Virtumonde

A

Atmashine

New member
Spybot found Virtumonde. I tried removing it with Spybot a few times and came here. Here's the HJT log. It's my bedtime now so I'll be back in 8 or so hours. :-)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:39 AM, on 11/26/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {460aa492-2468-4d2d-a0a5-b2624aeba749} - C:\Windows\system32\kiporiju.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pujojimefo] Rundll32.exe "C:\Windows\system32\susujewe.dll",s
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [pujojimefo] Rundll32.exe "C:\Windows\system32\susujewe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\Windows\system32\kitiyija.dll c:\windows\system32\juropawo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\juropawo.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5538 bytes
 
Hi Atmashine

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Post:

- mbam log
- rsit logs (taken after mbam run)
 
Sorry, I played with this using Combofix while waiting. I dunno if the thing's removed completely or not so here's the new HJT log along with the things you requested. Malwarebytes didn't find anything to remove using full scan so I was never prompted to check anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:03 PM, on 11/29/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\Windows\system32\kitiyija.dll c:\windows\system32\juropawo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4443 bytes




--------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.30
Database version: 1437
Windows 6.0.6001 Service Pack 1

11/29/2008 11:56:23 PM
mbam-log-2008-11-29 (23-56-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160692
Time elapsed: 1 hour(s), 56 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
ComboFix is a tool which you should never use unsupervised. It is a very powerful tool.

But as you have done it anyway, please post next contents of c:\ComboFix.txt here.
 
