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-02 136600]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\Program Files\Linksys\LogViewer\LogViewer.exe"="C:\Program Files\Linksys\LogViewer\LogViewer.exe:*isabled:LogViewer"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*isabledxpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*isabled:Windows Messenger"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\WINDOWS\SYSTEM32\taskmgr.exe"="C:\WINDOWS\SYSTEM32\taskmgr.exe:*:Enabled:taskmgr"
"C:\Program Files\CCleaner\CCleaner.exe"="C:\Program Files\CCleaner\CCleaner.exe:*:Enabled:CCleaner"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

65535-65535-31889 379:31889:443 ----ASH---- C:\ARK62.tmp
65535-65535-31889 379:31889:443 ----ASH---- C:\ARK61.tmp
65535-65535-31889 379:31889:443 ----ASH---- C:\ARK60.tmp
65535-65535-31889 379:31889:443 ----ASH---- C:\ARK5E.tmp
65535-65535-31889 379:31889:443 ----AH---- C:\ARK5D.tmp
65535-65535-31889 379:31889:443 ----A---- C:\ARK5F.tmp
2009-02-02 15:09:18 ----D---- C:\rsit
2009-02-01 11:25:25 ----SHD---- C:\RECYCLER
2009-02-01 11:24:52 ----D---- C:\ComboFix
2009-02-01 08:19:51 ----A---- C:\ComboFix.txt
2009-01-28 17:24:55 ----D---- C:\fsaua.data
2009-01-27 17:54:29 ----D---- C:\Documents and Settings\Bob\Application Data\Malwarebytes
2009-01-27 17:54:22 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-27 17:54:22 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-27 03:03:42 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-27 03:00:28 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-26 19:04:36 ----A---- C:\WINDOWS\system32\muweb.dll
2009-01-26 19:04:36 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2009-01-26 19:04:36 ----A---- C:\WINDOWS\system32\mucltui.dll
2009-01-26 18:47:55 ----A---- C:\Boot.bak
2009-01-26 18:47:45 ----RASHD---- C:\cmdcons
2009-01-26 16:44:25 ----A---- C:\~ New Text Document.txt
2009-01-26 16:43:34 ----D---- C:\Program Files\Avira
2009-01-26 16:43:34 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-01-24 15:11:44 ----D---- C:\Program Files\ERUNT

