The logs you asked for
I've noticed that the forums are really busy, so I really appreciate your help. Thanks a bunch!!! First off, I have thoroughly read "Before you Post".
1) I downloaded HijackThis to my desktop.
2) I will not enable TeaTimer until/unless you tell me to.
3) I have not used ComboFix on my own. I downloaded it on the first day I posted because the "Before you Post" thread mentioned that some helpers may ask me to use it. Now I understand that it's an ever-changing tool, so I deleted the one I had and re-downloaded it from one of the links you provided. Below is the log for ComboFix, and directly after it is my HijackThis log.
ComboFix Log:
ComboFix 09-01-05.05 - shawn 2009-01-06 15:02:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.416 [GMT -5:00]
Running from: c:\documents and settings\shawn\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users.\documents\settings\desktop.ini
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\shawn\Application Data\CURITY~1
c:\documents and settings\shawn\Application Data\DOBE~1
c:\documents and settings\shawn\Application Data\Dxcknwrd.dll
c:\documents and settings\shawn\Application Data\Google\T-Scan
c:\documents and settings\shawn\Application Data\ICROSO~1
c:\documents and settings\shawn\Application Data\Install.dat
c:\documents and settings\shawn\Application Data\PPATCH~1
c:\documents and settings\shawn\Application Data\PPPATC~1
c:\documents and settings\shawn\Application Data\RACLE~1
c:\documents and settings\shawn\Application Data\SKS~1
c:\documents and settings\shawn\Application Data\SSEMBL~1
c:\documents and settings\shawn\Application Data\TSKS~1
c:\documents and settings\shawn\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common Files\{3428E~1
c:\program files\Common Files\{3428E~1\toolbardll.lzma
c:\program files\Common Files\{D428E~1
c:\program files\Common Files\{D428E~2
c:\program files\Common Files\asembl~1
c:\program files\Common Files\dobe~1
c:\program files\Common Files\ecurit~1
c:\program files\Common Files\fnts~1
c:\program files\Common Files\smbols~1
c:\program files\Common Files\sstem3~1
c:\program files\icroso~1.net
c:\program files\mcroso~1.net
c:\program files\outlook
c:\program files\ystem~1
c:\recycler\ADAPT_Installer.exe
c:\windows\asks~1
c:\windows\dobe~1
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\icroso~1
c:\windows\ppatch~1
c:\windows\racle~1
c:\windows\Readme.txt
c:\windows\system32\_003602_.tmp.dll
c:\windows\system32\_003603_.tmp.dll
c:\windows\system32\_003604_.tmp.dll
c:\windows\system32\_003605_.tmp.dll
c:\windows\system32\_003612_.tmp.dll
c:\windows\system32\_003613_.tmp.dll
c:\windows\system32\_003614_.tmp.dll
c:\windows\system32\_003616_.tmp.dll
c:\windows\system32\_003617_.tmp.dll
c:\windows\system32\_003620_.tmp.dll
c:\windows\system32\_003621_.tmp.dll
c:\windows\system32\_003623_.tmp.dll
c:\windows\system32\_003624_.tmp.dll
c:\windows\system32\_003625_.tmp.dll
c:\windows\system32\_003627_.tmp.dll
c:\windows\system32\_003630_.tmp.dll
c:\windows\system32\_003631_.tmp.dll
c:\windows\system32\_003635_.tmp.dll
c:\windows\system32\_003636_.tmp.dll
c:\windows\system32\_003638_.tmp.dll
c:\windows\system32\_003641_.tmp.dll
c:\windows\system32\_003643_.tmp.dll
c:\windows\system32\_003644_.tmp.dll
c:\windows\system32\_003645_.tmp.dll
c:\windows\system32\_003646_.tmp.dll
c:\windows\system32\_003649_.tmp.dll
c:\windows\system32\_003650_.tmp.dll
c:\windows\system32\_003651_.tmp.dll
c:\windows\system32\_003652_.tmp.dll