ComboFix 08-11-27.01 - MySweetBunny 2008-11-27 6:58:37.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1375 [GMT -6:00]
Running from: c:\users\MySweetBunny\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mayabazo.dll
c:\windows\system32\olikubek.ini
c:\windows\system32\ozabayam.ini
c:\windows\system32\ridadane.dll
.
---- Previous Run -------
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\kebukilo.dll
c:\windows\system32\kitiyija.dll
c:\windows\system32\mayabazo.dll
c:\windows\system32\olikubek.ini
c:\windows\system32\ozabayam.ini
c:\windows\system32\ridadane.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-26 08:26 . 2008-11-26 08:26 <DIR> d-------- c:\program files\Trend Micro
2008-11-24 23:57 . 2008-11-26 13:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-17 14:05 . 2008-10-16 15:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-17 14:05 . 2008-10-16 14:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-17 14:05 . 2008-10-16 15:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-17 14:05 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-17 14:05 . 2008-10-16 14:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-17 14:05 . 2008-10-16 15:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-17 14:05 . 2008-10-16 15:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-17 14:05 . 2008-10-16 15:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-17 14:05 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-13 19:52 . 2008-11-13 19:52 192 --a------ c:\windows\cdplayer.ini
2008-11-13 07:28 . 2008-11-27 07:03 32,536 --a------ c:\users\All Users\nvModes.dat
2008-11-13 07:28 . 2008-11-27 07:03 32,536 --a------ c:\programdata\nvModes.dat
2008-11-11 15:24 . 2008-09-09 21:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-11 15:24 . 2008-09-04 23:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-11 15:24 . 2008-08-26 19:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-06 19:51 . 2008-11-06 19:51 <DIR> d-------- C:\PFiles
2008-11-03 01:02 . 2008-11-27 06:44 <DIR> d-------- c:\windows\System32\drivers\Avg
2008-11-03 01:02 . 2008-11-03 01:02 97,928 --a------ c:\windows\System32\drivers\avgldx86.sys
2008-11-03 01:02 . 2008-11-03 01:02 69,128 --a------ c:\windows\System32\drivers\avgwfpx.sys
2008-11-03 01:02 . 2008-11-03 01:02 10,520 --a------ c:\windows\System32\avgrsstx.dll
2008-11-03 01:01 . 2008-11-03 01:01 <DIR> d-------- c:\program files\AVG
2008-10-28 16:36 . 2008-10-28 16:36 823,296 --a------ c:\windows\System32\divx_xx0c.dll
2008-10-28 16:36 . 2008-10-28 16:36 823,296 --a------ c:\windows\System32\divx_xx07.dll
2008-10-28 16:35 . 2008-10-28 16:35 815,104 --a------ c:\windows\System32\divx_xx0a.dll
2008-10-28 16:35 . 2008-10-28 16:35 802,816 --a------ c:\windows\System32\divx_xx11.dll
2008-10-28 16:35 . 2008-10-28 16:35 729,088 --a------ c:\windows\System32\divxdec.ax
2008-10-28 16:35 . 2008-10-28 16:35 684,032 --a------ c:\windows\System32\DivX.dll
2008-10-28 15:30 . 2008-08-11 21:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-28 15:30 . 2008-09-17 22:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-28 15:30 . 2008-09-17 22:56 125,952 --a------ c:\windows\System32\wersvc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 02:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-19 14:16 --------- d-----w c:\users\MySweetBunny\AppData\Roaming\SPORE
2008-11-16 12:34 --------- d-----w c:\programdata\NVIDIA
2008-11-15 14:43 --------- d-----w c:\program files\DivX
2008-11-15 12:30 --------- d-----w c:\program files\Rhapsody
2008-11-13 13:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 13:30 --------- d-----w c:\program files\AGEIA Technologies
2008-11-11 23:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 07:01 --------- d-----w c:\programdata\avg8
2008-11-03 03:31 --------- d-----w c:\program files\CONEXANT
2008-11-03 03:28 --------- d-----w c:\programdata\Ulead Systems
2008-11-03 03:28 --------- d-----w c:\program files\InterVideo
2008-11-03 03:28 --------- d-----w c:\program files\Common Files\Ulead Systems
2008-11-03 03:19 --------- d-----w c:\program files\Toshiba
2008-11-03 03:15 --------- d-----w c:\program files\Windows Live
2008-11-03 00:49 --------- d-----w c:\program files\Microsoft Works
2008-11-03 00:42 --------- d-----w c:\program files\Common Files\logishrd
2008-11-03 00:41 --------- d-----w c:\programdata\Logishrd
2008-11-03 00:34 --------- d-----w c:\programdata\Microsoft Help
2008-10-22 18:42 7,610,144 ----a-w c:\windows\system32\drivers\nvlddmkm.sys
2008-10-22 18:42 4,160 ----a-w c:\windows\system32\drivers\nvBridge.kmd
2008-10-21 13:01 --------- d-----w c:\programdata\SecTaskMan
2008-10-20 22:00 57,688 ----a-w c:\users\MySweetBunny\AppData\Roaming\nvModes.dat
2008-10-20 12:43 --------- d-----w c:\program files\Microsoft Games
2008-10-19 21:49 --------- d-----w c:\program files\Eusing Free Registry Cleaner
2008-10-19 21:20 --------- d-----w c:\users\MySweetBunny\AppData\Roaming\Uniblue
2008-10-16 08:10 --------- d-----w c:\program files\Windows Mail
2008-10-13 16:35 --------- d-----w c:\program files\CycloDSEvolution Tools
2008-10-12 11:26 --------- d-----w c:\program files\RogueSynapse
2008-10-10 01:38 --------- d-----w c:\program files\Yahoo!
2008-06-18 19:15 174 --sha-w c:\program files\desktop.ini
2007-05-12 23:20 262,144 ----a-w c:\programdata\ntuser.dat
2008-08-26 20:49 2,713 --sh--w c:\windows\System32\barijatu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 18:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 18:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-22 13675040]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-22 92704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 17:50 90112 c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll c:\windows\system32\kitiyija.dll c:\windows\system32\juropawo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ymetray.lnk]
