Virtumonde Removal Trouble

Kurt702 · Jan 31, 2009

Having issues, much like the other folks, with removing Virtumonde.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:43 PM, on 1/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
D:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
d:\WINDOWS\system32\ZuneBusEnum.exe
D:\Program Files\Zune\ZuneLauncher.exe
D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
D:\Program Files\Bradford Networks\Persistent Agent\bncsaui.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\DrvMon.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {ff36a9c3-526a-4850-ac75-7bc6c4853e87} - D:\WINDOWS\system32\roloropo.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Zune Launcher] "d:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hafayozifi] Rundll32.exe "D:\WINDOWS\system32\yinazeku.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] D:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [VirRL2009] "D:\Program Files\VirRL2009\VirRL2009.exe"
O4 - HKCU\..\Run: [SoundMan] D:\WINDOWS\system32\SOUNDMAN.EXE
O4 - HKUS\S-1-5-19\..\Run: [hafayozifi] Rundll32.exe "D:\WINDOWS\system32\yinazeku.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [hafayozifi] Rundll32.exe "D:\WINDOWS\system32\yinazeku.dll",s (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [VirRL2009] "D:\Program Files\VirRL2009\VirRL2009.exe" (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [SoundMan] D:\WINDOWS\system32\SOUNDMAN.EXE (User '?')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: d:\windows\system32\yavozira.dll d:\windows\system32\ D:\WINDOWS\system32\gasogole.dll d:\windows\system32\ d:\windows\system32\pedabara.dll d:\windows\system32\ d:\windows\system32\hunayeko.dll d:\windows\system32\tawagifi.dll D:\WINDOWS\system32\kakijigu.dll d:\windows\system32\hememefo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\hememefo.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\hememefo.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Unknown owner - D:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6810 bytes

Blade81 · Feb 4, 2009

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Kurt702 · Feb 5, 2009

ComboFix 09-02-04.01 - Fluffy 2009-02-05 3:59:47.1 - NTFSx86
Running from: d:\documents and settings\Fluffy\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\Fluffy\My Documents\My Documents.url
d:\documents and settings\Fluffy\My Documents\My Music\My Music.url
d:\documents and settings\Fluffy\My Documents\My Pictures\My Pictures.url
d:\documents and settings\Fluffy\My Documents\My Videos\My Video.url
d:\windows\IE4 Error Log.txt
d:\windows\system32\abojoloh.ini
d:\windows\system32\adenuhim.ini
d:\windows\system32\agejuhev.ini
d:\windows\system32\aharizep.ini
d:\windows\system32\ahohutus.ini
d:\windows\system32\akogisuf.ini
d:\windows\system32\akuluhej.ini
d:\windows\system32\akutebil.ini
d:\windows\system32\amiwarot.ini
d:\windows\system32\anodudog.ini
d:\windows\system32\apezawal.ini
d:\windows\system32\apolujet.ini
d:\windows\system32\araselos.ini
d:\windows\system32\arirahom.ini
d:\windows\system32\aromevom.ini
d:\windows\system32\asomagil.ini
d:\windows\system32\atamovar.ini
d:\windows\system32\awekiwov.ini
d:\windows\system32\azawosam.ini
d:\windows\system32\azeminaf.ini
d:\windows\system32\bafoline.dll
d:\windows\system32\bakevibe.dll
d:\windows\system32\basojefo.dll
d:\windows\system32\bekoduya.dll
d:\windows\system32\besotuja.dll.tmp
d:\windows\system32\bewivupi.dll
d:\windows\system32\boduvipe.dll
d:\windows\system32\bohahefe.dll
d:\windows\system32\bojilale.dll
d:\windows\system32\boloyahe.dll.tmp
d:\windows\system32\bosetiti.dll
d:\windows\system32\bovenage.dll
d:\windows\system32\dafumumu.dll
d:\windows\system32\debabawe.dll
d:\windows\system32\demewilu.dll.tmp
d:\windows\system32\difanuba.dll
d:\windows\system32\diguweha.dll
d:\windows\system32\dufazone.dll
d:\windows\system32\dugosupi.dll
d:\windows\system32\edihonay.ini
d:\windows\system32\eduhivik.ini
d:\windows\system32\eganevob.ini
d:\windows\system32\ehosoduy.ini
d:\windows\system32\ejakidep.ini
d:\windows\system32\enifiyif.ini
d:\windows\system32\enozafud.ini
d:\windows\system32\etamomuv.ini
d:\windows\system32\ewababed.ini
d:\windows\system32\ewosewij.ini
d:\windows\system32\eyakokak.ini
d:\windows\system32\fadonuna.dll
d:\windows\system32\falivigi.dll
d:\windows\system32\fanenoto.dll
d:\windows\system32\fegejuno.dll
d:\windows\system32\fitivipa.dll
d:\windows\system32\fiwegaha.dll.tmp
d:\windows\system32\fiyifine.dll
d:\windows\system32\folajese.dll
d:\windows\system32\fowoluye.dll
d:\windows\system32\fulajivu.dll
d:\windows\system32\funesabo.dll
d:\windows\system32\fusigoka.dll
d:\windows\system32\futagimo.dll
d:\windows\system32\gahehani.dll
d:\windows\system32\ganoseho.dll
d:\windows\system32\gasogole.dll.tmp
d:\windows\system32\gesopepo.dll
d:\windows\system32\gituyanu.dll
d:\windows\system32\godamuwe.dll
d:\windows\system32\godudona.dll
d:\windows\system32\gohahiyi.dll
d:\windows\system32\guyubaha.dll
d:\windows\system32\gxyjzc.dll
d:\windows\system32\hekemowu.dll
d:\windows\system32\hekeyapi.dll
d:\windows\system32\hibipida.dll
d:\windows\system32\hiwutiwa.dll
d:\windows\system32\holojoba.dll
d:\windows\system32\hutikovu.dll
d:\windows\system32\huyewipu.dll
d:\windows\system32\ibuyarok.ini
d:\windows\system32\ididiyed.ini
d:\windows\system32\ifitejul.ini
d:\windows\system32\ifolugal.ini
d:\windows\system32\igedadit.ini
d:\windows\system32\igiwubef.ini
d:\windows\system32\ihunehuv.ini
d:\windows\system32\ikuvivey.ini
d:\windows\system32\imivohiv.ini
d:\windows\system32\iniyotas.ini
d:\windows\system32\inuputaj.ini
d:\windows\system32\ipuviweb.ini
d:\windows\system32\iregulow.ini
d:\windows\system32\iremakum.ini
d:\windows\system32\irodudam.ini
d:\windows\system32\isusiduz.ini
d:\windows\system32\itetipef.ini
d:\windows\system32\iyihahog.ini
d:\windows\system32\izikufit.ini
d:\windows\system32\jatupuni.dll
d:\windows\system32\jehuluka.dll
d:\windows\system32\jelukahu.dll
d:\windows\system32\jijeruwa.dll.tmp
d:\windows\system32\jijuwimu.dll.tmp
d:\windows\system32\jisizosa.dll.tmp
d:\windows\system32\jitodujo.dll
d:\windows\system32\jizutamu.dll
d:\windows\system32\jobaruse.dll
d:\windows\system32\junipine.dll
d:\windows\system32\kagirevi.dll.tmp
d:\windows\system32\kakijigu.dll.tmp
d:\windows\system32\kakokaye.dll
d:\windows\system32\kasivaga.dll
d:\windows\system32\kazerevi.dll
d:\windows\system32\kefazuwa.dll
d:\windows\system32\kibigipu.dll
d:\windows\system32\kivihude.dll
d:\windows\system32\kopuroka.dll.tmp
d:\windows\system32\korayubi.dll
d:\windows\system32\kowavelo.dll
d:\windows\system32\kqbzcm.dll
d:\windows\system32\krzbnn.dll
d:\windows\system32\kubetole.dll
d:\windows\system32\kuboyohu.dll
d:\windows\system32\lagulofi.dll
d:\windows\system32\lalzfq.dll
d:\windows\system32\lawayede.dll
d:\windows\system32\lawazepa.dll
d:\windows\system32\ligamosa.dll
d:\windows\system32\lihujedo.dll
d:\windows\system32\linatopo.dll
d:\windows\system32\lufusezi.dll
d:\windows\system32\lugibifi.dll
d:\windows\system32\lujetifi.dll
d:\windows\system32\lupeyoyu.dll
d:\windows\system32\luzopobo.dll
d:\windows\system32\madudori.dll
d:\windows\system32\masibovi.dll.tmp
d:\windows\system32\masoyumu.dll
d:\windows\system32\mccnxj.dll
d:\windows\system32\menewudi.dll.tmp
d:\windows\system32\mnkiri.dll
d:\windows\system32\moharira.dll
d:\windows\system32\mukameri.dll
d:\windows\system32\musowewo.dll.tmp
d:\windows\system32\namegele.dll.tmp
d:\windows\system32\nipurowe.dll
d:\windows\system32\nitalolo.dll
d:\windows\system32\niwaluyu.dll
d:\windows\system32\nobikiwu.dll
d:\windows\system32\nobiyaki.dll
d:\windows\system32\nofirepo.dll.tmp
d:\windows\system32\nolagube.dll
d:\windows\system32\novufuvi.dll
d:\windows\system32\noyopesi.dll
d:\windows\system32\obasenuf.ini
d:\windows\system32\obijumaw.ini
d:\windows\system32\obopozul.ini
d:\windows\system32\ofazizer.ini
d:\windows\system32\ogobupaf.ini
d:\windows\system32\ohesonag.ini
d:\windows\system32\omazefik.ini
d:\windows\system32\onerabus.ini
d:\windows\system32\opeposeg.ini
d:\windows\system32\opotanil.ini
d:\windows\system32\otonenaf.ini
d:\windows\system32\owdmqt.dll
d:\windows\system32\oyorofes.ini
d:\windows\system32\padikona.dll.tmp
d:\windows\system32\papuboka.dll
d:\windows\system32\pekobuwe.dll
d:\windows\system32\penonoge.dll.tmp
d:\windows\system32\pidewaka.dll
d:\windows\system32\pinojudu.dll.tmp
d:\windows\system32\pivohude.dll.tmp
d:\windows\system32\popezaho.dll
d:\windows\system32\pumefunu.dll
d:\windows\system32\raripizu.dll.tmp
d:\windows\system32\ravezula.dll
d:\windows\system32\razinomi.dll
d:\windows\system32\rejufopa.dll.tmp
d:\windows\system32\rezadure.dll
d:\windows\system32\roloropo.dll.tmp
d:\windows\system32\ruhegozi.dll
d:\windows\system32\ruhufuga.dll
d:\windows\system32\rujamika.dll
d:\windows\system32\rukigigi.dll
d:\windows\system32\rulerujo.dll
d:\windows\system32\ruyezijo.dll
d:\windows\system32\sagujele.dll
d:\windows\system32\satoyini.dll
d:\windows\system32\segudedu.dll
d:\windows\system32\sehudoki.dll
d:\windows\system32\soboposi.dll
d:\windows\system32\solesara.dll
d:\windows\system32\sugefeso.dll
d:\windows\system32\sujobapi.dll
d:\windows\system32\suteniro.dll
d:\windows\system32\suzeyiji.dll.tmp
d:\windows\system32\suzezufu.dll
d:\windows\system32\swnpxg.dll
d:\windows\system32\tedefibu.dll
d:\windows\system32\tefifohi.dll
d:\windows\system32\tejulopa.dll
d:\windows\system32\tekulaze.dll.tmp
d:\windows\system32\telezeva.dll
d:\windows\system32\teyudasa.dll
d:\windows\system32\tidadegi.dll
d:\windows\system32\tifukizi.dll
d:\windows\system32\todolaze.dll
d:\windows\system32\ujuberuy.ini
d:\windows\system32\ukidosig.ini
d:\windows\system32\utoyulew.ini
d:\windows\system32\uvokituh.ini
d:\windows\system32\uyadejov.ini
d:\windows\system32\uyoyepul.ini
d:\windows\system32\vamayuve.dll
d:\windows\system32\vanabuje.dll
d:\windows\system32\varefaza.dll
d:\windows\system32\vasutadu.dll
d:\windows\system32\vatebapi.dll
d:\windows\system32\vehujega.dll
d:\windows\system32\vevapada.dll
d:\windows\system32\vihovimi.dll
d:\windows\system32\vojedayu.dll
d:\windows\system32\voluguhe.dll.tmp
d:\windows\system32\vosuloso.dll
d:\windows\system32\vowikewa.dll
d:\windows\system32\vudutowo.dll
d:\windows\system32\vuhenuhi.dll
d:\windows\system32\vunajopi.dll.tmp
d:\windows\system32\vuwizodi.dll
d:\windows\system32\wamujibo.dll
d:\windows\system32\wazejawe.dll
d:\windows\system32\weluyotu.dll
d:\windows\system32\werihova.dll
d:\windows\system32\weseniha.dll
d:\windows\system32\wevotegu.dll
d:\windows\system32\wideneje.dll
d:\windows\system32\wolugeri.dll
d:\windows\system32\wozijewu.dll
d:\windows\system32\wubogudo.dll
d:\windows\system32\wwhugk.dll
d:\windows\system32\xkktfr.dll
d:\windows\system32\yakituro.dll
d:\windows\system32\yebineza.dll
d:\windows\system32\yedonuse.dll
d:\windows\system32\yerulaji.dll.tmp
d:\windows\system32\yinasidu.dll
d:\windows\system32\yurezasa.dll
d:\windows\system32\zanlyr.dll
d:\windows\system32\zavomoru.dll
d:\windows\system32\zebekeli.dll
d:\windows\system32\zehejevo.dll
d:\windows\system32\zelorogi.dll
d:\windows\system32\zevehahu.dll
d:\windows\system32\zijaputa.dll
d:\windows\system32\zipejizo.dll.tmp
d:\windows\system32\ziwazele.dll
d:\windows\system32\zoravugi.dll.tmp
d:\windows\system32\zunobuli.dll
d:\windows\system32\zurafogu.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-01-31 18:04 . 2009-01-31 18:04 <DIR> d-------- d:\program files\Trend Micro
2009-01-28 18:06 . 2009-01-28 18:22 <DIR> d-------- d:\windows\Logs
2009-01-28 18:05 . 2009-01-28 18:27 <DIR> d--h----- d:\windows\msdownld.tmp
2009-01-28 16:55 . 2009-01-28 18:32 <DIR> d-------- d:\documents and settings\Fluffy\Application Data\Hamachi
2009-01-28 16:55 . 2009-01-28 16:55 25,280 --a------ d:\windows\system32\drivers\hamachi.sys
2009-01-28 15:29 . 2009-01-28 19:03 <DIR> d-------- d:\program files\BitComet
2009-01-18 18:03 . 2009-01-18 18:03 6,656 --a------ d:\windows\system32\SOUNDMAN.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 08:59 1,033,728 ----a-w d:\windows\explorer.exe
2009-01-27 19:12 --------- d-----w d:\program files\World of Warcraft
2008-12-30 01:45 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-30 00:58 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-12-30 00:51 --------- d-----w d:\program files\Lavasoft
2008-12-30 00:51 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2008-12-30 00:50 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-30 00:33 --------- d-----w d:\documents and settings\Administrator\Application Data\ATI
2008-12-30 00:30 --------- d-----w d:\program files\ATI
2008-12-30 00:26 --------- d-----w d:\program files\Common Files\Symantec Shared
2008-12-30 00:26 --------- d-----w d:\program files\Common Files\Blizzard Entertainment
2008-12-27 23:52 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-12-27 23:52 --------- d-----w d:\program files\ThreatFire
2008-12-27 23:49 --------- d-----w d:\program files\Canon
2008-12-27 23:23 --------- d-----w d:\program files\Java
2008-12-27 23:19 --------- d-----w d:\program files\DivX
2008-12-22 14:24 --------- d-----w d:\documents and settings\Fluffy\Application Data\Media Player Classic
2008-12-20 20:37 --------- d-----w d:\documents and settings\All Users\Application Data\PC Tools
2008-12-15 14:53 --------- d-----w d:\documents and settings\Fluffy\Application Data\AdobeUM
2008-12-15 14:52 --------- d-----w d:\program files\Common Files\Adobe
2008-12-14 23:49 --------- d-----w d:\program files\K-Lite Codec Pack
2008-12-10 19:53 --------- d-----w d:\documents and settings\Fluffy\Application Data\Move Networks
2008-04-28 06:57 56 --sh--r d:\windows\system32\E39D4B7680.sys
2008-04-28 06:57 3,350 --sha-w d:\windows\system32\KGyGaAvL.sys
2008-09-28 01:08 29,696 --sha-w d:\windows\system32\lidituhu.dll
2008-09-18 23:03 33,792 --sha-w d:\windows\system32\pofokago.dll
2008-09-23 12:05 63,488 --sha-w d:\windows\system32\wutawiko.dll
2008-07-06 17:02 32,768 --sha-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070620080707\index.dat
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 d:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 d:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 d:\windows\system32\svchost.exe