c:\windows\system32\_003653_.tmp.dll
c:\windows\system32\_003658_.tmp.dll
c:\windows\system32\_003660_.tmp.dll
c:\windows\system32\_003661_.tmp.dll
c:\windows\system32\_005922_.tmp.dll
c:\windows\system32\_005923_.tmp.dll
c:\windows\system32\_005924_.tmp.dll
c:\windows\system32\_005925_.tmp.dll
c:\windows\system32\_005932_.tmp.dll
c:\windows\system32\_005933_.tmp.dll
c:\windows\system32\_005934_.tmp.dll
c:\windows\system32\_005935_.tmp.dll
c:\windows\system32\_005937_.tmp.dll
c:\windows\system32\_005938_.tmp.dll
c:\windows\system32\_005941_.tmp.dll
c:\windows\system32\_005942_.tmp.dll
c:\windows\system32\_005944_.tmp.dll
c:\windows\system32\_005945_.tmp.dll
c:\windows\system32\_005946_.tmp.dll
c:\windows\system32\_005948_.tmp.dll
c:\windows\system32\_005949_.tmp.dll
c:\windows\system32\_005951_.tmp.dll
c:\windows\system32\_005952_.tmp.dll
c:\windows\system32\_005956_.tmp.dll
c:\windows\system32\_005957_.tmp.dll
c:\windows\system32\_005959_.tmp.dll
c:\windows\system32\_005962_.tmp.dll
c:\windows\system32\_005964_.tmp.dll
c:\windows\system32\_005965_.tmp.dll
c:\windows\system32\_005966_.tmp.dll
c:\windows\system32\_005967_.tmp.dll
c:\windows\system32\_005968_.tmp.dll
c:\windows\system32\_005971_.tmp.dll
c:\windows\system32\_005972_.tmp.dll
c:\windows\system32\_005973_.tmp.dll
c:\windows\system32\_005974_.tmp.dll
c:\windows\system32\_005975_.tmp.dll
c:\windows\system32\_005980_.tmp.dll
c:\windows\system32\_005982_.tmp.dll
c:\windows\system32\_005983_.tmp.dll
c:\windows\system32\_006871_.tmp.dll
c:\windows\system32\_006872_.tmp.dll
c:\windows\system32\_006873_.tmp.dll
c:\windows\system32\_006874_.tmp.dll
c:\windows\system32\_006881_.tmp.dll
c:\windows\system32\_006882_.tmp.dll
c:\windows\system32\_006883_.tmp.dll
c:\windows\system32\_006885_.tmp.dll
c:\windows\system32\_006886_.tmp.dll
c:\windows\system32\_006889_.tmp.dll
c:\windows\system32\_006890_.tmp.dll
c:\windows\system32\_006892_.tmp.dll
c:\windows\system32\_006893_.tmp.dll
c:\windows\system32\_006894_.tmp.dll
c:\windows\system32\_006896_.tmp.dll
c:\windows\system32\_006899_.tmp.dll
c:\windows\system32\_006900_.tmp.dll
c:\windows\system32\_006904_.tmp.dll
c:\windows\system32\_006905_.tmp.dll
c:\windows\system32\_006907_.tmp.dll
c:\windows\system32\_006910_.tmp.dll
c:\windows\system32\_006912_.tmp.dll
c:\windows\system32\_006913_.tmp.dll
c:\windows\system32\_006914_.tmp.dll
c:\windows\system32\_006915_.tmp.dll
c:\windows\system32\_006918_.tmp.dll
c:\windows\system32\_006919_.tmp.dll
c:\windows\system32\_006920_.tmp.dll
c:\windows\system32\_006921_.tmp.dll
c:\windows\system32\_006922_.tmp.dll
c:\windows\system32\_006927_.tmp.dll
c:\windows\system32\_006929_.tmp.dll
c:\windows\system32\_006930_.tmp.dll
c:\windows\system32\bggeqcsg.ini
c:\windows\system32\bszip.dll
c:\windows\system32\bund1
c:\windows\system32\bund1\temp.txt
c:\windows\system32\cauarnoy.dll
c:\windows\system32\cmd.com
c:\windows\system32\crosof~1
c:\windows\system32\fcncwbdh.dll
c:\windows\system32\hdbwcncf.ini
c:\windows\system32\hNVEdMoq.ini
c:\windows\system32\imas3r
c:\windows\system32\kr_done1
c:\windows\system32\mcrh.tmp
c:\windows\system32\micro1
c:\windows\system32\netstat.com
c:\windows\system32\ntlyeeft.ini
c:\windows\system32\omfcuf.dll
c:\windows\system32\owtooa.dll
c:\windows\system32\ping.com
c:\windows\system32\qoMdEVNh.dll
c:\windows\system32\racle~1
c:\windows\system32\sstem~1
c:\windows\system32\svchosts.lzma
c:\windows\system32\taskkill.com
c:\windows\system32\taskkill.exe