======List of files/folders modified in the last 1 months======

2009-02-01 16:45:29 ----D---- C:\WINDOWS\TEMP
2009-02-01 12:46:22 ----SHD---- C:\WINDOWS\Installer
2009-02-01 11:25:03 ----SHD---- C:\System Volume Information
2009-02-01 11:25:03 ----D---- C:\WINDOWS
2009-02-01 11:24:58 ----D---- C:\WINDOWS\SYSTEM32
2009-02-01 11:24:54 ----D---- C:\WINDOWS\erdnt
2009-02-01 08:15:52 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-01 08:14:55 ----A---- C:\WINDOWS\system.ini
2009-02-01 08:11:22 ----D---- C:\WINDOWS\system32\DRIVERS
2009-02-01 08:11:20 ----D---- C:\WINDOWS\AppPatch
2009-02-01 08:11:20 ----D---- C:\Program Files\Common Files
2009-02-01 08:09:26 ----D---- C:\WINDOWS\MSAGENT
2009-01-29 19:21:39 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-27 17:54:22 ----RD---- C:\Program Files
2009-01-27 03:04:43 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-27 03:03:54 ----HD---- C:\WINDOWS\INF
2009-01-27 03:03:45 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2009-01-27 03:03:41 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-27 03:00:29 ----D---- C:\WINDOWS\Debug
2009-01-26 19:00:03 ----D---- C:\WINDOWS\system32\CONFIG
2009-01-26 18:47:55 ----RASH---- C:\BOOT.INI
2009-01-26 18:45:34 ----D---- C:\WINDOWS\system32\Restore
2009-01-24 15:08:54 ----D---- C:\WINDOWS\system32\NtmsData
2009-01-24 15:08:40 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 14:56:16 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-01-24 14:35:27 ----AC---- C:\WINDOWS\wininit.ini
2009-01-05 14:00:51 ----D---- C:\Documents and Settings\All Users\Application Data\RetroExp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys [2002-07-17 16512]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-10-18 2432]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-10-18 2560]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2001-09-04 233344]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-11-08 17217]
R1 pwd_2K;pwd_2K; C:\WINDOWS\system32\drivers\pwd_2K.sys [2001-09-04 78454]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2003-07-14 5621]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2003-07-14 23219]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2001-09-10 205824]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2007-06-30 20747]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2003-06-20 40448]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2004-04-13 15781]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2003-08-05 25685]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2003-08-05 34837]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2003-08-05 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2003-08-05 2233]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2003-08-05 83284]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2003-08-05 14229]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2003-08-05 6357]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2003-08-05 98068]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2003-08-05 100373]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2001-09-04 19702]
R3 MovRVDrv32;MovRVDrv32; C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-12-28 3768]
R3 MXOFX;USB Storage Adapter FX (MXO); C:\WINDOWS\system32\DRIVERS\MXOFX.SYS [2003-10-10 32640]
R3 MXOPSWD;Maxtor OneTouch Security Driver; C:\WINDOWS\system32\DRIVERS\mxopswd.sys [2004-10-07 15360]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-06 580992]
R3 SndTDriverV32;SndTDriverV32; C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-12-28 513152]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-13 42752]
S1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 ASPI;Advanced SCSI Programming Interface Driver; \??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys []
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 DrmCDriverV32;DrmCDriverV32; C:\WINDOWS\system32\drivers\DrmCDriverV32.sys [2007-12-26 515200]
S3 DrmCVideo32;DrmCVideo32; C:\WINDOWS\system32\DRIVERS\DrmCVideo32.sys [2007-12-26 3768]
S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2001-09-04 17990]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-03 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-03 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-03 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-03 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-03 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-03 19455]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-03 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-03 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-03 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-03 23615]
S3 Jukebox;Jukebox; C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys [2004-09-28 16752]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 NCHSSVAD;SoundTap Recorder; C:\WINDOWS\system32\drivers\nchssvad.sys [2007-12-15 23616]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 RT73;Belkin USB Network Adapter; C:\WINDOWS\system32\DRIVERS\rt73.sys [2005-08-02 232192]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2008-04-13 42240]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R2 Belkin Wireless USB Network Adapter Service;Belkin Wireless USB Network Adapter; C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-29 49152]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-02 152984]
R2 RetroExpLauncher;Retrospect Express HD Launcher; C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe [2006-02-06 73728]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-03-30 504104]
S2 RetroExp Helper;Retrospect Express HD Helper; C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe [2006-02-06 118784]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\NCS\Sync\NetSvc.exe [2003-03-03 143360]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
S4 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S4 SoundMovieServer;SoundMovieServer; C:\WINDOWS\system32\snmvtsvc.exe [2007-12-28 184320]

-----------------EOF-----------------
**********

info.txt to follow in separate post...

 

[jfelske]

Virtumonde Removal - JF - Info 8.2

**********
info.txt generated by RSIT.exe
**********
info.txt logfile of random's system information tool 1.05 2009-02-02 15:09:41