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 d:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b d:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 d:\windows\$NtServicePackUninstall$\user32.dll
2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 d:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 d:\windows\$NtUninstallKB925902$\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b d:\windows\ServicePackFiles\i386\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b d:\windows\system32\user32.dll

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 d:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a d:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a d:\windows\system32\ws2_32.dll

2005-10-20 22:38 661504 af785c4947676a7fc1673fdc5c8d0b5b d:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 22:58 663552 c0845ecbf4f9164e618ee381b79c9032 d:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-05-10 00:25 663552 d94cffdb53e7ac867438e2dfd50e7cbc d:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
2006-06-23 06:25 664576 64ce26db72810b30f7855ea51e1df836 d:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
2006-09-14 03:31 664576 d207370287cf769aebebf03837784963 d:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
2006-10-23 10:34 664576 231ef4179acabe486376b5ca893f1076 d:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
2007-01-04 09:05 665088 3ffa1573fc274e5aa7467d03941c45ee d:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
2007-02-20 04:52 665600 b258c922d22deec880b60720531d7627 d:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
2007-04-18 07:46 665600 4261ba03afd659de04f0a17dfbdd454d d:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
2007-06-26 09:35 665600 e1a3dd68b5380b360a7310a64d9bb188 d:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-08-22 07:55 665600 a1bc17eb3758d73c3938b2318820f5b4 d:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 d:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 d:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 08:03 827392 6316c2f0c61271c8abdff7429174879e d:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 22:35 827392 41546b396a526918da7995a02ea04e51 d:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 11:01 827904 c66402a06b83b036c195242c0c8cf83c d:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 04:08 827904 77c192fe56a70d7fa0247ba0a6201c32 d:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 15:24 827904 0d5b75171ff51775b630a431b6c667e8 d:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2004-08-04 07:00 656384 c0823fc5469663ba63e7db88f9919d70 d:\windows\$NtUninstallKB905915$\wininet.dll
2005-10-20 22:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 d:\windows\$NtUninstallKB912812$\wininet.dll
2006-03-03 22:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 d:\windows\$NtUninstallKB916281$\wininet.dll
2006-05-10 00:23 658432 38ab7a56f566d9aaad31812494944824 d:\windows\$NtUninstallKB918899$\wininet.dll
2006-06-23 06:02 658944 2b4db890936430c71419037039502752 d:\windows\$NtUninstallKB922760$\wininet.dll
2006-09-14 03:39 658944 621af3f6174a3f60677f5230e28bcc07 d:\windows\$NtUninstallKB925454$\wininet.dll
2006-10-23 10:17 658944 6b2735adff5a5d3b9130ca4a794722f0 d:\windows\$NtUninstallKB928090$\wininet.dll
2007-01-04 08:37 658944 8c393df5234cbcbff1ee31902d6b40ae d:\windows\$NtUninstallKB931768$\wininet.dll
2007-02-20 04:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 d:\windows\$NtUninstallKB933566$\wininet.dll
2007-04-18 07:31 658944 b7156cd97e739f3014bc4d61758f868a d:\windows\$NtUninstallKB937143$\wininet.dll
2007-06-26 09:09 658944 184e47c8f7b331025e6dc92740db188f d:\windows\$NtUninstallKB939653$\wininet.dll
2007-08-22 08:12 658944 1901ad51da8be9f8b38d5d526e5d1788 d:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 d:\windows\ie7updates\KB942615-IE7\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 d:\windows\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 d:\windows\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 08:06 826368 ad21461aef8244edec2ef18e55e1dcf3 d:\windows\ie7updates\KB950759-IE7\wininet.dll
2008-04-22 23:16 826368 f6589be784647cfdbc22ea51ccb1a57a d:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 11:57 826368 8c13d4a7479fa0a026eda8abce82c0ed d:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 02:24 826368 ef8eba98145bfa44e80d17a3b3453300 d:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-13 19:12 666112 7a4f775abb2f1c97def3e73afa2faedd d:\windows\ServicePackFiles\i386\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 d:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 d:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
2008-10-16 15:38 826368 6741eaf7b7f110e803a6e38f6e5fa6b0 d:\windows\system32\wininet.dll
2008-10-16 15:38 826368 6741eaf7b7f110e803a6e38f6e5fa6b0 d:\windows\system32\dllcache\wininet.dll

2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 d:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 d:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 d:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e d:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 d:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:00 359040 9f4b36614a0fc234525ba224957de55c d:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 d:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 d:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 d:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 d:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d d:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d d:\windows\system32\drivers\tcpip.sys

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe d:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e d:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e d:\windows\system32\winlogon.exe

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e d:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d d:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d d:\windows\system32\drivers\ndis.sys

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 d:\windows\$NtServicePackUninstall$\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 d:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 d:\windows\system32\drivers\ip6fw.sys

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b d:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 11:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d d:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba d:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-08-14 14:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 d:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 d:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 07:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 d:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 d:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 07:55 2057600 1d659bfb788ed2ba45075624b748d249 d:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 d:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 d:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\system32\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\system32\dllcache\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb d:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 11:51 2182016 cef243f6defd20be4adde26c7ecacb54 d:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 d:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2008-08-14 15:11 2189184 31914172342bff330063f343ac6958fe d:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c d:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 d:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e d:\windows\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 09:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f d:\windows\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 d:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 d:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\system32\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\system32\dllcache\ntoskrnl.exe

2009-02-05 04:09 1033728 12896823fb95bfb3dc9b46bcaedc9923 d:\windows\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 d:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 d:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 d:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 d:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 d:\windows\$NtServicePackUninstall$\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 d:\windows\ServicePackFiles\i386\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 d:\windows\system32\services.exe

2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 d:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 d:\windows\ServicePackFiles\i386\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 d:\windows\system32\lsass.exe

2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 d:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 d:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 d:\windows\system32\ctfmon.exe

2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 d:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f d:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 d:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b d:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b d:\windows\system32\spoolsv.exe

2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff d:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 d:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 d:\windows\system32\userinit.exe

2004-08-04 12:00 295424 b60c877d16d9c880b952fda04adf16e6 d:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f d:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f d:\windows\system32\termsrv.dll