c:\windows\system32\tasklist.com
c:\windows\system32\tdubbpea.ini
c:\windows\system32\tfeeyltn.dll
c:\windows\system32\tracert.com
c:\windows\system32\wpqxjgdb.ini
c:\windows\SYSTEM32\wybeg.bak1
c:\windows\system32\wybeg.ini
c:\windows\system32\xjnaduak.dll
c:\windows\system32\yekbd.ini
----- BITS: Possible infected sites -----
hxxp://rad.mj+|Cv+@J:NGD_DQ{ztHG.X^"pWMTrWU Client DownloadS-1-5-18`HT4?? 6VwoQZCDHM6VwoQZCDHMXudpdpdpdptHG.XGD_DQ{zGD_DQ{ztHG.Xt%4CE#rAC_ASSETXML_1348404
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_APIMON
-------\Legacy_CLIENT_IP-IPX
-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_NETWORK_MONITOR
-------\Legacy_OREANS32
-------\Legacy_WINDOWS_LOG
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_Client IP-IPX
-------\Service_oreans32
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.
2009-01-06 14:50 . 2009-01-06 14:50 <DIR> d-------- c:\program files\Trend Micro
2008-12-30 22:23 . 2008-12-30 22:23 <DIR> d-------- C:\VundoFix Backups
2008-12-21 18:14 . 2008-12-21 18:17 <DIR> d-------- c:\documents and settings\shawn\Application Data\Fotobook Editor
2008-12-21 18:05 . 2008-12-21 18:05 <DIR> d-------- c:\documents and settings\shawn\Application Data\Zoner
2008-12-21 17:34 . 2008-12-21 18:17 <DIR> d-------- c:\program files\FrameMaster2
2008-12-21 17:04 . 2008-12-21 17:05 <DIR> d-------- c:\documents and settings\shawn\Application Data\Snapfish
2008-12-21 14:23 . 2008-12-21 14:23 <DIR> d-------- C:\MSIa0b45.tmp
2008-12-21 14:23 . 2008-12-21 14:23 <DIR> d-------- C:\MSIa0b3b.tmp
2008-12-21 14:00 . 2008-12-21 14:00 <DIR> d-------- C:\MSIa0b17.tmp
2008-12-19 20:05 . 2006-10-04 09:06 1,197,294 --------- c:\windows\SYSTEM32\DLLCACHE\sysmain.sdb
2008-12-19 20:05 . 2006-10-04 09:06 764,868 --------- c:\windows\SYSTEM32\DLLCACHE\apph_sp.sdb
2008-12-19 20:05 . 2006-10-04 09:06 217,118 --------- c:\windows\SYSTEM32\DLLCACHE\apphelp.sdb
2008-12-19 20:04 . 2008-12-19 20:04 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-12-19 19:59 . 2008-12-19 19:59 <DIR> d-------- c:\windows\SYSTEM32\LogFiles
2008-12-19 19:59 . 2008-12-19 20:02 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\UMDF
2008-12-17 17:45 . 2008-08-14 04:58 2,136,064 --a------ c:\windows\SYSTEM32\ntoskrnl.exe
2008-12-07 23:40 . 2004-02-10 12:56 <DIR> d-------- c:\documents and settings\Chelsey.STEPHANIE\Application Data\Sonic
2008-12-07 23:40 . 2004-02-10 12:59 <DIR> d-------- c:\documents and settings\Chelsey.STEPHANIE\Application Data\Jasc Software Inc
2008-12-07 23:40 . 2008-12-07 23:40 <DIR> d-------- c:\documents and settings\Chelsey.STEPHANIE
2008-12-07 16:51 . 2009-01-02 02:04 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-07 16:28 . 2009-01-06 14:54 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2008-12-07 16:28 . 2008-12-07 16:28 <DIR> d-------- c:\program files\AVG
2008-12-07 16:28 . 2008-12-07 16:28 <DIR> d-------- c:\documents and settings\shawn\Application Data\AVGTOOLBAR
2008-12-07 16:28 . 2008-12-07 16:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-07 16:28 . 2008-12-07 16:28 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2008-12-07 16:28 . 2008-12-07 16:28 76,040 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2008-12-07 16:28 . 2008-12-07 16:28 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-06 01:17 --------- d-----w c:\documents and settings\shawn\Application Data\OpenOffice.org2
2009-01-03 20:13 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-31 23:31 --------- d-----w c:\program files\Common Files\Apple