======Uninstall list======

-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{410438A3-B591-4028-B70A-3CC0B33FBCD1}\Setup.exe" -l0x9 -L0x9anything
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2Wire Wireless Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}\Setup.exe" -l0x9 -L0x9
Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
BCM V.92 56K Modem-->C:\WINDOWS\BCMSMU.exe quiet
Bejeweled Deluxe 1.6z-->C:\Program Files\Zone.Com Deluxe Games\Bejeweled\UnGins.exe "C:\Program Files\Zone.Com Deluxe Games\Bejeweled\install.log"
Belkin 54g USB Network Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Belkin\Belkin Wireless Network Utility\setup.exe" -l0x9
Bespelled Deluxe 1.01-->C:\Program Files\Zone.Com Deluxe Games\Bespelled Deluxe\PopUninstall.exe "C:\Program Files\Zone.Com Deluxe Games\Bespelled Deluxe\Install.log"
Catan (remove only)-->"C:\Program Files\Yahoo! Games\Catan\Uninstall.exe"
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Citrix Endpoint Analysis Client-->MsiExec.exe /I{1C582795-778E-4B5D-AE85-518450431F28}
Citrix Presentation Server Client - Web Only-->MsiExec.exe /X{23E8D2D6-F7C8-4A35-816C-6C914EE0A601}
Dell Digital Jukebox Driver-->C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Media Experience-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Dell Solution Center-->MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DS21Patch-->MsiExec.exe /I{9B79DCB0-AAD7-456B-8D07-433C936FA24B}
DVDSentry-->MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
Easy CD Creator 5 Basic-->MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
EPSON Printer Software-->C:\Program Files\EPSON\PrinterDriverTemp\SCX7400\EPUPDATE.EXE /r
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Intel(R) Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel(R) PRO Network Adapters and Drivers-->Prounstl.exe
Intel(R) PROSet-->MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
Internet Explorer Default Page-->MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iTunes-->MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java(TM) 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java(TM) 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LogViewer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5090856-6E87-4AE1-B6FE-DD4149CB097A}\Setup.exe" -l0x9
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Maxtor OneTouch-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{231F68F4-70E4-41A6-BEDA-7E7934169B54} /l1033
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2004-->MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Project 2000-->MsiExec.exe /I{2DFE1608-BDCA-11D1-B7AE-00C04FB92F3D}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Retrospect Express HD 1.1-->MsiExec.exe /I{A4952AA3-FCBF-4D28-9DC4-A3935FDC5805}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E835305-63BB-4E55-BBB7-EEBBE67774DB}\setup.exe" -l0x9 -L0x9 /SMAINT
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SoundTaxi 3.2.0-->"C:\Program Files\SoundTaxi\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
USB Storage Adapter FX (MXO)-->MXOun.exe MXOFX
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WNW Five Language Dictionary v1.9-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Accent\WNWFLD\DeIsL1.isu"