2006-07-05 05:57 985088 0fdd84928a5dde2510761b7ec76ccec9 d:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 11:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 d:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d d:\windows\$NtServicePackUninstall$\kernel32.dll
2004-08-04 07:00 983552 888190e31455fad793312f8d087146eb d:\windows\$NtUninstallKB917422$\kernel32.dll
2006-07-05 05:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 d:\windows\$NtUninstallKB935839$\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d d:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d d:\windows\system32\kernel32.dll

2004-08-04 07:00 17408 1b5f6923abb450692e9fe0672c897aed d:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 d:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 d:\windows\system32\powrprof.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DrvMon.exe"="d:\windows\system32\DrvMon.exe" [2006-06-14 53248]
"SoundMan"="d:\windows\system32\SOUNDMAN.EXE" [2009-01-18 6656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="d:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="d:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Zune Launcher"="d:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"ShStatEXE"="d:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"McAfeeUpdaterUI"="d:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"bncsaui.exe"="d:\program files\Bradford Networks\Persistent Agent\bncsaui.exe" [2008-06-29 2612616]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin F5D8053 N Wireless USB Adapter Utility.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin F5D8053 N Wireless USB Adapter Utility.lnk
backup=d:\windows\pss\Belkin F5D8053 N Wireless USB Adapter Utility.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Fluffy^Start Menu^Programs^Startup^MagicDisc.lnk]
path=d:\documents and settings\Fluffy\Start Menu\Programs\Startup\MagicDisc.lnk
backup=d:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 d:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-31 14:22 50480 d:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-03 20:50 1603152 d:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-04-03 20:00 644696 d:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2005-08-31 10:06 106496 d:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcxmon.exe]
--a------ 2007-01-12 11:57 292336 d:\program files\Dell Photo AIO Printer 926\dlcxmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
--a------ 2006-11-03 17:04 304008 d:\program files\Dell Photo AIO Printer 926\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 d:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-07-26 02:03 49263 d:\program files\Java\jre1.5.0_08\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 17:35 3587120 d:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-09-26 09:49 35328 d:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVOLOSTA.exe]
-ra------ 2002-09-19 02:32 147541 d:\windows\system32\EVOLOSTA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"aawservice"=2 (0x2)
"helpsvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\StubInstaller.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\AIM6\\aim6.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"d:\\WINDOWS\\system32\\dlcxcoms.exe"=
"d:\\Program Files\\Bradford Networks\\Persistent Agent\\bndaemon.exe"=
"d:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"%windir%\\explorer.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"20651:TCP"= 20651:TCP:BitComet 20651 TCP
"20651:UDP"= 20651:UDP:BitComet 20651 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 EVOLO;Uniden Wireless LAN Driver;d:\windows\system32\DRIVERS\EVOLONDS.sys [2002-09-02 50688]
R3 JL2005;JL2005A Toy Camera; [x]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;d:\windows\system32\DRIVERS\rt2870.sys [2007-03-13 476416]
R4 dlcx_device;dlcx_device;d:\windows\system32\dlcxcoms.exe [2006-10-11 532480]
S2 BNPagent;Bradford Persistent Agent Service;d:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2008-06-29 2944392]
S2 Viewpoint Manager Service;Viewpoint Manager Service;d:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;d:\windows\system32\DRIVERS\USB200M2.sys [2005-04-21 18048]

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - BNPagent
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McAfeeFramework
*Deregistered* - mcdbus
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - MSIServer
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - NetTcpPortSharing
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - Viewpoint Manager Service
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - Wdf01000
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
*Deregistered* - zumbus
*Deregistered* - ZuneBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Loaderw.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-04 d:\windows\Tasks\Norton Security Scan for Fluffy.job
- d:\program files\Norton Security Scan\Nss.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{ff36a9c3-526a-4850-ac75-7bc6c4853e87} - d:\windows\system32\sagujele.dll
HKCU-Run-VirRL2009 - d:\program files\VirRL2009\VirRL2009.exe
HKCU-Run-Aim6 - (no file)
SafeBoot-Wdf01000.sys
MSConfigStartUp-AIM - f:\program files\AIM95\aim.exe
MSConfigStartUp-ANIWZCS2Service - d:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
MSConfigStartUp-D-Link AirPlus G - d:\program files\D-Link\AirPlus G\AirGCFG.exe
MSConfigStartUp-FaxCenterServer - d:\program files\Dell PC Fax\fm3032.exe
MSConfigStartUp-QuickTime Task - d:\program files\QuickTime\QTTask.exe
MSConfigStartUp-ViewMgr - d:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: aol.com\free
FF - ProfilePath - d:\documents and settings\Fluffy\Application Data\Mozilla\Firefox\Profiles\io30lf4m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: d:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: d:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 04:07:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

d:\windows\explorer.exe:extractor6.jpg 110592 bytes executable
d:\windows\explorer.exe:maim2.jpg 800256 bytes executable
d:\windows\explorer.exe:mian.nest.9.10 18944 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
d:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\ati2evxx.exe
d:\windows\system32\ati2evxx.exe
d:\program files\Lavasoft\Ad-Aware\aawservice.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\McAfee\Common Framework\FrameworkService.exe
d:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
d:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
d:\windows\system32\msiexec.exe
d:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
d:\windows\system32\ZuneBusEnum.exe
d:\program files\McAfee\Common Framework\Mctray.exe
d:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
d:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-02-05 4:12:10 - machine was rebooted [Fluffy]
ComboFix-quarantined-files.txt 2009-02-05 09:12:05

Pre-Run: 110,286,700,544 bytes free
Post-Run: 110,650,867,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect ? /NoExecute=OptIn

752 --- E O F --- 2009-02-05 09:09:52

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:00 AM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
D:\WINDOWS\system32\msiexec.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
d:\WINDOWS\system32\ZuneBusEnum.exe
D:\Program Files\Zune\ZuneLauncher.exe
D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
D:\Program Files\Bradford Networks\Persistent Agent\bncsaui.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\DrvMon.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Zune Launcher] "d:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] D:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [SoundMan] D:\WINDOWS\system32\SOUNDMAN.EXE
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [DrvMon.exe] D:\WINDOWS\system32\DrvMon.exe (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [SoundMan] D:\WINDOWS\system32\SOUNDMAN.EXE (User '?')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Unknown owner - D:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5262 bytes

Blade81 · Feb 5, 2009

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitComet

I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

d:\program files\BitComet

Empty Recycle Bin.

After that:

Uninstall Java versions other than Java 6 Update 11

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
d:\windows\system32\lidituhu.dll
d:\windows\system32\pofokago.dll
d:\windows\system32\wutawiko.dll

Folder::
d:\program files\BitComet

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20651:TCP"=-
"20651:UDP"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

Kurt702 · Feb 5, 2009

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, February 5, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, February 05, 2009 07:34:31
Records in database: 1754075
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 58054
Threat name: 29
Infected objects: 89
Suspicious objects: 0
Duration of the scan: 01:02:01

File name / Threat name / Threats count
D:\Documents and Settings\Fluffy\Desktop\Music Files\Download\TMD-Recruit.5.1.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
D:\Installation\CUTEFTP\CUTE30~1.EXE Infected: not-a-virus:AdWare.Win32.Aureate.a 1
D:\Installation\MIRC\MIRC32.EXE Infected: not-a-virus:Client-IRC.Win32.mIRC.56 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\bakevibe.dll.vir Infected: Trojan.Win32.Monderd.l 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\bewivupi.dll.vir Infected: Trojan.Win32.Monder.amxk 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\boduvipe.dll.vir Infected: Trojan.Win32.Agent.bilk 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\debabawe.dll.vir Infected: Backdoor.Win32.Agent.adbl 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\fadonuna.dll.vir Infected: Trojan.Win32.Monder.aede 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\fanenoto.dll.vir Infected: Trojan.Win32.Agent.bfdf 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\fegejuno.dll.vir Infected: Trojan.Win32.Monder.alkr 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\fitivipa.dll.vir Infected: Trojan.Win32.Monder.afvy 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\fiyifine.dll.vir Infected: Trojan.Win32.Monder.amxk 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\folajese.dll.vir Infected: Net-Worm.Win32.Kido.gq 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\fowoluye.dll.vir Infected: Trojan.Win32.Monderd.l 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\fulajivu.dll.vir Infected: Net-Worm.Win32.Kido.gq 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\ganoseho.dll.vir Infected: Backdoor.Win32.Agent.adbl 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\hiwutiwa.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\jatupuni.dll.vir Infected: Trojan.Win32.Monder.gen 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\jehuluka.dll.vir Infected: Backdoor.Win32.Agent.adbl 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\jitodujo.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\kakokaye.dll.vir Infected: Trojan.Win32.Agent.bfdf 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\korayubi.dll.vir Infected: Trojan.Win32.Agent.bfdf 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\kqbzcm.dll.vir Infected: Trojan.Win32.Agent.bktc 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\krzbnn.dll.vir Infected: Trojan.Win32.Monderd.l 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\kuboyohu.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\lawazepa.dll.vir Infected: Trojan.Win32.Monder.amxr 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\lidituhu.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\linatopo.dll.vir Infected: Trojan.Win32.Monder.aidz 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\lugibifi.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\lupeyoyu.dll.vir Infected: Backdoor.Win32.Agent.adbl 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\madudori.dll.vir Infected: Trojan.Win32.Monder.atzw 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\masibovi.dll.tmp.vir Infected: Trojan.Win32.Agent.bilk 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\mccnxj.dll.vir Infected: Trojan.Win32.Monderd.l 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\mnkiri.dll.vir Infected: Trojan.Win32.Agent.bjxa 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\moharira.dll.vir Infected: Backdoor.Win32.Agent.adbl 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\mukameri.dll.vir Infected: Trojan.Win32.Monder.aidz 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\nipurowe.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\nolagube.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\pekobuwe.dll.vir Infected: Trojan.Win32.Agent.bdez 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\pidewaka.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\pofokago.dll.vir Infected: Backdoor.Win32.Agent.aalh 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\ruhufuga.dll.vir Infected: Trojan-Downloader.Win32.BHO.afm 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\rulerujo.dll.vir Infected: Trojan.Win32.Agent.bdez 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\ruyezijo.dll.vir Infected: Trojan.Win32.Monder.afwb 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\solesara.dll.vir Infected: Trojan.Win32.Monder.atzw 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\sujobapi.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\suzezufu.dll.vir Infected: Trojan.Win32.Agent.bjxa 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\swnpxg.dll.vir Infected: Trojan.Win32.Monderd.l 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\tedefibu.dll.vir Infected: Trojan.Win32.Monder.afvy 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\tejulopa.dll.vir Infected: Trojan.Win32.Monder.amxn 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\telezeva.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\tidadegi.dll.vir Infected: Backdoor.Win32.Agent.adbl 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\tifukizi.dll.vir Infected: Trojan.Win32.Monder.aidi 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\vevapada.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\vosuloso.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\vowikewa.dll.vir Infected: Trojan.Win32.Monder.atzw 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\vudutowo.dll.vir Infected: Trojan.Win32.Agent.bktc 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\wamujibo.dll.vir Infected: Backdoor.Win32.Agent.adbl 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\weluyotu.dll.vir Infected: Trojan.Win32.Monder.atzw 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\werihova.dll.vir Infected: Trojan.Win32.Monderd.l 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\wolugeri.dll.vir Infected: Backdoor.Win32.Agent.adbl 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\wutawiko.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\yebineza.dll.vir Infected: Packed.Win32.Krap.f 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\zehejevo.dll.vir Infected: Trojan-Downloader.Win32.Agent.awym 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\zunobuli.dll.vir Infected: Packed.Win32.Krap.f 1
D:\WINDOWS\system32\deyididi.dll Infected: Trojan.Win32.Monder.gen 1
D:\WINDOWS\system32\durumiho.dll Infected: Backdoor.Win32.Agent.aalh 1
D:\WINDOWS\system32\gisodiku.dll Infected: Trojan.Win32.Monder.gen 1
D:\WINDOWS\system32\jigesigu.dll.tmp Infected: Trojan-Downloader.Win32.BHO.afm 1
D:\WINDOWS\system32\jojopedu.dll Infected: Packed.Win32.Krap.f 1
D:\WINDOWS\system32\kabahigo.dll Infected: Trojan.Win32.Monder.alks 1
D:\WINDOWS\system32\kazuzori.dll Infected: Packed.Win32.Krap.f 1
D:\WINDOWS\system32\libetuka.dll Infected: Packed.Win32.Krap.f 1
D:\WINDOWS\system32\lizasaja.dll Infected: Packed.Win32.Krap.f 1
D:\WINDOWS\system32\masowaza.dll Infected: Trojan.Win32.Monder.aidz 1
D:\WINDOWS\system32\matiboka.dll.tmp Infected: Trojan-Downloader.Win32.BHO.afm 1
D:\WINDOWS\system32\pepufebe.dll Infected: Trojan.Win32.Monder.alks 1
D:\WINDOWS\system32\peziraha.dll Infected: Trojan.Win32.Monder.gen 1
D:\WINDOWS\system32\pumoloze.dll.tmp Infected: Trojan-Downloader.Win32.BHO.afm 1
D:\WINDOWS\system32\ravomata.dll Infected: Trojan.Win32.Monder.aidi 1
D:\WINDOWS\system32\SOUNDMAN.EXE Infected: Trojan-Downloader.Win32.Injecter.byy 1
D:\WINDOWS\system32\wowivube.dll Infected: Trojan.Win32.Monder.alks 1
D:\WINDOWS\system32\yevivuki.dll Infected: Trojan.Win32.Monder.aidi 1
D:\WINDOWS\system32\yigenomo.dll Infected: Backdoor.Win32.Agent.aalh 1
D:\WINDOWS\system32\yudosohe.dll Infected: Trojan.Win32.Monder.aidi 1
D:\WINDOWS\system32\zepakoni.dll Infected: Trojan-Spy.Win32.Agent.pni 1
D:\WINDOWS\system32\zopeyuhi.dll Infected: Backdoor.Win32.Agent.aalh 1
D:\WINDOWS\system32\zudisusi.dll Infected: Trojan.Win32.Monder.aidz 1
D:\WINDOWS\system32\zuvararo.dll Infected: Backdoor.Win32.Agent.aalh 1