2008-12-31 20:01 --------- d-----w c:\program files\LimeWire
2008-12-27 07:31 --------- d-----w c:\documents and settings\shawn\Application Data\MSN6
2008-12-20 19:15 --------- d-----w c:\program files\Norton PC Checkup
2008-12-07 21:51 --------- d-----w c:\documents and settings\shawn\Application Data\OOZE ONE MANAGER
2008-12-04 17:10 --------- d-----w c:\documents and settings\shawn\Application Data\U3
2008-11-28 02:59 --------- d--h--w c:\documents and settings\shawn\Application Data\Move Networks
2008-11-28 02:52 --------- d-----w c:\program files\Java
2008-11-28 02:51 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 02:51 --------- d-----w c:\program files\ArcSoft
2008-11-28 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-11-28 02:42 --------- d-----w c:\program files\iWin.com
2008-11-28 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\iWin Games
2008-11-28 02:41 --------- d-----w c:\program files\DivX
2008-11-25 01:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 06:10 --------- d-----w c:\documents and settings\shawn\Application Data\Gamelab
2008-11-23 06:06 --------- d-----w c:\documents and settings\shawn\Application Data\Valusoft
2008-11-23 06:06 --------- d-----w c:\documents and settings\All Users\Application Data\Valusoft
2008-11-23 05:54 --------- d-----w c:\documents and settings\shawn\Application Data\EleFun Games
2008-11-23 04:54 --------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2008-11-22 23:02 --------- d-----w c:\documents and settings\shawn\Application Data\Home Sweet Home 2
2008-11-22 22:49 --------- d-----w c:\documents and settings\shawn\Application Data\MysteryStudio
2008-11-20 04:14 --------- d-----w c:\documents and settings\Chelsey's Ipod\Application Data\U3
2008-11-20 03:33 --------- d-----w c:\program files\A-PDF Image to PDF
2008-11-20 03:02 --------- d-----w c:\program files\Smart PDF Creator
2008-11-15 02:27 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-14 21:42 --------- d-----w c:\documents and settings\Chelsey\Application Data\LimeWire
2008-11-13 19:34 --------- d-----w c:\program files\EscapefromParadise_at
2008-11-06 20:26 44,944 ------w c:\windows\system32\drivers\pxhelp20.sys
2008-08-10 03:55 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-08-10 03:54 88 --sh--r c:\documents and settings\All Users\Application Data\BB3CBF7BC7.sys
2006-01-20 04:40 66 ----a-w c:\documents and settings\shawn\Application Data\SQSDRVRM.SYS
2007-11-09 23:00 88 --sh--r c:\windows\SYSTEM32\BB3CBF7BC7.sys
2004-10-26 00:43 56 --sh--r c:\windows\SYSTEM32\C77BBF3CBB.sys
2007-11-09 23:00 5,018 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-11 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-07 1261336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\shawn\My Documents\My Pictures\2005-06 (Jun)\chelsey_at_beach.jpg
FriendlyName=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^shawn^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\shawn\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2004-08-04 02:56 15360 c:\windows\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 13:54 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-06-21 05:40 172032 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb10.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 12:03 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