=====HijackThis Backups=====

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\jukihoda.dll",s (User 'NETWORK SERVICE')
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\jukihoda.dll",s
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\pazozezu.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\noyajego.dll",a
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\lijeyehi.dll C:\WINDOWS\system32\behipaya.dll c:\windows\system32\modigege.dll c:\windows\system32\dukovolo.dll c:\windows\system32\noyajego.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: rundisk - C:\WINDOWS\msagent\rundisk.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\noyajego.dll
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\noyajego.dll
O4 - HKLM\..\RunOnce: [SpybotDeletingA4610] command /c del "c:\windows\system32\noyajego.dll_old"
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\noyajego.dll (file missing)
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\jukihoda.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingC2487] cmd /c del "c:\windows\system32\noyajego.dll_old"
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\noyajego.dll (file missing)
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\noyajego.dll",a
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\jukihoda.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\pazozezu.dll (file missing)
O4 - HKUS\S-1-5-19\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\jukihoda.dll",s (User 'LOCAL SERVICE')
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\pazozezu.dll (file missing)
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\jukihoda.dll",s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\jukihoda.dll",s (User 'NETWORK SERVICE')
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\behipaya.dll c:\windows\system32\noyajego.dll
O4 - HKUS\S-1-5-19\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\jukihoda.dll",s (User 'LOCAL SERVICE')
O4 - HKLM\..\Run: [34b6b524] rundll32.exe "C:\WINDOWS\system32\kifupiza.dll",b
O20 - AppInit_DLLs: c:\windows\system32\muzupera.dll,C:\WINDOWS\system32\zajifali.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\lakutufo.dll
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\muzupera.dll",a
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\garopudu.dll",s (User 'NETWORK SERVICE')
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\muzupera.dll
O4 - HKUS\S-1-5-19\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\garopudu.dll",s (User 'LOCAL SERVICE')
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\garopudu.dll",s
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\garopudu.dll",s
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\lakutufo.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O20 - AppInit_DLLs: c:\windows\system32\muzupera.dll,C:\WINDOWS\system32\zajifali.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\muzupera.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\muzupera.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\garopudu.dll",s
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\muzupera.dll
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\lakutufo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\muzupera.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\muzupera.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\vobulofo.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s (User 'LOCAL SERVICE')
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\numagitu.dll",a
O4 - HKLM\..\Run: [34b6b524] rundll32.exe "C:\WINDOWS\system32\fozisitu.dll",b
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/42.20/uploader2.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\godojuje.dll c:\windows\system32\numagitu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\vobulofo.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\numagitu.dll",a
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\godojuje.dll
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\numagitu.dll,C:\WINDOWS\system32\godojuje.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\numagitu.dll",a
O4 - HKUS\S-1-5-19\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s (User 'LOCAL SERVICE')
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\vobulofo.dll
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\vobulofo.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\numagitu.dll",a
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\vobulofo.dll
O20 - AppInit_DLLs: c:\windows\system32\numagitu.dll,C:\WINDOWS\system32\godojuje.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s (User 'NETWORK SERVICE')
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\numagitu.dll",a
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\numagitu.dll",a
O20 - AppInit_DLLs: c:\windows\system32\numagitu.dll,C:\WINDOWS\system32\godojuje.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - (no file)
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\numagitu.dll",a
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s (User 'NETWORK SERVICE')
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\godojuje.dll c:\windows\system32\numagitu.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\vobulofo.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\godojuje.dll c:\windows\system32\numagitu.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\numagitu.dll",a
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\vobulofo.dll (file missing)
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s (User 'NETWORK SERVICE')
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\vobulofo.dll (file missing)
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\godojuje.dll c:\windows\system32\numagitu.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\numagitu.dll",a
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\vobulofo.dll (file missing)
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKUS\S-1-5-19\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\japawisi.dll",s (User 'LOCAL SERVICE')