The selected area was scanned.

ComboFix 09-02-04.01 - Fluffy 2009-02-05 4:47:20.2 - NTFSx86
Running from: d:\documents and settings\Fluffy\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Fluffy\Desktop\Games\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)

FILE ::
d:\windows\system32\lidituhu.dll
d:\windows\system32\pofokago.dll
d:\windows\system32\wutawiko.dll
.
ADS - explorer.exe: deleted 943526 bytes in 7 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\lidituhu.dll
d:\windows\system32\pofokago.dll
d:\windows\system32\wutawiko.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-01-31 18:04 . 2009-01-31 18:04 <DIR> d-------- d:\program files\Trend Micro
2009-01-28 18:06 . 2009-01-28 18:22 <DIR> d-------- d:\windows\Logs
2009-01-28 18:05 . 2009-01-28 18:27 <DIR> d--h----- d:\windows\msdownld.tmp
2009-01-28 16:55 . 2009-01-28 18:32 <DIR> d-------- d:\documents and settings\Fluffy\Application Data\Hamachi
2009-01-28 16:55 . 2009-01-28 16:55 25,280 --a------ d:\windows\system32\drivers\hamachi.sys
2009-01-18 18:03 . 2009-01-18 18:03 6,656 --a------ d:\windows\system32\SOUNDMAN.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 09:43 --------- d-----w d:\program files\Java
2009-02-05 09:12 1,033,728 ----a-w d:\windows\explorer.exe
2009-01-27 19:12 --------- d-----w d:\program files\World of Warcraft
2009-01-15 22:55 127,756 --sha-w d:\windows\system32\zepakoni.dll
2009-01-04 14:13 92,259 ------w d:\windows\system32\masowaza.dll
2009-01-04 02:13 89,319 ------w d:\windows\system32\ravomata.dll
2009-01-03 14:13 92,279 ------w d:\windows\system32\zudisusi.dll
2009-01-03 02:13 89,361 ------w d:\windows\system32\yevivuki.dll
2009-01-02 14:13 89,265 ------w d:\windows\system32\yudosohe.dll
2009-01-02 02:12 86,317 ------w d:\windows\system32\gisodiku.dll
2009-01-01 14:12 84,768 ------w d:\windows\system32\mihuneda.dll
2009-01-01 02:11 84,591 ------w d:\windows\system32\torawima.dll
2008-12-31 14:11 86,190 ------w d:\windows\system32\deyididi.dll
2008-12-31 02:11 86,175 ------w d:\windows\system32\peziraha.dll
2008-12-30 01:45 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-30 00:58 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-12-30 00:51 --------- d-----w d:\program files\Lavasoft
2008-12-30 00:51 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2008-12-30 00:50 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-30 00:33 --------- d-----w d:\documents and settings\Administrator\Application Data\ATI
2008-12-30 00:30 --------- d-----w d:\program files\ATI
2008-12-30 00:26 --------- d-----w d:\program files\Common Files\Symantec Shared
2008-12-30 00:26 --------- d-----w d:\program files\Common Files\Blizzard Entertainment
2008-12-27 23:52 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-12-27 23:52 --------- d-----w d:\program files\ThreatFire
2008-12-27 23:49 --------- d-----w d:\program files\Canon
2008-12-27 23:23 410,984 ----a-w d:\windows\system32\deploytk.dll
2008-12-27 23:19 --------- d-----w d:\program files\DivX
2008-12-25 13:06 84,712 ------w d:\windows\system32\kabahigo.dll
2008-12-25 01:06 84,718 ------w d:\windows\system32\pepufebe.dll
2008-12-24 01:05 84,598 ------w d:\windows\system32\wowivube.dll
2008-12-23 13:05 84,089 ------w d:\windows\system32\jojopedu.dll
2008-12-23 00:04 83,113 ------w d:\windows\system32\kazuzori.dll
2008-12-22 14:24 --------- d-----w d:\documents and settings\Fluffy\Application Data\Media Player Classic
2008-12-22 12:04 87,251 ------w d:\windows\system32\zopeyuhi.dll
2008-12-22 00:04 87,290 ------w d:\windows\system32\durumiho.dll
2008-12-21 12:03 83,154 ------w d:\windows\system32\libetuka.dll
2008-12-20 20:37 --------- d-----w d:\documents and settings\All Users\Application Data\PC Tools
2008-12-20 00:03 83,011 ------w d:\windows\system32\lizasaja.dll
2008-12-19 12:03 87,133 ------w d:\windows\system32\yigenomo.dll
2008-12-19 00:02 87,296 ------w d:\windows\system32\zuvararo.dll
2008-12-15 14:53 --------- d-----w d:\documents and settings\Fluffy\Application Data\AdobeUM
2008-12-15 14:52 --------- d-----w d:\program files\Common Files\Adobe
2008-12-14 23:49 --------- d-----w d:\program files\K-Lite Codec Pack
2008-12-10 19:53 --------- d-----w d:\documents and settings\Fluffy\Application Data\Move Networks
2008-11-21 21:47 524,288 ----a-w d:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w d:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w d:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w d:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w d:\windows\system32\DivXCodecVersionChecker.exe
2008-11-10 17:23 60,032 ----a-w d:\windows\system32\ZuneBusEnum.exe
2008-11-10 17:23 243,840 ----a-w d:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 17:09 73,728 ----a-w d:\windows\system32\ZuneUsbTransport.dll
2008-11-10 17:09 57,344 ----a-w d:\windows\system32\ZuneRegUtil.dll
2008-11-10 17:09 310,272 ----a-w d:\windows\system32\ZuneNetProxy.dll
2008-11-10 17:09 18,944 ----a-w d:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 17:09 145,920 ----a-w d:\windows\system32\ZuneMTPZ.dll
2008-11-10 17:09 12,800 ----a-w d:\windows\system32\ZunePTDNS.dll
2008-04-28 06:57 56 --sh--r d:\windows\system32\E39D4B7680.sys
2008-04-28 06:57 3,350 --sha-w d:\windows\system32\KGyGaAvL.sys
2008-07-06 17:02 32,768 --sha-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070620080707\index.dat
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 d:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 d:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 d:\windows\system32\svchost.exe

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 d:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b d:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 d:\windows\$NtServicePackUninstall$\user32.dll
2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 d:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 d:\windows\$NtUninstallKB925902$\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b d:\windows\ServicePackFiles\i386\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b d:\windows\system32\user32.dll

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 d:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a d:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a d:\windows\system32\ws2_32.dll

2005-10-20 22:38 661504 af785c4947676a7fc1673fdc5c8d0b5b d:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 22:58 663552 c0845ecbf4f9164e618ee381b79c9032 d:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-05-10 00:25 663552 d94cffdb53e7ac867438e2dfd50e7cbc d:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
2006-06-23 06:25 664576 64ce26db72810b30f7855ea51e1df836 d:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
2006-09-14 03:31 664576 d207370287cf769aebebf03837784963 d:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
2006-10-23 10:34 664576 231ef4179acabe486376b5ca893f1076 d:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
2007-01-04 09:05 665088 3ffa1573fc274e5aa7467d03941c45ee d:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
2007-02-20 04:52 665600 b258c922d22deec880b60720531d7627 d:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
2007-04-18 07:46 665600 4261ba03afd659de04f0a17dfbdd454d d:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
2007-06-26 09:35 665600 e1a3dd68b5380b360a7310a64d9bb188 d:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-08-22 07:55 665600 a1bc17eb3758d73c3938b2318820f5b4 d:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 d:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 d:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 08:03 827392 6316c2f0c61271c8abdff7429174879e d:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 22:35 827392 41546b396a526918da7995a02ea04e51 d:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 11:01 827904 c66402a06b83b036c195242c0c8cf83c d:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 04:08 827904 77c192fe56a70d7fa0247ba0a6201c32 d:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 15:24 827904 0d5b75171ff51775b630a431b6c667e8 d:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2004-08-04 07:00 656384 c0823fc5469663ba63e7db88f9919d70 d:\windows\$NtUninstallKB905915$\wininet.dll
2005-10-20 22:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 d:\windows\$NtUninstallKB912812$\wininet.dll
2006-03-03 22:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 d:\windows\$NtUninstallKB916281$\wininet.dll
2006-05-10 00:23 658432 38ab7a56f566d9aaad31812494944824 d:\windows\$NtUninstallKB918899$\wininet.dll
2006-06-23 06:02 658944 2b4db890936430c71419037039502752 d:\windows\$NtUninstallKB922760$\wininet.dll
2006-09-14 03:39 658944 621af3f6174a3f60677f5230e28bcc07 d:\windows\$NtUninstallKB925454$\wininet.dll
2006-10-23 10:17 658944 6b2735adff5a5d3b9130ca4a794722f0 d:\windows\$NtUninstallKB928090$\wininet.dll
2007-01-04 08:37 658944 8c393df5234cbcbff1ee31902d6b40ae d:\windows\$NtUninstallKB931768$\wininet.dll
2007-02-20 04:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 d:\windows\$NtUninstallKB933566$\wininet.dll
2007-04-18 07:31 658944 b7156cd97e739f3014bc4d61758f868a d:\windows\$NtUninstallKB937143$\wininet.dll
2007-06-26 09:09 658944 184e47c8f7b331025e6dc92740db188f d:\windows\$NtUninstallKB939653$\wininet.dll
2007-08-22 08:12 658944 1901ad51da8be9f8b38d5d526e5d1788 d:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 d:\windows\ie7updates\KB942615-IE7\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 d:\windows\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 d:\windows\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 08:06 826368 ad21461aef8244edec2ef18e55e1dcf3 d:\windows\ie7updates\KB950759-IE7\wininet.dll
2008-04-22 23:16 826368 f6589be784647cfdbc22ea51ccb1a57a d:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 11:57 826368 8c13d4a7479fa0a026eda8abce82c0ed d:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 02:24 826368 ef8eba98145bfa44e80d17a3b3453300 d:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-13 19:12 666112 7a4f775abb2f1c97def3e73afa2faedd d:\windows\ServicePackFiles\i386\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 d:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 d:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
2008-10-16 15:38 826368 6741eaf7b7f110e803a6e38f6e5fa6b0 d:\windows\system32\wininet.dll
2008-10-16 15:38 826368 6741eaf7b7f110e803a6e38f6e5fa6b0 d:\windows\system32\dllcache\wininet.dll