--a------ 2008-06-12 15:57 991584 c:\program files\Search Settings\SearchSettings.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-11 12:24 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-12-07 97928]
R1 MgTaki;MgTaki;c:\windows\SYSTEM32\DRIVERS\mgtaki.sys [2006-12-05 31719]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-07 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-07 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-12-07 76040]
R4 dvdmmg;dvdmmg;c:\windows\SYSTEM32\DRIVERS\dvdmmg.sys [2007-09-06 5504]
R4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\SYSTEM32\DRIVERS\cccp106.sys [2004-09-24 227200]
S4 Ca533av;USB PC Camera; [x]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{550b18be-9225-11dd-ac52-000cf19c9c44}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-06 c:\windows\Tasks\8C14AEEE98074742.job
- c:\docume~1\shawn\applic~1\oozeon~1\Remote Load Clock.exe []
2009-01-06 c:\windows\Tasks\fpkbclmk.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
2009-01-01 c:\windows\Tasks\Norton PC Checkup WeekDay Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-12-20 14:15]
2009-01-04 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-12-20 14:15]
2004-03-13 c:\windows\Tasks\WebReg 20040313094532.job
- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe [2004-05-28 21:47]
2004-04-02 c:\windows\Tasks\WebReg 20040402170659.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2004-05-28 21:47]
2005-05-02 c:\windows\Tasks\WebReg 20050501234559.job
- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe [2004-05-28 21:47]
2009-01-06 c:\windows\Tasks\xdlzmcfs.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -
BHO-{097E3736-C630-4259-BB64-93EB5A89397E} - (no file)
BHO-{9720BE37-C9F3-4105-8A36-FB1E9EAF4ABD} - (no file)
BHO-{99761E86-2EB4-429A-BBD5-78A5F21A798B} - c:\windows\system32\byXNfDWm.dll
BHO-{F24895E2-2CDC-402E-A77A-81EBFF5ED2A7} - (no file)
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKCU-Explorer_Run-{D428E353-0BB0-1033-0115-040822030001} - c:\program files\Common Files\{D428E353-0BB0-1033-0115-040822030001}\Update.exe
SharedTaskScheduler-{E3FEA57B-2FE7-478B-92B4-4CB9CAFAE4D3} - c:\windows\system32\barseek.dll
Notify-jkkHXQJD - jkkHXQJD.dll
MSConfigStartUp-Cleanup - c:\docume~1\shawn\LOCALS~1\Temp\2006524153326_mcappins.exe
MSConfigStartUp-KAZAA - c:\program files\Kazaa\kazaa.exe
MSConfigStartUp-lssas - c:\windows\System\lssas.exe
MSConfigStartUp-morerule - c:\docume~1\shawn\APPLIC~1\OOZEON~1\Dart Second.exe
MSConfigStartUp-orderShell - c:\documents and settings\shawn\orderwbyj.exe
MSConfigStartUp-Smiley District - c:\program files\SmileyDistrict\plugin.exe
MSConfigStartUp-sys0235517869-7 - c:\windows\sys0235517869-7.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Zone Labs Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
TCP: {7D323756-C583-4998-8535-84A6329AC1AE} = 192.168.0.1
c:\windows\Downloaded Program Files\stg_drm.ocx - c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Jojo's%20Fashion%20Show/Images/stg_drm.ocx
c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Burger%20Shop/Images/armhelper.ocx