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\godojuje.dll c:\windows\system32\numagitu.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\numagitu.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\numagitu.dll",a
O4 - HKLM\..\Run: [34b6b524] rundll32.exe "C:\WINDOWS\system32\hozekopo.dll",b
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\dehokiju.dll",a
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\meseleru.dll",s
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\zawibavu.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\tatetimo.dll c:\windows\system32\dehokiju.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dehokiju.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dehokiju.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\dehokiju.dll",a
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\meseleru.dll",s
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\dehokiju.dll",a
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dehokiju.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dehokiju.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\meseleru.dll",s
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\zawibavu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\petonuho.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\petonuho.dll
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O20 - AppInit_DLLs: C:\WINDOWS\system32\tatetimo.dll c:\windows\system32\petonuho.dll
O4 - HKLM\..\Run: [34b6b524] rundll32.exe "C:\WINDOWS\system32\miperuwo.dll",b
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "C:\WINDOWS\system32\petonuho.dll",a
O2 - BHO: (no name) - {4aafb203-85e3-4d13-94c7-a91cebdfa541} - C:\WINDOWS\system32\zawibavu.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\tatetimo.dll",s (User 'NETWORK SERVICE')
O2 - BHO: (no name) - {68a4dd92-70c3-46bb-bfb2-e6356fa0e920} - C:\WINDOWS\system32\zawibavu.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\petonuho.dll",a
O2 - BHO: (no name) - {dad410d7-a405-40bb-b4f0-12640db0845b} - C:\WINDOWS\system32\zawibavu.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\tatetimo.dll",s
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\petonuho.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\petonuho.dll
O2 - BHO: (no name) - {dad410d7-a405-40bb-b4f0-12640db0845b} - C:\WINDOWS\system32\zawibavu.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\tatetimo.dll",s
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\petonuho.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\petonuho.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\petonuho.dll",a
O20 - AppInit_DLLs: c:\windows\system32\petonuho.dll,C:\WINDOWS\system32\tatetimo.dll,C:\WINDOWS\system32\zawibavu.dll
O2 - BHO: (no name) - {68a4dd92-70c3-46bb-bfb2-e6356fa0e920} - C:\WINDOWS\system32\zawibavu.dll
O2 - BHO: (no name) - {dad410d7-a405-40bb-b4f0-12640db0845b} - C:\WINDOWS\system32\zawibavu.dll
O2 - BHO: (no name) - {68a4dd92-70c3-46bb-bfb2-e6356fa0e920} - C:\WINDOWS\system32\zawibavu.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\tatetimo.dll",s
O2 - BHO: (no name) - {dad410d7-a405-40bb-b4f0-12640db0845b} - C:\WINDOWS\system32\zawibavu.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\tatetimo.dll",s (User 'NETWORK SERVICE')
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\goriwesi.dll
O4 - HKLM\..\Run: [34b6b524] rundll32.exe "C:\WINDOWS\system32\walumure.dll",b
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\goriwesi.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\zawibavu.dll c:\windows\system32\goriwesi.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\goriwesi.dll",a
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\goriwesi.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O20 - AppInit_DLLs: c:\windows\system32\goriwesi.dll,C:\WINDOWS\system32\zawibavu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\goriwesi.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\yogaguse.dll",s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O2 - BHO: (no name) - {2739d1ee-015e-49bb-bdc7-6af645f433fb} - C:\WINDOWS\system32\tatetimo.dll (file missing)
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "C:\WINDOWS\system32\hiresawo.dll",a
O2 - BHO: (no name) - {dad410d7-a405-40bb-b4f0-12640db0845b} - C:\WINDOWS\system32\zawibavu.dll (file missing)
O2 - BHO: {30bc6a48-437d-ac3a-e224-61ed269c48ac} - {ca84c962-de16-422e-a3ca-d73484a6cb03} - C:\WINDOWS\system32\ffylxp.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\yogaguse.dll",s (User 'NETWORK SERVICE')
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\hihidewa.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hohunowi.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\webayodi.dll C:\WINDOWS\system32\demazabu.dll c:\windows\system32\hohunowi.dll ffylxp.dll c:\windows\system32\hiresawo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hohunowi.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hohunowi.dll
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\hihidewa.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\yogaguse.dll",s
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\hiresawo.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\webayodi.dll c:\windows\system32\hiresawo.dll c:\windows\system32\hohunowi.dll,C:\WINDOWS\system32\demazabu.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hohunowi.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\yogaguse.dll",s (User 'NETWORK SERVICE')
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\hohunowi.dll",a
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\hihidewa.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\yogaguse.dll",s
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hohunowi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hohunowi.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\demazabu.dll c:\windows\system32\hohunowi.dll c:\windows\system32\hiresawo.dll,C:\WINDOWS\system32\webayodi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hiresawo.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\demazabu.dll c:\windows\system32\hiresawo.dll c:\windows\system32\hohunowi.dll,C:\WINDOWS\system32\webayodi.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\hiresawo.dll",a