2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 d:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 d:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 d:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e d:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 d:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:00 359040 9f4b36614a0fc234525ba224957de55c d:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 d:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 d:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 d:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 d:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d d:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d d:\windows\system32\drivers\tcpip.sys

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe d:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e d:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e d:\windows\system32\winlogon.exe

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e d:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d d:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d d:\windows\system32\drivers\ndis.sys

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 d:\windows\$NtServicePackUninstall$\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 d:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 d:\windows\system32\drivers\ip6fw.sys

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b d:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 11:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d d:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba d:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-08-14 14:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 d:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 d:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 07:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 d:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 d:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 07:55 2057600 1d659bfb788ed2ba45075624b748d249 d:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 d:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 d:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\system32\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\system32\dllcache\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb d:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 11:51 2182016 cef243f6defd20be4adde26c7ecacb54 d:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 d:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2008-08-14 15:11 2189184 31914172342bff330063f343ac6958fe d:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c d:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 d:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e d:\windows\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 09:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f d:\windows\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 d:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 d:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\system32\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\system32\dllcache\ntoskrnl.exe

2009-02-05 04:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 d:\windows\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 d:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 d:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 d:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 d:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 d:\windows\$NtServicePackUninstall$\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 d:\windows\ServicePackFiles\i386\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 d:\windows\system32\services.exe

2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 d:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 d:\windows\ServicePackFiles\i386\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 d:\windows\system32\lsass.exe

2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 d:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 d:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 d:\windows\system32\ctfmon.exe

2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 d:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f d:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 d:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b d:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b d:\windows\system32\spoolsv.exe

2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff d:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 d:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 d:\windows\system32\userinit.exe

2004-08-04 12:00 295424 b60c877d16d9c880b952fda04adf16e6 d:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f d:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f d:\windows\system32\termsrv.dll

2006-07-05 05:57 985088 0fdd84928a5dde2510761b7ec76ccec9 d:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 11:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 d:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d d:\windows\$NtServicePackUninstall$\kernel32.dll
2004-08-04 07:00 983552 888190e31455fad793312f8d087146eb d:\windows\$NtUninstallKB917422$\kernel32.dll
2006-07-05 05:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 d:\windows\$NtUninstallKB935839$\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d d:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d d:\windows\system32\kernel32.dll

2004-08-04 07:00 17408 1b5f6923abb450692e9fe0672c897aed d:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 d:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 d:\windows\system32\powrprof.dll
.
((((((((((((((((((((((((((((( snapshot@2009-02-05_ 4.11.08.20 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DrvMon.exe"="d:\windows\system32\DrvMon.exe" [2006-06-14 53248]
"SoundMan"="d:\windows\system32\SOUNDMAN.EXE" [2009-01-18 6656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="d:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="d:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Zune Launcher"="d:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"ShStatEXE"="d:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"McAfeeUpdaterUI"="d:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"bncsaui.exe"="d:\program files\Bradford Networks\Persistent Agent\bncsaui.exe" [2008-06-29 2612616]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin F5D8053 N Wireless USB Adapter Utility.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin F5D8053 N Wireless USB Adapter Utility.lnk
backup=d:\windows\pss\Belkin F5D8053 N Wireless USB Adapter Utility.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Fluffy^Start Menu^Programs^Startup^MagicDisc.lnk]
path=d:\documents and settings\Fluffy\Start Menu\Programs\Startup\MagicDisc.lnk
backup=d:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 d:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-31 14:22 50480 d:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-03 20:50 1603152 d:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-04-03 20:00 644696 d:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2005-08-31 10:06 106496 d:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcxmon.exe]
--a------ 2007-01-12 11:57 292336 d:\program files\Dell Photo AIO Printer 926\dlcxmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
--a------ 2006-11-03 17:04 304008 d:\program files\Dell Photo AIO Printer 926\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 d:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-07-26 02:03 49263 d:\program files\Java\jre1.5.0_08\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 17:35 3587120 d:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-09-26 09:49 35328 d:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVOLOSTA.exe]
-ra------ 2002-09-19 02:32 147541 d:\windows\system32\EVOLOSTA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"aawservice"=2 (0x2)
"helpsvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\StubInstaller.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\AIM6\\aim6.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"d:\\WINDOWS\\system32\\dlcxcoms.exe"=
"d:\\Program Files\\Bradford Networks\\Persistent Agent\\bndaemon.exe"=
"d:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"%windir%\\explorer.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 EVOLO;Uniden Wireless LAN Driver;d:\windows\system32\DRIVERS\EVOLONDS.sys [2002-09-02 50688]
R3 JL2005;JL2005A Toy Camera; [x]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;d:\windows\system32\DRIVERS\rt2870.sys [2007-03-13 476416]
R4 dlcx_device;dlcx_device;d:\windows\system32\dlcxcoms.exe [2006-10-11 532480]
S2 BNPagent;Bradford Persistent Agent Service;d:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2008-06-29 2944392]
S2 Viewpoint Manager Service;Viewpoint Manager Service;d:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;d:\windows\system32\DRIVERS\USB200M2.sys [2005-04-21 18048]

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AppMgmt
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - BNPagent
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McAfeeFramework
*Deregistered* - mcdbus
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - MSIServer
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - NetTcpPortSharing
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - Viewpoint Manager Service
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - Wdf01000
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
*Deregistered* - zumbus
*Deregistered* - ZuneBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Loaderw.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-04 d:\windows\Tasks\Norton Security Scan for Fluffy.job
- d:\program files\Norton Security Scan\Nss.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: aol.com\free
FF - ProfilePath - d:\documents and settings\Fluffy\Application Data\Mozilla\Firefox\Profiles\io30lf4m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: d:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: d:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 04:48:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
d:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-05 4:50:08
ComboFix-quarantined-files.txt 2009-02-05 09:49:55
ComboFix2.txt 2009-02-05 09:12:11

Pre-Run: 110,626,557,952 bytes free
Post-Run: 110,699,528,192 bytes free

491 --- E O F --- 2009-02-05 09:09:52

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:49 AM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
d:\WINDOWS\system32\ZuneBusEnum.exe
D:\Program Files\Zune\ZuneLauncher.exe
D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
D:\Program Files\Bradford Networks\Persistent Agent\bncsaui.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\DrvMon.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Microsoft Office\Office12\WINWORD.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Java\jre6\bin\java.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Zune Launcher] "d:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] D:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [SoundMan] D:\WINDOWS\system32\SOUNDMAN.EXE
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [DrvMon.exe] D:\WINDOWS\system32\DrvMon.exe (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [SoundMan] D:\WINDOWS\system32\SOUNDMAN.EXE (User '?')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Unknown owner - D:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5588 bytes

Blade81 · Feb 5, 2009

Hi,

Seems that you didn't uninstall all vulnerable Java versions yet. Please do so now since even one of these vulnerable ones puts your system under threat.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
D:\Installation\CUTEFTP\CUTE30~1.EXE
D:\WINDOWS\system32\deyididi.dll
D:\WINDOWS\system32\durumiho.dll
D:\WINDOWS\system32\gisodiku.dll
D:\WINDOWS\system32\jigesigu.dll.tmp
D:\WINDOWS\system32\jojopedu.dll
D:\WINDOWS\system32\kabahigo.dll
D:\WINDOWS\system32\kazuzori.dll
D:\WINDOWS\system32\libetuka.dll
D:\WINDOWS\system32\lizasaja.dll
D:\WINDOWS\system32\masowaza.dll
D:\WINDOWS\system32\matiboka.dll.tmp
D:\WINDOWS\system32\pepufebe.dll
D:\WINDOWS\system32\peziraha.dll
D:\WINDOWS\system32\pumoloze.dll.tmp
D:\WINDOWS\system32\ravomata.dll
D:\WINDOWS\system32\SOUNDMAN.EXE
D:\WINDOWS\system32\wowivube.dll
D:\WINDOWS\system32\yevivuki.dll
D:\WINDOWS\system32\yigenomo.dll
D:\WINDOWS\system32\yudosohe.dll
D:\WINDOWS\system32\zepakoni.dll
D:\WINDOWS\system32\zopeyuhi.dll
D:\WINDOWS\system32\zudisusi.dll
D:\WINDOWS\system32\zuvararo.dll
d:\windows\system32\mihuneda.dll
d:\windows\system32\torawima.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\StubInstaller.exe"=-
"%windir%\\explorer.exe"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. How's the system running?

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Kurt702 · Feb 5, 2009

Hi and sorry for the trouble. I thought I removed the outdated Java versions, but apparently I had not. When I tried to remove J2SE Runtime Environment 5.0 Update 3 and 8 I received an error reading as follows: "Error applying transforms. Verify the specified transform paths are valid." I then went ahead and went into the D:\Program Files\Java and deleted the folders from there. I don't know if that solves the problem. Never the less, these are my logs after doing so.