backup=c:\windows\pss\ymetray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2006-12-15 17:59 530552 c:\program files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
--a------ 2006-12-07 18:49 55416 c:\program files\Toshiba\TBS\HSON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PINGER]
--a------ 2006-07-20 14:45 151552 c:\toshiba\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2006-12-11 19:45 448632 c:\program files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
--a------ 2006-12-20 01:16 411768 c:\program files\Toshiba\Power Saver\TPwrMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 01:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-522854213-1344089828-1915909241-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{24433AC1-4A33-4813-95CD-5E93ACE2457C}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{4C376BCA-BDCF-46A9-AA0E-D5FEAFFC6A3B}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{06B53753-3FEE-44AD-A1DF-9A77DCDC9FBE}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{834D088C-B39E-4191-8CEB-5B9AEEDD716A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9B3BAC9F-1CEA-43C4-97A8-9EE86F9F5D7F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{215A4379-103F-4718-A62C-CC24EC976F94}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{1094E7CB-7547-44F0-8321-2AB93BBAF4E0}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{EDDE538C-CB7E-46BD-B2A2-3F104892FDD0}"= UDP:c:\program files\Warcraft III\Warcraft III.exe:Warcraft III
"{BBB64935-7997-4206-941A-3FB63D6C2F0D}"= TCP:c:\program files\Warcraft III\Warcraft III.exe:Warcraft III
"{51497833-D061-4DE5-8F5D-CFE72B7481B8}"= UDP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{41E3449C-5415-4CDB-8CF8-46E72AF4CD73}"= TCP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{385D3138-883D-46A1-870D-062310DE70E4}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BD5FD5A2-CE32-4F5B-A820-0CA9A2428E74}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{D45DCB1E-954A-4E05-91E1-54466C89027D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CB203017-6857-4924-A4CF-1936BBEDA04F}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{1044FF6C-0566-4364-9EAD-B4FE5AD1C0B1}"= UDP:c:\users\Public\World of Warcraft\WoW-2.2.0.7272-to-2.2.2.7318-enUS-downloader.exe:Blizzard Downloader
"{8AFDEBFF-72F0-449E-AC43-9F71357B5CA4}"= TCP:c:\users\Public\World of Warcraft\WoW-2.2.0.7272-to-2.2.2.7318-enUS-downloader.exe:Blizzard Downloader
"TCP Query User{09A750E8-0CD5-4BCD-B46F-AB70D3243FF9}c:\\program files\\microsoft games\\dungeon siege\\dungeonsiege.exe"= UDP:c:\program files\microsoft games\dungeon siege\dungeonsiege.exe:Dungeon Siege Game Executable
"UDP Query User{22C50DBA-6BCD-4B2F-9BD3-A1D138C25B84}c:\\program files\\microsoft games\\dungeon siege\\dungeonsiege.exe"= TCP:c:\program files\microsoft games\dungeon siege\dungeonsiege.exe:Dungeon Siege Game Executable
"{D66E58B8-D0AB-4A81-836F-371959BA4E36}"= UDP:c:\users\Public\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{2F0D43A7-2BCE-4BB0-9548-A9A89D75628B}"= TCP:c:\users\Public\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{BA80ABFE-C0C5-4998-AE8D-5B37198C6616}"= UDP:3724:Blizzard Downloader: 3724
"{5C847171-3D8E-498C-8C30-6F9466B35312}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{915DA043-1705-4430-8206-DAF14654519A}"= UDP:c:\program files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{023115A5-35E0-4717-BF80-8295669B4BB6}"= TCP:c:\program files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{CEDB1986-6431-4F1E-BCDE-6B4B689E75C2}"= UDP:c:\program files\Diablo II\Diablo II.exe:Diablo II - Lord of Destruction
"{EC48C02A-0DFA-4340-9EDA-992B5F1415F7}"= TCP:c:\program files\Diablo II\Diablo II.exe:Diablo II - Lord of Destruction
"{FEEA2694-E6A8-4982-ACF8-FF5DB3919AB9}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{2A8E0A2D-3112-4090-95E6-3AF552173AE8}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{DB2C6395-07E1-414E-BA32-B05996098362}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"{BC051E9C-7A05-435E-ACE4-3E0E771A3235}"= UDP:c:\program files\Diablo II\Diablo II.exe:Diablo II - Lord of Destruction
"{909E6A5E-2403-4963-9E2D-DB1E2FBD87ED}"= TCP:c:\program files\Diablo II\Diablo II.exe:Diablo II - Lord of Destruction
"{10DF9718-7B7B-4AB0-9D18-18C34F5C73B0}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{0C6A328F-13CF-42FF-81A5-04F20F00EF64}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{C70EB7AE-2E3F-4B54-A95F-BB9B4CA23C84}c:\\users\\mysweetbunny\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= UDP:c:\users\mysweetbunny\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe:octoshape.exe
"UDP Query User{C3CFD078-12AC-4403-95BC-256F04F294C4}c:\\users\\mysweetbunny\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= TCP:c:\users\mysweetbunny\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe:octoshape.exe
"{DB332564-5F30-4D05-BA24-D8BA2B8FCA9A}"= UDP:c:\windows\explorer.exe:Explorer
"{1D025813-91A0-4D30-AE13-617F26972088}"= TCP:c:\windows\explorer.exe:Explorer
"{79750498-5B32-4498-AA3A-4C682458E5AA}"= UDP:c:\windows\explorer.exe:Explorer
"{964FD7A6-D8D8-41D1-AF89-9906319B235A}"= TCP:c:\windows\explorer.exe:Explorer
"{87E3F3FF-BA4E-496C-9259-84E20CCAE35F}"= UDP:c:\windows\System32\dwm.exe:Dwm
"{FE32EF8A-6BAF-427D-927A-590B4EB5EDA1}"= TCP:c:\windows\System32\dwm.exe:Dwm
"{9BF926F0-91FE-453A-A4DF-C112D31A8291}"= UDP:c:\windows\System32\LogonUI.exe:LogonUI
"{8E58035B-4F38-4156-8755-2FECBA39C564}"= TCP:c:\windows\System32\LogonUI.exe:LogonUI
"{41CFC8FF-9348-4673-8A33-BE8F453C2AF3}"= UDP:c:\windows\System32\wininit.exe:wininit
"{2ED6E9CE-7FED-4E19-81EA-1C78EF86A230}"= TCP:c:\windows\System32\wininit.exe:wininit
"{9A009F5E-75D5-46C8-BCCA-B9DB5B757401}"= UDP:c:\windows\System32\wininit.exe:wininit
"{C98C61CE-1B81-4DFA-8D97-94FA9A99B58E}"= TCP:c:\windows\System32\wininit.exe:wininit
"{50386947-031D-4406-9DEB-E056E944A695}"= UDP:c:\program files\AVG\AVG8\avgrsx.exe:avgrsx
"{E07582D9-9E52-4F58-B48B-778E684E7281}"= TCP:c:\program files\AVG\AVG8\avgrsx.exe:avgrsx