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\yogaguse.dll",s
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\hihidewa.dll (file missing)
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\yogaguse.dll",s (User 'NETWORK SERVICE')
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hiresawo.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [34b6b524] rundll32.exe "C:\WINDOWS\system32\gezehewi.dll",b
O2 - BHO: {19a553f5-242f-5998-a534-ca2290cf2403} - {3042fc09-22ac-435a-8995-f2425f355a91} - C:\WINDOWS\system32\nhbdmj.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s (User 'NETWORK SERVICE')
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\rerutemi.dll",a
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKUS\S-1-5-19\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s (User 'LOCAL SERVICE')
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\volefijo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bufazuwa.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bufazuwa.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\demazabu.dll C:\WINDOWS\system32\pusukupu.dll nhbdmj.dll c:\windows\system32\sojomazi.dll c:\windows\system32\bufazuwa.dll c:\windows\system32\rerutemi.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\rerutemi.dll",a
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\volefijo.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sojomazi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sojomazi.dll
O20 - AppInit_DLLs: c:\windows\system32\rerutemi.dll c:\windows\system32\sojomazi.dll c:\windows\system32\bufazuwa.dll,C:\WINDOWS\system32\pusukupu.dll
O20 - AppInit_DLLs: c:\windows\system32\rerutemi.dll c:\windows\system32\sojomazi.dll c:\windows\system32\bufazuwa.dll
O4 - HKUS\S-1-5-19\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s (User 'LOCAL SERVICE')
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rerutemi.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s (User 'NETWORK SERVICE')
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rerutemi.dll
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\volefijo.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\ketahope.dll",a
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pusukupu.dll C:\WINDOWS\system32\demazabu.dll mskqmb.dll c:\windows\system32\ketahope.dll
O2 - BHO: {b8855a48-ad5a-863b-71a4-b1350bf741aa} - {aa147fb0-531b-4a17-b368-a5da84a5588b} - C:\WINDOWS\system32\mskqmb.dll (file missing)
O4 - HKUS\S-1-5-19\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s (User 'LOCAL SERVICE')
O4 - HKLM\..\Run: [34b6b524] rundll32.exe "C:\WINDOWS\system32\hafurive.dll",b
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\ketahope.dll",a
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\volefijo.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\demazabu.dll c:\windows\system32\ketahope.dll,C:\WINDOWS\system32\pusukupu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\volefijo.dll (file missing)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\ketahope.dll",a
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\demazabu.dll c:\windows\system32\ketahope.dll,C:\WINDOWS\system32\pusukupu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\demazabu.dll c:\windows\system32\ketahope.dll,C:\WINDOWS\system32\pusukupu.dll
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\volefijo.dll (file missing)
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\ketahope.dll",a
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s (User 'NETWORK SERVICE')
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s (User 'NETWORK SERVICE')
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\ketahope.dll",a
O2 - BHO: (no name) - {7b007856-d60e-48c5-9d66-34b8f6707519} - C:\WINDOWS\system32\demazabu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\volefijo.dll (file missing)
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\mijekozu.dll",s (User 'NETWORK SERVICE')
O2 - BHO: (no name) - {7b007856-d60e-48c5-9d66-34b8f6707519} - C:\WINDOWS\system32\demazabu.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pusukupu.dll c:\windows\system32\ketahope.dll,C:\WINDOWS\system32\demazabu.dll
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\volefijo.dll (file missing)
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\ketahope.dll",a
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\pusukupu.dll",s
O2 - BHO: (no name) - {7b007856-d60e-48c5-9d66-34b8f6707519} - C:\WINDOWS\system32\pusukupu.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\pusukupu.dll",s (User 'NETWORK SERVICE')
O2 - BHO: (no name) - {4036c1d8-1f5a-418d-b068-d9c7ede3a9e6} - C:\WINDOWS\system32\volefijo.dll (file missing)
O2 - BHO: (no name) - {fced0176-4c2d-4601-82a0-fe889444e8df} - C:\WINDOWS\system32\demazabu.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\ketahope.dll",a
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O20 - AppInit_DLLs: c:\windows\system32\ketahope.dll,C:\WINDOWS\system32\pusukupu.dll,C:\WINDOWS\system32\demazabu.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pusukupu.dll c:\windows\system32\ketahope.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pusukupu.dll c:\windows\system32\ketahope.dll
O4 - HKUS\S-1-5-20\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\pusukupu.dll",s (User 'NETWORK SERVICE')
O2 - BHO: (no name) - {a05e4245-b426-4564-9c11-93c1e80eb34a} - C:\WINDOWS\system32\demazabu.dll
O4 - HKLM\..\Run: [hedohiruda] Rundll32.exe "C:\WINDOWS\system32\demazabu.dll",s
O2 - BHO: (no name) - {fced0176-4c2d-4601-82a0-fe889444e8df} - C:\WINDOWS\system32\demazabu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ketahope.dll
O4 - HKLM\..\Run: [CPM378586b8] Rundll32.exe "c:\windows\system32\ketahope.dll",a