ComboFix 09-02-04.01 - Fluffy 2009-02-05 15:48:47.3 - NTFSx86
Running from: d:\documents and settings\Fluffy\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Fluffy\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-01-31 18:04 . 2009-01-31 18:04 <DIR> d-------- d:\program files\Trend Micro
2009-01-28 18:06 . 2009-01-28 18:22 <DIR> d-------- d:\windows\Logs
2009-01-28 18:05 . 2009-01-28 18:27 <DIR> d--h----- d:\windows\msdownld.tmp
2009-01-28 16:55 . 2009-01-28 18:32 <DIR> d-------- d:\documents and settings\Fluffy\Application Data\Hamachi
2009-01-28 16:55 . 2009-01-28 16:55 25,280 --a------ d:\windows\system32\drivers\hamachi.sys
2009-01-18 18:03 . 2009-01-18 18:03 6,656 --a------ d:\windows\system32\SOUNDMAN.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 20:45 --------- d-----w d:\program files\Java
2009-02-05 09:12 1,033,728 ----a-w d:\windows\explorer.exe
2009-01-27 19:12 --------- d-----w d:\program files\World of Warcraft
2009-01-15 22:55 127,756 --sha-w d:\windows\system32\zepakoni.dll
2009-01-04 14:13 92,259 ------w d:\windows\system32\masowaza.dll
2009-01-04 02:13 89,319 ------w d:\windows\system32\ravomata.dll
2009-01-03 14:13 92,279 ------w d:\windows\system32\zudisusi.dll
2009-01-03 02:13 89,361 ------w d:\windows\system32\yevivuki.dll
2009-01-02 14:13 89,265 ------w d:\windows\system32\yudosohe.dll
2009-01-02 02:12 86,317 ------w d:\windows\system32\gisodiku.dll
2009-01-01 14:12 84,768 ------w d:\windows\system32\mihuneda.dll
2009-01-01 02:11 84,591 ------w d:\windows\system32\torawima.dll
2008-12-31 14:11 86,190 ------w d:\windows\system32\deyididi.dll
2008-12-31 02:11 86,175 ------w d:\windows\system32\peziraha.dll
2008-12-30 01:45 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-30 00:58 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-12-30 00:51 --------- d-----w d:\program files\Lavasoft
2008-12-30 00:51 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2008-12-30 00:50 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-30 00:33 --------- d-----w d:\documents and settings\Administrator\Application Data\ATI
2008-12-30 00:30 --------- d-----w d:\program files\ATI
2008-12-30 00:26 --------- d-----w d:\program files\Common Files\Symantec Shared
2008-12-30 00:26 --------- d-----w d:\program files\Common Files\Blizzard Entertainment
2008-12-27 23:52 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-12-27 23:52 --------- d-----w d:\program files\ThreatFire
2008-12-27 23:49 --------- d-----w d:\program files\Canon
2008-12-27 23:23 410,984 ----a-w d:\windows\system32\deploytk.dll
2008-12-27 23:19 --------- d-----w d:\program files\DivX
2008-12-25 13:06 84,712 ------w d:\windows\system32\kabahigo.dll
2008-12-25 01:06 84,718 ------w d:\windows\system32\pepufebe.dll
2008-12-24 01:05 84,598 ------w d:\windows\system32\wowivube.dll
2008-12-23 13:05 84,089 ------w d:\windows\system32\jojopedu.dll
2008-12-23 00:04 83,113 ------w d:\windows\system32\kazuzori.dll
2008-12-22 14:24 --------- d-----w d:\documents and settings\Fluffy\Application Data\Media Player Classic
2008-12-22 12:04 87,251 ------w d:\windows\system32\zopeyuhi.dll
2008-12-22 00:04 87,290 ------w d:\windows\system32\durumiho.dll
2008-12-21 12:03 83,154 ------w d:\windows\system32\libetuka.dll
2008-12-20 20:37 --------- d-----w d:\documents and settings\All Users\Application Data\PC Tools
2008-12-20 00:03 83,011 ------w d:\windows\system32\lizasaja.dll
2008-12-19 12:03 87,133 ------w d:\windows\system32\yigenomo.dll
2008-12-19 00:02 87,296 ------w d:\windows\system32\zuvararo.dll
2008-12-15 14:53 --------- d-----w d:\documents and settings\Fluffy\Application Data\AdobeUM
2008-12-15 14:52 --------- d-----w d:\program files\Common Files\Adobe
2008-12-14 23:49 --------- d-----w d:\program files\K-Lite Codec Pack
2008-12-10 19:53 --------- d-----w d:\documents and settings\Fluffy\Application Data\Move Networks
2008-11-21 21:47 524,288 ----a-w d:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w d:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w d:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w d:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w d:\windows\system32\DivXCodecVersionChecker.exe
2008-11-10 17:23 60,032 ----a-w d:\windows\system32\ZuneBusEnum.exe
2008-11-10 17:23 243,840 ----a-w d:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 17:09 73,728 ----a-w d:\windows\system32\ZuneUsbTransport.dll
2008-11-10 17:09 57,344 ----a-w d:\windows\system32\ZuneRegUtil.dll
2008-11-10 17:09 310,272 ----a-w d:\windows\system32\ZuneNetProxy.dll
2008-11-10 17:09 18,944 ----a-w d:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 17:09 145,920 ----a-w d:\windows\system32\ZuneMTPZ.dll
2008-11-10 17:09 12,800 ----a-w d:\windows\system32\ZunePTDNS.dll
2008-04-28 06:57 56 --sh--r d:\windows\system32\E39D4B7680.sys
2008-04-28 06:57 3,350 --sha-w d:\windows\system32\KGyGaAvL.sys
2008-07-06 17:02 32,768 --sha-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070620080707\index.dat
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 d:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 d:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 d:\windows\system32\svchost.exe

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 d:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b d:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 d:\windows\$NtServicePackUninstall$\user32.dll
2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 d:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 d:\windows\$NtUninstallKB925902$\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b d:\windows\ServicePackFiles\i386\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b d:\windows\system32\user32.dll

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 d:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a d:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a d:\windows\system32\ws2_32.dll

2005-10-20 22:38 661504 af785c4947676a7fc1673fdc5c8d0b5b d:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 22:58 663552 c0845ecbf4f9164e618ee381b79c9032 d:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-05-10 00:25 663552 d94cffdb53e7ac867438e2dfd50e7cbc d:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
2006-06-23 06:25 664576 64ce26db72810b30f7855ea51e1df836 d:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
2006-09-14 03:31 664576 d207370287cf769aebebf03837784963 d:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
2006-10-23 10:34 664576 231ef4179acabe486376b5ca893f1076 d:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
2007-01-04 09:05 665088 3ffa1573fc274e5aa7467d03941c45ee d:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
2007-02-20 04:52 665600 b258c922d22deec880b60720531d7627 d:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
2007-04-18 07:46 665600 4261ba03afd659de04f0a17dfbdd454d d:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
2007-06-26 09:35 665600 e1a3dd68b5380b360a7310a64d9bb188 d:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-08-22 07:55 665600 a1bc17eb3758d73c3938b2318820f5b4 d:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 d:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 d:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 08:03 827392 6316c2f0c61271c8abdff7429174879e d:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 22:35 827392 41546b396a526918da7995a02ea04e51 d:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 11:01 827904 c66402a06b83b036c195242c0c8cf83c d:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 04:08 827904 77c192fe56a70d7fa0247ba0a6201c32 d:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 15:24 827904 0d5b75171ff51775b630a431b6c667e8 d:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2004-08-04 07:00 656384 c0823fc5469663ba63e7db88f9919d70 d:\windows\$NtUninstallKB905915$\wininet.dll
2005-10-20 22:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 d:\windows\$NtUninstallKB912812$\wininet.dll
2006-03-03 22:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 d:\windows\$NtUninstallKB916281$\wininet.dll
2006-05-10 00:23 658432 38ab7a56f566d9aaad31812494944824 d:\windows\$NtUninstallKB918899$\wininet.dll
2006-06-23 06:02 658944 2b4db890936430c71419037039502752 d:\windows\$NtUninstallKB922760$\wininet.dll
2006-09-14 03:39 658944 621af3f6174a3f60677f5230e28bcc07 d:\windows\$NtUninstallKB925454$\wininet.dll
2006-10-23 10:17 658944 6b2735adff5a5d3b9130ca4a794722f0 d:\windows\$NtUninstallKB928090$\wininet.dll
2007-01-04 08:37 658944 8c393df5234cbcbff1ee31902d6b40ae d:\windows\$NtUninstallKB931768$\wininet.dll
2007-02-20 04:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 d:\windows\$NtUninstallKB933566$\wininet.dll
2007-04-18 07:31 658944 b7156cd97e739f3014bc4d61758f868a d:\windows\$NtUninstallKB937143$\wininet.dll
2007-06-26 09:09 658944 184e47c8f7b331025e6dc92740db188f d:\windows\$NtUninstallKB939653$\wininet.dll
2007-08-22 08:12 658944 1901ad51da8be9f8b38d5d526e5d1788 d:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 d:\windows\ie7updates\KB942615-IE7\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 d:\windows\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 d:\windows\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 08:06 826368 ad21461aef8244edec2ef18e55e1dcf3 d:\windows\ie7updates\KB950759-IE7\wininet.dll
2008-04-22 23:16 826368 f6589be784647cfdbc22ea51ccb1a57a d:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 11:57 826368 8c13d4a7479fa0a026eda8abce82c0ed d:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 02:24 826368 ef8eba98145bfa44e80d17a3b3453300 d:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-13 19:12 666112 7a4f775abb2f1c97def3e73afa2faedd d:\windows\ServicePackFiles\i386\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 d:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 d:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
2008-10-16 15:38 826368 6741eaf7b7f110e803a6e38f6e5fa6b0 d:\windows\system32\wininet.dll
2008-10-16 15:38 826368 6741eaf7b7f110e803a6e38f6e5fa6b0 d:\windows\system32\dllcache\wininet.dll

2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 d:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 d:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 d:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e d:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 d:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:00 359040 9f4b36614a0fc234525ba224957de55c d:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 d:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 d:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 d:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 d:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d d:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d d:\windows\system32\drivers\tcpip.sys

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe d:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e d:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e d:\windows\system32\winlogon.exe

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e d:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d d:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d d:\windows\system32\drivers\ndis.sys

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 d:\windows\$NtServicePackUninstall$\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 d:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 d:\windows\system32\drivers\ip6fw.sys

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b d:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 11:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d d:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba d:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-08-14 14:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 d:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 d:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 07:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 d:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 d:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 07:55 2057600 1d659bfb788ed2ba45075624b748d249 d:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 d:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 d:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\system32\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\system32\dllcache\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb d:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 11:51 2182016 cef243f6defd20be4adde26c7ecacb54 d:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 d:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2008-08-14 15:11 2189184 31914172342bff330063f343ac6958fe d:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c d:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 d:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e d:\windows\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 09:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f d:\windows\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 d:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 d:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\system32\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\system32\dllcache\ntoskrnl.exe

2009-02-05 04:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 d:\windows\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 d:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 d:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 d:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 d:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 d:\windows\$NtServicePackUninstall$\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 d:\windows\ServicePackFiles\i386\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 d:\windows\system32\services.exe

2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 d:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 d:\windows\ServicePackFiles\i386\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 d:\windows\system32\lsass.exe

2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 d:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 d:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 d:\windows\system32\ctfmon.exe

2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 d:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f d:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 d:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b d:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b d:\windows\system32\spoolsv.exe

2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff d:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 d:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 d:\windows\system32\userinit.exe

2004-08-04 12:00 295424 b60c877d16d9c880b952fda04adf16e6 d:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f d:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f d:\windows\system32\termsrv.dll

2006-07-05 05:57 985088 0fdd84928a5dde2510761b7ec76ccec9 d:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 11:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 d:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d d:\windows\$NtServicePackUninstall$\kernel32.dll
2004-08-04 07:00 983552 888190e31455fad793312f8d087146eb d:\windows\$NtUninstallKB917422$\kernel32.dll
2006-07-05 05:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 d:\windows\$NtUninstallKB935839$\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d d:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d d:\windows\system32\kernel32.dll