FF - ProfilePath - c:\documents and settings\shawn\Application Data\Mozilla\Firefox\Profiles\nhadfhk9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\shawn\Application Data\Mozilla\Firefox\Profiles\nhadfhk9.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\shawn\Application Data\Mozilla\plugins\NpIpx32.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFxViewer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFF12.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppl3260.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nprjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nptgeqplugin.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-01-06 15:13:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1008245898-3590503604-2473583679-1007\Software\Microsoft\SystemCertificates\AddressBook*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,5a,4e,2e,ef,6c,\
85,66,86,e2,63,26,f1,3f,c8,ff,68,27,b1,a1,f2,85,17,78,1b,e2,63,26,f1,3f,c8,\
ff,68,a7,63,34,1f,2b,c2,fa,34,2e,e8,e1,00,eb,16,2b,de,ba,d2,63,f6,6c,c7,f0,\
33,5a,ab,f4,09
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,d6,84,b3,bf,30,\
aa,8a,a2,6a,9c,d6,61,af,45,84,18,4b,40,7b,43,c0,98,fa,5c,6a,9c,d6,61,af,45,\
84,18,c1,ce,4b,b2,26,72,16,a2,71,3b,04,66,8b,46,0d,96,da,0f,29,96,f6,9e,b0,\
9a,a6,de,ed,59
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,70,57,2f,65,d2,\
93,8d,19,ff,7c,85,e0,43,d4,0e,fe,f3,e2,4a,ae,e2,ef,9d,44,ff,7c,85,e0,43,d4,\
0e,fe,c5,59,00,09,99,26,83,61,25,da,ec,7e,55,20,c9,26,c4,d3,53,e6,e1,88,a3,\
8d,5a,6d,da,d8
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,44,eb,cd,52,e1,\
3e,03,71,86,8c,21,01,be,91,eb,e7,e8,19,ea,55,bf,e8,d9,08,86,8c,21,01,be,91,\
eb,e7,b0,cf,6d,a5,b5,9b,73,78,3e,1e,9e,e0,57,5a,93,61,3b,5a,ba,01,13,3f,de,\
fc,c6,d7,04,df
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,41,8f,ac,64,66,\
60,46,3f,f5,1d,4d,73,a8,13,5c,05,8f,6c,28,d7,6e,b0,44,33,f5,1d,4d,73,a8,13,\
5c,05,da,b3,1e,5f,f7,ad,ee,3b,cd,44,cd,b9,a6,33,6c,cd,29,0a,ae,21,85,08,5b,\
8c,10,b4,c5,b5
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,e5,3a,f3,48,f1,\
e7,7b,76,df,20,58,62,78,6b,cf,c8,ce,a7,34,2f,f7,be,34,5d,df,20,58,62,78,6b,\
cf,c8,40,5a,44,df,11,88,48,75,b0,18,ed,a7,3f,8d,37,a4,e2,85,61,35,3d,21,dc,\
ce,d0,d3,d5,c7
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,a8,7c,36,fb,49,\
fb,4c,86,fb,a7,78,e6,12,2f,9a,ea,f5,95,a6,61,93,ac,a8,3a,fb,a7,78,e6,12,2f,\
9a,ea,d9,d0,3f,26,63,c1,2a,76,fb,a7,78,e6,12,2f,9a,ea,80,44,65,88,ed,e3,18,\
7b,cd,99,8a,a7
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,26,8b,6f,e3,f5,\
82,81,a9,01,3a,48,fc,e8,04,4a,f1,6b,65,8d,b4,3f,21,9b,3c,01,3a,48,fc,e8,04,\
4a,f1,04,97,b2,1c,92,90,ee,00,01,3a,48,fc,e8,04,4a,f1,4b,7d,7f,ff,c6,9c,f4,\
ec,3d,8f,31,e4
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,fc,4d,ee,19,0e,\
74,81,90,f6,0f,4e,58,98,5b,89,c9,c5,cb,96,00,cc,0e,35,9f,f6,0f,4e,58,98,5b,\
89,c9,6e,a7,13,f0,d2,36,67,28,51,fa,6e,91,28,9e,14,cc,86,3a,d4,e9,d0,21,b5,\
a9,17,df,39,a6
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,51,5a,b4,4c,7f,\
39,ae,3b,3d,ce,ea,26,2d,45,aa,78,fe,4e,f2,3a,ef,d8,1e,00,3d,ce,ea,26,2d,45,\
aa,78,c5,90,87,88,e6,c7,12,17,b1,cd,45,5a,a8,c4,f8,b9,2a,3d,36,1b,d3,2f,ab,\
cc,fa,fa,5e,14
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,48,fb,75,ca,34,\
7b,ab,b3,2a,b7,cc,b5,b9,7f,41,e7,c0,dd,8c,d1,bc,f6,b6,88,2a,b7,cc,b5,b9,7f,\
41,e7,29,b5,93,88,65,fb,20,5d,2a,b7,cc,b5,b9,7f,41,e7,bc,18,c8,52,97,5d,0f,\
d2,f7,fc,96,7f
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,39,2c,ce,49,a2,\
ab,8a,16,6c,43,2d,1e,aa,22,2f,9c,2e,17,fb,de,5a,ae,2e,81,6c,43,2d,1e,aa,22,\
2f,9c,d6,c1,37,86,1c,96,31,88,fa,ea,66,7f,d4,3b,6b,70,31,85,c2,cb,3a,6f,1e,\
94,91,ea,b9,50
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\J*NULL*o*NULL*j*NULL*o*NULL*'*NULL*s*NULL* *NULL*F*NULL*a*NULL*s*NULL*h*NULL*i*NULL*o*NULL*n*NULL* *NULL*S*NULL*h*NULL*o*NULL*w*NULL*"!]