======Security center information======

AV: Avira AntiVir PersonalEdition (disabled)

System event log

Computer Name: LINUS
Event Code: 7036
Message: The Background Intelligent Transfer Service service entered the running state.

Record Number: 1610
Source Name: Service Control Manager
Time Written: 20080620031506.000000-420
Event Type: information
User:

Computer Name: LINUS
Event Code: 7035
Message: The Background Intelligent Transfer Service service was successfully sent a start control.

Record Number: 1609
Source Name: Service Control Manager
Time Written: 20080620031506.000000-420
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: LINUS
Event Code: 7036
Message: The iPod Service service entered the running state.

Record Number: 1608
Source Name: Service Control Manager
Time Written: 20080620031029.000000-420
Event Type: information
User:

Computer Name: LINUS
Event Code: 7035
Message: The iPod Service service was successfully sent a start control.

Record Number: 1607
Source Name: Service Control Manager
Time Written: 20080620031029.000000-420
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: LINUS
Event Code: 7036
Message: The Computer Browser service entered the stopped state.

Record Number: 1606
Source Name: Service Control Manager
Time Written: 20080620031013.000000-420
Event Type: information
User:

Application event log

Computer Name: D2R31441
Event Code: 1004
Message: Detection of product '{00010409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Record Number: 9382
Source Name: MsiInstaller
Time Written: 20071031205642.000000-420
Event Type: warning
User: LINUS\Bob

Computer Name: D2R31441
Event Code: 11729
Message: Product: Microsoft Office 2000 SR-1 Professional -- Configuration failed.

Record Number: 9381
Source Name: MsiInstaller
Time Written: 20071031205305.000000-420
Event Type: information
User: LINUS\Bob

Computer Name: D2R31441
Event Code: 1001
Message: Detection of product '{00010409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles' failed during request for component '{7AB02DE0-B463-11D1-96C4-0080C728108A}'

Record Number: 9380
Source Name: MsiInstaller
Time Written: 20071031205302.000000-420
Event Type: warning
User: LINUS\Bob

Computer Name: D2R31441
Event Code: 1004
Message: Detection of product '{00010409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Record Number: 9379
Source Name: MsiInstaller
Time Written: 20071031205302.000000-420
Event Type: warning
User: LINUS\Bob

Computer Name: D2R31441
Event Code: 11729
Message: Product: Microsoft Office 2000 SR-1 Professional -- Configuration failed.

Record Number: 9378
Source Name: MsiInstaller
Time Written: 20071031205002.000000-420
Event Type: information
User: LINUS\Bob

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Sonic Shared;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_04\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_04\lib\ext\QTJava.zip

-----------------EOF-----------------
**********
Phew. That's a lot of information.

 

[peku006]

Hi jfelske

361 lines in the HijackThis Backups...have you deleted them yourself ?

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\ARK62.tmp
C:\ARK61.tmp
C:\ARK60.tmp
C:\ARK5E.tmp
C:\ARK5D.tmp
C:\ARK5F.tmp

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Download and run MBR rootkit detector by GMER

• Download mbr.exe from here and save it to your desktop
• Double-click mbr.exe to run the tool
• You will see the flash of a window, and then a log mbr.txt will be located on your desktop
• Post the contents of this log in your next reply

3 - Status Check
Please reply with

1. the ComboFix log(C:\ComboFix.txt)
2. the Gmer.log

Thanks peku006

 

[jfelske]

Virtumonde Removal - JF - Info 9

**********
ComboFix log
**********
ComboFix 09-02-02.04 - Bob 2009-02-03 16:28:30.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.290 [GMT -8:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\ARK5D.tmp
C:\ARK5E.tmp
C:\ARK5F.tmp
C:\ARK60.tmp
C:\ARK61.tmp
C:\ARK62.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ARK5D.tmp
C:\ARK5E.tmp
C:\ARK5F.tmp
C:\ARK60.tmp
C:\ARK61.tmp
C:\ARK62.tmp