2004-08-04 07:00 17408 1b5f6923abb450692e9fe0672c897aed d:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 d:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 d:\windows\system32\powrprof.dll
.
((((((((((((((((((((((((((((( snapshot@2009-02-05_ 4.11.08.20 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DrvMon.exe"="d:\windows\system32\DrvMon.exe" [2006-06-14 53248]
"SoundMan"="d:\windows\system32\SOUNDMAN.EXE" [2009-01-18 6656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="d:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="d:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Zune Launcher"="d:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"ShStatEXE"="d:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"McAfeeUpdaterUI"="d:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"bncsaui.exe"="d:\program files\Bradford Networks\Persistent Agent\bncsaui.exe" [2008-06-29 2612616]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin F5D8053 N Wireless USB Adapter Utility.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin F5D8053 N Wireless USB Adapter Utility.lnk
backup=d:\windows\pss\Belkin F5D8053 N Wireless USB Adapter Utility.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Fluffy^Start Menu^Programs^Startup^MagicDisc.lnk]
path=d:\documents and settings\Fluffy\Start Menu\Programs\Startup\MagicDisc.lnk
backup=d:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 d:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-31 14:22 50480 d:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-03 20:50 1603152 d:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-04-03 20:00 644696 d:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2005-08-31 10:06 106496 d:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcxmon.exe]
--a------ 2007-01-12 11:57 292336 d:\program files\Dell Photo AIO Printer 926\dlcxmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
--a------ 2006-11-03 17:04 304008 d:\program files\Dell Photo AIO Printer 926\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 d:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 17:35 3587120 d:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-09-26 09:49 35328 d:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVOLOSTA.exe]
-ra------ 2002-09-19 02:32 147541 d:\windows\system32\EVOLOSTA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"aawservice"=2 (0x2)
"helpsvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\AIM6\\aim6.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"d:\\WINDOWS\\system32\\dlcxcoms.exe"=
"d:\\Program Files\\Bradford Networks\\Persistent Agent\\bndaemon.exe"=
"d:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 EVOLO;Uniden Wireless LAN Driver;d:\windows\system32\DRIVERS\EVOLONDS.sys [2002-09-02 50688]
R3 JL2005;JL2005A Toy Camera; [x]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;d:\windows\system32\DRIVERS\rt2870.sys [2007-03-13 476416]
R4 dlcx_device;dlcx_device;d:\windows\system32\dlcxcoms.exe [2006-10-11 532480]
S2 BNPagent;Bradford Persistent Agent Service;d:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2008-06-29 2944392]
S2 Viewpoint Manager Service;Viewpoint Manager Service;d:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;d:\windows\system32\DRIVERS\USB200M2.sys [2005-04-21 18048]

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AppMgmt
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - BNPagent
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McAfeeFramework
*Deregistered* - mcdbus
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - MSIServer
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - NetTcpPortSharing
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - Viewpoint Manager Service
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - Wdf01000
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
*Deregistered* - zumbus
*Deregistered* - ZuneBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Loaderw.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-04 d:\windows\Tasks\Norton Security Scan for Fluffy.job
- d:\program files\Norton Security Scan\Nss.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - d:\program files\Java\jre1.5.0_08\bin\jusched.exe

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: aol.com\free
FF - ProfilePath - d:\documents and settings\Fluffy\Application Data\Mozilla\Firefox\Profiles\io30lf4m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: d:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: d:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 15:50:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
d:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-05 15:52:54
ComboFix-quarantined-files.txt 2009-02-05 20:52:45
ComboFix2.txt 2009-02-05 09:50:09
ComboFix3.txt 2009-02-05 09:12:11

Pre-Run: 110,791,639,040 bytes free
Post-Run: 110,840,610,816 bytes free

479 --- E O F --- 2009-02-05 09:09:52

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:13 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
d:\WINDOWS\system32\ZuneBusEnum.exe
D:\Program Files\Zune\ZuneLauncher.exe
D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
D:\Program Files\Bradford Networks\Persistent Agent\bncsaui.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\DrvMon.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\AIM6\aim6.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Winamp\winamp.exe
D:\WINDOWS\system32\msiexec.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Zune Launcher] "d:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] D:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [SoundMan] D:\WINDOWS\system32\SOUNDMAN.EXE
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [DrvMon.exe] D:\WINDOWS\system32\DrvMon.exe (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [SoundMan] D:\WINDOWS\system32\SOUNDMAN.EXE (User '?')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Unknown owner - D:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5632 bytes

Blade81 · Feb 6, 2009

Hi again,

Please download and run Windows Installer CleanUp Utility and clean signs of those two old Java entries.

Is your McAfee license still valid?

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
d:\windows\system32\zepakoni.dll
d:\windows\system32\masowaza.dll
d:\windows\system32\ravomata.dll
d:\windows\system32\zudisusi.dll
d:\windows\system32\yevivuki.dll
d:\windows\system32\yudosohe.dll
d:\windows\system32\gisodiku.dll
d:\windows\system32\mihuneda.dll
d:\windows\system32\torawima.dll
d:\windows\system32\deyididi.dll
d:\windows\system32\peziraha.dll
d:\windows\system32\kabahigo.dll
d:\windows\system32\pepufebe.dll
d:\windows\system32\wowivube.dll
d:\windows\system32\jojopedu.dll
d:\windows\system32\kazuzori.dll
d:\windows\system32\zopeyuhi.dll
d:\windows\system32\durumiho.dll
d:\windows\system32\libetuka.dll
d:\windows\system32\lizasaja.dll
d:\windows\system32\yigenomo.dll
d:\windows\system32\zuvararo.dll

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. How's the system running?

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Kurt702 · Feb 6, 2009

Hello, I downloaded Windows Installer Cleanup Utility and removed the two old Java entries as instructed. I am fairly certain that my McAfee license is still valid, though it was not updated. I updated now, and re-enabled after running Combofix and HJT.

ComboFix 09-02-04.01 - Fluffy 2009-02-06 15:57:15.4 - NTFSx86
Running from: d:\documents and settings\Fluffy\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Fluffy\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)

FILE ::
d:\windows\system32\deyididi.dll
d:\windows\system32\durumiho.dll
d:\windows\system32\gisodiku.dll
d:\windows\system32\jojopedu.dll
d:\windows\system32\kabahigo.dll
d:\windows\system32\kazuzori.dll
d:\windows\system32\libetuka.dll
d:\windows\system32\lizasaja.dll
d:\windows\system32\masowaza.dll
d:\windows\system32\mihuneda.dll
d:\windows\system32\pepufebe.dll
d:\windows\system32\peziraha.dll
d:\windows\system32\ravomata.dll
d:\windows\system32\torawima.dll
d:\windows\system32\wowivube.dll
d:\windows\system32\yevivuki.dll
d:\windows\system32\yigenomo.dll
d:\windows\system32\yudosohe.dll
d:\windows\system32\zepakoni.dll
d:\windows\system32\zopeyuhi.dll
d:\windows\system32\zudisusi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\deyididi.dll
d:\windows\system32\durumiho.dll
d:\windows\system32\gisodiku.dll
d:\windows\system32\jojopedu.dll
d:\windows\system32\kabahigo.dll
d:\windows\system32\kazuzori.dll
d:\windows\system32\libetuka.dll
d:\windows\system32\lizasaja.dll
d:\windows\system32\masowaza.dll
d:\windows\system32\mihuneda.dll
d:\windows\system32\pepufebe.dll
d:\windows\system32\peziraha.dll
d:\windows\system32\ravomata.dll
d:\windows\system32\torawima.dll
d:\windows\system32\wowivube.dll
d:\windows\system32\yevivuki.dll
d:\windows\system32\yigenomo.dll
d:\windows\system32\yudosohe.dll
d:\windows\system32\zepakoni.dll
d:\windows\system32\zopeyuhi.dll
d:\windows\system32\zudisusi.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-06 15:47 . 2009-02-06 15:47 <DIR> d-------- d:\program files\Windows Installer Clean Up
2009-02-06 15:46 . 2009-02-06 15:46 <DIR> d-------- d:\program files\MSECACHE
2009-01-31 18:04 . 2009-01-31 18:04 <DIR> d-------- d:\program files\Trend Micro
2009-01-28 18:06 . 2009-01-28 18:22 <DIR> d-------- d:\windows\Logs
2009-01-28 18:05 . 2009-01-28 18:27 <DIR> d--h----- d:\windows\msdownld.tmp
2009-01-28 16:55 . 2009-01-28 18:32 <DIR> d-------- d:\documents and settings\Fluffy\Application Data\Hamachi
2009-01-28 16:55 . 2009-01-28 16:55 25,280 --a------ d:\windows\system32\drivers\hamachi.sys
2009-01-18 18:03 . 2009-01-18 18:03 6,656 --a------ d:\windows\system32\SOUNDMAN.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 20:45 --------- d-----w d:\program files\Java
2009-02-05 09:12 1,033,728 ----a-w d:\windows\explorer.exe
2009-01-27 19:12 --------- d-----w d:\program files\World of Warcraft
2008-12-30 01:45 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-30 00:58 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-12-30 00:51 --------- d-----w d:\program files\Lavasoft
2008-12-30 00:51 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2008-12-30 00:50 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-30 00:33 --------- d-----w d:\documents and settings\Administrator\Application Data\ATI
2008-12-30 00:30 --------- d-----w d:\program files\ATI
2008-12-30 00:26 --------- d-----w d:\program files\Common Files\Symantec Shared
2008-12-30 00:26 --------- d-----w d:\program files\Common Files\Blizzard Entertainment
2008-12-27 23:52 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-12-27 23:52 --------- d-----w d:\program files\ThreatFire
2008-12-27 23:49 --------- d-----w d:\program files\Canon
2008-12-27 23:23 410,984 ----a-w d:\windows\system32\deploytk.dll
2008-12-27 23:19 --------- d-----w d:\program files\DivX
2008-12-22 14:24 --------- d-----w d:\documents and settings\Fluffy\Application Data\Media Player Classic
2008-12-20 20:37 --------- d-----w d:\documents and settings\All Users\Application Data\PC Tools
2008-12-19 00:02 87,296 ------w d:\windows\system32\zuvararo.dll
2008-12-15 14:53 --------- d-----w d:\documents and settings\Fluffy\Application Data\AdobeUM
2008-12-15 14:52 --------- d-----w d:\program files\Common Files\Adobe
2008-12-14 23:49 --------- d-----w d:\program files\K-Lite Codec Pack
2008-12-10 19:53 --------- d-----w d:\documents and settings\Fluffy\Application Data\Move Networks
2008-11-21 21:47 524,288 ----a-w d:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w d:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w d:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w d:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w d:\windows\system32\DivXCodecVersionChecker.exe
2008-11-10 17:23 60,032 ----a-w d:\windows\system32\ZuneBusEnum.exe
2008-11-10 17:23 243,840 ----a-w d:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 17:09 73,728 ----a-w d:\windows\system32\ZuneUsbTransport.dll
2008-11-10 17:09 57,344 ----a-w d:\windows\system32\ZuneRegUtil.dll
2008-11-10 17:09 310,272 ----a-w d:\windows\system32\ZuneNetProxy.dll
2008-11-10 17:09 18,944 ----a-w d:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 17:09 145,920 ----a-w d:\windows\system32\ZuneMTPZ.dll
2008-11-10 17:09 12,800 ----a-w d:\windows\system32\ZunePTDNS.dll
2008-04-28 06:57 56 --sh--r d:\windows\system32\E39D4B7680.sys
2008-04-28 06:57 3,350 --sha-w d:\windows\system32\KGyGaAvL.sys
2008-07-06 17:02 32,768 --sha-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070620080707\index.dat
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 d:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 d:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 d:\windows\system32\svchost.exe

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 d:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b d:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 d:\windows\$NtServicePackUninstall$\user32.dll
2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 d:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 d:\windows\$NtUninstallKB925902$\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b d:\windows\ServicePackFiles\i386\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b d:\windows\system32\user32.dll

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 d:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a d:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a d:\windows\system32\ws2_32.dll