"Changed"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\DRIVERS\CDAC11BA.EXE
c:\windows\SYSTEM32\HPZipm12.exe
c:\windows\SYSTEM32\PSIService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-06 15:23:28 - machine was rebooted [shawn]
ComboFix-quarantined-files.txt 2009-01-06 20:23:11
Pre-Run: 17,701,806,080 bytes free
Post-Run: 17,901,211,648 bytes free
577 --- E O F --- 2009-01-06 04:52:17
Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:49 AM, on 1/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Jojo's%20Fashion%20Show/Images/stg_drm.ocx
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Burger%20Shop/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D323756-C583-4998-8535-84A6329AC1AE}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\shawn\My Documents\My Pictures\2005-06 (Jun)\chelsey_at_beach.jpg
--
End of file - 5907 bytes
4) Below is the uninstall list. I'm sorry, I didn't delete anything out. I see plenty of Hotfix and Microsoft stuff on the list, but I'm wary of deleting anything, for fear of making a mistake. Sorry. :red:
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe Stock Photos 1.0
A-PDF Image to PDF 1.0
ArcSoft VideoImpression 2
AVG Free 8.0
Barbie(R) Digital Makeover(TM)
CCleaner (remove only)
Cda Product Service - shared component
CIF USB Camera (2110A)
Conexant D850 56K V.9x DFVc Modem
Conexant SmartHSFi V.9x 56K DF PCI Modem
Dell Digital Jukebox Driver
Dell Solution Center
Dell Support
DellSupport
DVD Photo Slideshow 3.00
DVDSentry
DVDXCopy Xpress 3.2.1
Escape from Paradise Free Trial
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
FUJIFILM USB Driver
GdiplusUpgrade
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)
GDR 3068 for SQL Server Tools and Workstation Components 2005 ENU (KB948109)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Image Zone 4.2
HP Photo and Imaging 2.0 - Photosmart Printer Series
HP Photosmart Essential 2.01
HP PSC & OfficeJet 4.2
HP Software Update
HP Update
InfraRecorder
Intel(R) PRO Network Adapters and Drivers
Internet Explorer Default Page
iTunes
J2SE Runtime Environment 5.0 Update 11
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Modem Helper
Mozilla Firefox (3.0.5)
Musicmatch® Jukebox
Netscape Browser (remove only)
NetWaiting
Norton PC Checkup
Notifier
OfotoXMI
OpenOffice.org 2.3
OTtBP
OTtBPSDK
overland
Perfect Scrapbook Maker
Pinnacle Hollywood FX 5
Pinnacle PCI Performance Enhancer
QuickTime
ReaConverter Pro 3.4
RealPlayer
Revo Uninstaller 1.75
Search Settings 1.2
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SFR
SHASTA
SKIN0001
SKINXSDK
Smart PDF Creator 4.2.3.162
SmartDraw 7 Trial Edition
Sonic DLA
Sonic RecordNow!
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
staticcr
Studio 9
Studio Content DVD
The Sims Livin' Large
TwistedBrush
Ulead PhotoImpact 12
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
USB Driver Vers. 3.2
VPRINTOL
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888240
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 3
WIRELESS
Yahoo! Address AutoComplete
Yahoo! Messenger