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-02 15:09 . 2009-02-02 15:09 <DIR> d-------- C:\rsit
2009-01-28 17:24 . 2009-01-28 17:24 <DIR> d-------- C:\fsaua.data
2009-01-27 17:54 . 2009-01-28 17:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 17:54 . 2009-01-27 17:54 <DIR> d-------- c:\documents and settings\Bob\Application Data\Malwarebytes
2009-01-27 17:54 . 2009-01-27 17:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-27 17:54 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-27 17:54 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-26 19:04 . 2008-10-16 14:06 268,648 --a------ c:\windows\SYSTEM32\mucltui.dll
2009-01-26 19:04 . 2008-10-16 14:06 208,744 --a------ c:\windows\SYSTEM32\muweb.dll
2009-01-26 19:04 . 2008-10-16 14:06 27,496 --a------ c:\windows\SYSTEM32\mucltui.dll.mui
2009-01-26 18:33 . 2009-01-26 18:33 504,832 --a------ C:\How to use ComboFix.doc
2009-01-26 18:22 . 2009-01-27 17:51 2,148 --a------ c:\windows\SYSTEM32\wpa.dbl
2009-01-26 16:43 . 2009-01-28 17:22 <DIR> d-------- c:\program files\Avira
2009-01-26 16:43 . 2009-01-26 16:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-24 15:11 . 2009-01-28 17:22 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 23:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 22:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-05 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\RetroExp
2008-12-26 21:23 --------- d-----w c:\program files\Maxtor
2008-12-26 18:51 --------- d-----w c:\program files\Retrospect
2008-12-26 18:47 33,767,936 ----a-w C:\Express_HD_EN_1_1_127.exe
2008-12-23 02:59 --------- d-----w c:\program files\CCleaner
2008-12-23 01:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-21 04:30 --------- d-----w c:\program files\Windows Live
2008-12-21 04:27 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-21 04:23 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-12-08 02:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-08 01:30 --------- d-----w c:\program files\Trend Micro
2008-12-07 22:32 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-07 22:23 --------- d-----w c:\program files\Common Files\PC Tools
2008-12-07 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 20:28 578,560 ----a-w c:\windows\SYSTEM32\DLLCACHE\user32.dll
2008-12-05 05:03 --------- d-----w c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
2008-12-05 05:02 --------- d-----w c:\documents and settings\Bob\Application Data\Lavasoft
2007-12-24 16:35 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-09-27 02:27 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Linksys\\LogViewer\\LogViewer.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\SYSTEM32\\taskmgr.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=

R3 MovRVDrv32;MovRVDrv32;c:\windows\SYSTEM32\DRIVERS\MovRVDrv32.sys [2008-01-26 3768]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\SYSTEM32\DRIVERS\ASPI32.SYS [2007-12-27 16512]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\SYSTEM32\DRIVERS\DrmCDriverV32.sys [2007-12-27 515200]
S3 DrmCVideo32;DrmCVideo32;c:\windows\SYSTEM32\DRIVERS\DrmCVideo32.sys [2007-12-27 3768]
S4 SoundMovieServer;SoundMovieServer;c:\windows\SYSTEM32\snmvtsvc.exe [2008-01-26 184320]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - F-SECURE_STANDALONE_MINIFILTER
*NewlyCreated* - FSBL
*NewlyCreated* - IPOD_SERVICE
*Deregistered* - F-Secure Standalone Minifilter
*Deregistered* - fsbl
.
Contents of the 'Scheduled Tasks' folder

2008-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2004-01-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 16:31:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-02-03 16:37:39
ComboFix-quarantined-files.txt 2009-02-04 00:36:22
ComboFix2.txt 2009-02-01 16:19:51

Pre-Run: 35,922,391,040 bytes free
Post-Run: 35,967,373,312 bytes free

138 --- E O F --- 2009-01-27 11:03:54
**********

**********
mbr.txt generated by mbr.exe
**********
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
**********

I couldn't find a "Gmer.log", but I hope the mbr.txt file does the trick.

Thanks!
jfelske