2005-10-20 22:38 661504 af785c4947676a7fc1673fdc5c8d0b5b d:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 22:58 663552 c0845ecbf4f9164e618ee381b79c9032 d:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-05-10 00:25 663552 d94cffdb53e7ac867438e2dfd50e7cbc d:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
2006-06-23 06:25 664576 64ce26db72810b30f7855ea51e1df836 d:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
2006-09-14 03:31 664576 d207370287cf769aebebf03837784963 d:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
2006-10-23 10:34 664576 231ef4179acabe486376b5ca893f1076 d:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
2007-01-04 09:05 665088 3ffa1573fc274e5aa7467d03941c45ee d:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
2007-02-20 04:52 665600 b258c922d22deec880b60720531d7627 d:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
2007-04-18 07:46 665600 4261ba03afd659de04f0a17dfbdd454d d:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
2007-06-26 09:35 665600 e1a3dd68b5380b360a7310a64d9bb188 d:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-08-22 07:55 665600 a1bc17eb3758d73c3938b2318820f5b4 d:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 d:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 d:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 08:03 827392 6316c2f0c61271c8abdff7429174879e d:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 22:35 827392 41546b396a526918da7995a02ea04e51 d:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 11:01 827904 c66402a06b83b036c195242c0c8cf83c d:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 04:08 827904 77c192fe56a70d7fa0247ba0a6201c32 d:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 15:24 827904 0d5b75171ff51775b630a431b6c667e8 d:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2004-08-04 07:00 656384 c0823fc5469663ba63e7db88f9919d70 d:\windows\$NtUninstallKB905915$\wininet.dll
2005-10-20 22:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 d:\windows\$NtUninstallKB912812$\wininet.dll
2006-03-03 22:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 d:\windows\$NtUninstallKB916281$\wininet.dll
2006-05-10 00:23 658432 38ab7a56f566d9aaad31812494944824 d:\windows\$NtUninstallKB918899$\wininet.dll
2006-06-23 06:02 658944 2b4db890936430c71419037039502752 d:\windows\$NtUninstallKB922760$\wininet.dll
2006-09-14 03:39 658944 621af3f6174a3f60677f5230e28bcc07 d:\windows\$NtUninstallKB925454$\wininet.dll
2006-10-23 10:17 658944 6b2735adff5a5d3b9130ca4a794722f0 d:\windows\$NtUninstallKB928090$\wininet.dll
2007-01-04 08:37 658944 8c393df5234cbcbff1ee31902d6b40ae d:\windows\$NtUninstallKB931768$\wininet.dll
2007-02-20 04:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 d:\windows\$NtUninstallKB933566$\wininet.dll
2007-04-18 07:31 658944 b7156cd97e739f3014bc4d61758f868a d:\windows\$NtUninstallKB937143$\wininet.dll
2007-06-26 09:09 658944 184e47c8f7b331025e6dc92740db188f d:\windows\$NtUninstallKB939653$\wininet.dll
2007-08-22 08:12 658944 1901ad51da8be9f8b38d5d526e5d1788 d:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 d:\windows\ie7updates\KB942615-IE7\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 d:\windows\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 d:\windows\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 08:06 826368 ad21461aef8244edec2ef18e55e1dcf3 d:\windows\ie7updates\KB950759-IE7\wininet.dll
2008-04-22 23:16 826368 f6589be784647cfdbc22ea51ccb1a57a d:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 11:57 826368 8c13d4a7479fa0a026eda8abce82c0ed d:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 02:24 826368 ef8eba98145bfa44e80d17a3b3453300 d:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-13 19:12 666112 7a4f775abb2f1c97def3e73afa2faedd d:\windows\ServicePackFiles\i386\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 d:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 d:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
2008-10-16 15:38 826368 6741eaf7b7f110e803a6e38f6e5fa6b0 d:\windows\system32\wininet.dll
2008-10-16 15:38 826368 6741eaf7b7f110e803a6e38f6e5fa6b0 d:\windows\system32\dllcache\wininet.dll

2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 d:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 d:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 d:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e d:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 d:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:00 359040 9f4b36614a0fc234525ba224957de55c d:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 d:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 d:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 d:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 d:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d d:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d d:\windows\system32\drivers\tcpip.sys

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe d:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e d:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e d:\windows\system32\winlogon.exe

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e d:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d d:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d d:\windows\system32\drivers\ndis.sys

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 d:\windows\$NtServicePackUninstall$\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 d:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 d:\windows\system32\drivers\ip6fw.sys

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b d:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 11:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d d:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba d:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-08-14 14:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 d:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 d:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 07:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 d:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 d:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 07:55 2057600 1d659bfb788ed2ba45075624b748d249 d:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 d:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 d:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\system32\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 d:\windows\system32\dllcache\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb d:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 11:51 2182016 cef243f6defd20be4adde26c7ecacb54 d:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 d:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2008-08-14 15:11 2189184 31914172342bff330063f343ac6958fe d:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c d:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 d:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e d:\windows\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 09:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f d:\windows\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 d:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 d:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\system32\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 d:\windows\system32\dllcache\ntoskrnl.exe

2009-02-05 04:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 d:\windows\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 d:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 d:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 d:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 d:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 d:\windows\$NtServicePackUninstall$\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 d:\windows\ServicePackFiles\i386\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 d:\windows\system32\services.exe

2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 d:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 d:\windows\ServicePackFiles\i386\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 d:\windows\system32\lsass.exe

2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 d:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 d:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 d:\windows\system32\ctfmon.exe

2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 d:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f d:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 d:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b d:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b d:\windows\system32\spoolsv.exe

2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff d:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 d:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 d:\windows\system32\userinit.exe

2004-08-04 12:00 295424 b60c877d16d9c880b952fda04adf16e6 d:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f d:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f d:\windows\system32\termsrv.dll

2006-07-05 05:57 985088 0fdd84928a5dde2510761b7ec76ccec9 d:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 11:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 d:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d d:\windows\$NtServicePackUninstall$\kernel32.dll
2004-08-04 07:00 983552 888190e31455fad793312f8d087146eb d:\windows\$NtUninstallKB917422$\kernel32.dll
2006-07-05 05:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 d:\windows\$NtUninstallKB935839$\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d d:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d d:\windows\system32\kernel32.dll

2004-08-04 07:00 17408 1b5f6923abb450692e9fe0672c897aed d:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 d:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 d:\windows\system32\powrprof.dll
.
((((((((((((((((((((((((((((( snapshot@2009-02-05_ 4.11.08.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-06 15:57:55 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_7e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DrvMon.exe"="d:\windows\system32\DrvMon.exe" [2006-06-14 53248]
"SoundMan"="d:\windows\system32\SOUNDMAN.EXE" [2009-01-18 6656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="d:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="d:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Zune Launcher"="d:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"ShStatEXE"="d:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"McAfeeUpdaterUI"="d:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"bncsaui.exe"="d:\program files\Bradford Networks\Persistent Agent\bncsaui.exe" [2008-06-29 2612616]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin F5D8053 N Wireless USB Adapter Utility.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin F5D8053 N Wireless USB Adapter Utility.lnk
backup=d:\windows\pss\Belkin F5D8053 N Wireless USB Adapter Utility.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Fluffy^Start Menu^Programs^Startup^MagicDisc.lnk]
path=d:\documents and settings\Fluffy\Start Menu\Programs\Startup\MagicDisc.lnk
backup=d:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 d:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-31 14:22 50480 d:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-03 20:50 1603152 d:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-04-03 20:00 644696 d:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2005-08-31 10:06 106496 d:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcxmon.exe]
--a------ 2007-01-12 11:57 292336 d:\program files\Dell Photo AIO Printer 926\dlcxmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
--a------ 2006-11-03 17:04 304008 d:\program files\Dell Photo AIO Printer 926\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 d:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 17:35 3587120 d:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-09-26 09:49 35328 d:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVOLOSTA.exe]
-ra------ 2002-09-19 02:32 147541 d:\windows\system32\EVOLOSTA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"aawservice"=2 (0x2)
"helpsvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\AIM6\\aim6.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"d:\\WINDOWS\\system32\\dlcxcoms.exe"=
"d:\\Program Files\\Bradford Networks\\Persistent Agent\\bndaemon.exe"=
"d:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 EVOLO;Uniden Wireless LAN Driver;d:\windows\system32\DRIVERS\EVOLONDS.sys [2002-09-02 50688]
R3 JL2005;JL2005A Toy Camera; [x]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;d:\windows\system32\DRIVERS\rt2870.sys [2007-03-13 476416]
R4 dlcx_device;dlcx_device;d:\windows\system32\dlcxcoms.exe [2006-10-11 532480]
S2 BNPagent;Bradford Persistent Agent Service;d:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2008-06-29 2944392]
S2 Viewpoint Manager Service;Viewpoint Manager Service;d:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;d:\windows\system32\DRIVERS\USB200M2.sys [2005-04-21 18048]

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - BNPagent
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McAfeeFramework
*Deregistered* - mcdbus
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mfeapfk
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mferkdk
*Deregistered* - mfetdik
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - MSIServer
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - NetTcpPortSharing
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - Viewpoint Manager Service
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - Wdf01000
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
*Deregistered* - zumbus
*Deregistered* - ZuneBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Loaderw.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-04 d:\windows\Tasks\Norton Security Scan for Fluffy.job
- d:\program files\Norton Security Scan\Nss.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: aol.com\free
FF - ProfilePath - d:\documents and settings\Fluffy\Application Data\Mozilla\Firefox\Profiles\io30lf4m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: d:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: d:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 15:59:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
d:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-06 16:01:38
ComboFix-quarantined-files.txt 2009-02-06 21:01:26
ComboFix2.txt 2009-02-05 20:52:56
ComboFix3.txt 2009-02-05 09:50:09
ComboFix4.txt 2009-02-05 09:12:11

Pre-Run: 110,790,311,936 bytes free
Post-Run: 110,778,011,648 bytes free

505 --- E O F --- 2009-02-06 08:01:11

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:34 PM, on 2/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
D:\Program Files\Zune\ZuneLauncher.exe
D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
D:\Program Files\Bradford Networks\Persistent Agent\bncsaui.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\DrvMon.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
d:\WINDOWS\system32\ZuneBusEnum.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Winamp\winamp.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Zune Launcher] "d:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] D:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [SoundMan] D:\WINDOWS\system32\SOUNDMAN.EXE
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [DrvMon.exe] D:\WINDOWS\system32\DrvMon.exe (User '?')
O4 - HKUS\S-1-5-21-1229272821-602162358-839522115-1003\..\Run: [SoundMan] D:\WINDOWS\system32\SOUNDMAN.EXE (User '?')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Unknown owner - D:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5494 bytes

Blade81 · Feb 6, 2009

Ok. Almost ready there for final steps

Delete d:\windows\system32\zuvararo.dll file if found.

Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
- Every version of windows has a hosts file as part of them.
- In a very basic sense, they are used to locate webpages.
- We can customize a hosts file so that it blocks certain webpages.
- However, it can slow down certain computers.
- This is why using a hosts file is optional!!
Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

Kurt702 · Feb 7, 2009

Hello, and thank you so much for all the help! Things seem to be running much more smoothly. I am in the process of getting everything up to date as recommended. I did have a slight problem when trying to turn off the system restore though. I right clicked on My Computer, and went to properties. When I clicked on the System Restore tab, the window froze up, and it won't let me open the properties. I wasn't sure if it was wise to restart my computer, so I am waiting on further instruction to proceed.

Blade81 · Feb 7, 2009

Hi

I think it's ok to reboot at that point

Let me know how it goes after that.

Kurt702 · Feb 7, 2009

Things so be running smoothly now. Thank you so much for your time, you're a life saver.

Blade81 · Feb 7, 2009

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.

Virtumonde Removal Trouble

Kurt702

New member

Blade81

Security Expert: Emeritus

Kurt702

New member

Blade81

Security Expert: Emeritus

Kurt702

New member

Blade81

Security Expert: Emeritus

Kurt702

New member

Blade81

Security Expert: Emeritus

Kurt702

New member

Blade81

Security Expert: Emeritus

Kurt702

New member

Blade81

Security Expert: Emeritus

Kurt702

New member

Blade81

Security Expert: Emeritus