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-03 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-03 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-03 231704]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\Drivers\avgwfpx.sys [2008-11-03 69128]
R3 BoiHwsetup;Access 32bits INT15 routine;c:\windows\system32\drivers\BoiHwSetup.sys [2006-10-12 7680]
R3 qkbfiltr;Keyboard Filter Driver;c:\windows\system32\DRIVERS\qkbfiltr.sys [2006-11-20 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2008-11-27 c:\windows\Tasks\User_Feed_Synchronization-{CBFF64F7-E5DB-4768-BE6B-B5411FE092C3}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 01:33]
.
- - - - ORPHANS REMOVED - - - -

BHO-{460aa492-2468-4d2d-a0a5-b2624aeba749} - c:\windows\system32\kiporiju.dll
HKLM-Run-pujojimefo - c:\windows\system32\susujewe.dll
MSConfigStartUp-nwiz - nwiz.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 07:03:05
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'Explorer.exe'(3540)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Protector Suite QL\upeksvr.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\System32\rundll32.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\windows\System32\drivers\XAudio.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2008-11-27 7:08:46 - machine was rebooted [MySweetBunny]
ComboFix-quarantined-files.txt 2008-11-27 13:08:15

Pre-Run: 86,980,845,568 bytes free
Post-Run: 86,949,945,344 bytes free

268 --- E O F --- 2008-11-12 09:02:47
 
rsit info:

info.txt logfile of random's system information tool 1.04 2008-11-30 10:55:03

======Uninstall list======

-->MsiExec /X{AC54E544-3E42-443C-A91D-A00A6974C592}
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CD/DVD Drive Acoustic Silencer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\setup.exe" -l0x9
Conexant HD Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe -U -IBD1VHDza.INF
Diablo II-->C:\Windows\DIIUnin.exe C:\Windows\DIIUnin.dat
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DOOM 3: Resurrection of Evil-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{04347DFD-87B6-4E30-B14D-5DF2888AD8F5} /l1033
Doom 3-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{584267B8-0BB0-4D18-9FFA-726576619E9A} /l1033 /x
Doomsday Engine 1.9.0-beta5-->"C:\Program Files\Doomsday\unins000.exe"
Dungeon Siege-->"C:\Program Files\Microsoft Games\Dungeon Siege\UNINSTAL.EXE" /runtemp /addremove
EA Download Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{EF7E931D-DC84-471B-8DB6-A83358095474} /l1033
HijackThis 2.0.2-->"C:\Users\MySweetBunny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EPTUHTEP\HijackThis.exe" /uninstall
IncGamers Client-->C:\Program Files\IncGamers Client\uninst.exe
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
NVIDIA PhysX v8.10.13-->MsiExec.exe /X{AC54E544-3E42-443C-A91D-A00A6974C592}
Oblivion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
Rhapsody Player Engine-->MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Rhapsody-->C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SimCity 4-->C:\Program Files\Maxis\SimCity 4\EAUninstall.exe
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_5045&SUBSYS_1179FF31\HXFSETUP.EXE -U -IBD1Vmz.inf
SPORE™-->"C:\Program Files\InstallShield Installation Information\{9DF0196F-B6B8-4C3A-8790-DE42AA530101}\setup.exe" -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy 1.5.2.20-->"C:\Windows\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Star Wars®: Knights of the Old Republic (TM)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}\setup.exe" -l0x9
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers.-->C:\Program Files\InstallShield Installation Information\{F7B05784-334C-4F76-8BAB-30ABEB7FD534}\setup.exe -runfromtemp -l0x0409
The Last Starfighter-->C:\Program Files\InstallShield Installation Information\{C892C691-99DC-4B49-BEAA-65B96BB3460D}\setup.exe -runfromtemp -l0x0409
The Sims 2 Family Fun Stuff-->C:\Program Files\EA GAMES\The Sims 2 Family Fun Stuff\EAUninstall.exe
The Sims 2 Nightlife-->C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
The Sims 2 Open For Business-->C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
The Sims 2 Pets-->C:\Program Files\EA GAMES\The Sims 2 Pets\EAUninstall.exe
The Sims 2 University-->C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims 2-->C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims™ Castaway Stories-->C:\Program Files\Electronic Arts\The Sims Castaway Stories\EAUninstall.exe
TOSHIBA Assist-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe" -l0x9
TOSHIBA ConfigFree-->C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe -runfromtemp -l0x0009uninstall -removeonly
TOSHIBA Disc Creator-->MsiExec.exe /I{5DA0E02F-970B-424B-BF41-513A5018E4C0}
TOSHIBA Extended Tiles for Windows Mobility Center-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{617C36FD-0CBE-4600-84B2-441CEB12FADF} /l1033
TOSHIBA Game Console-->"C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\Uninstall.exe"
TOSHIBA Media Center Game Console-->"C:\Program Files\TOSHIBA Games\TOSHIBA Media Center Game Console\Uninstall.exe"
Toshiba Registration-->MsiExec.exe /I{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}
TOSHIBA SD Memory Utilities-->MsiExec.exe /X{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}
TOSHIBA Software Upgrades-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.exe" -l0x9 -removeonly
TOSHIBA Supervisor Password-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{BE998F99-4CEB-4E64-B717-493A2E9797F4} /l1033
TOSHIBA Value Added Package-->C:\Program Files\InstallShield Installation Information\{FEDD27A0-B306-45EF-BF58-B527406B42C8}\setup.exe -runfromtemp -l0x0409
TOSHIBA Volume Indicator-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{98708E86-46E1-479D-B897-9802E591E762} /l1033
Ultimate Extras sounds from Microsoft® Tinker™-->RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound2.inf,Uninstall
Unofficial Oblivion Patch v2.2.0-->"C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Oblivion Patch\unins000.exe"
Unreal-->C:\Windows\IsUninst.exe -fC:\Unreal\System\Uninst.isu
VDMSound-->C:\Program Files\VDMSound\uninst.exe
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Warcraft III-->C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
Wheel of Time-->C:\WheelOfTime\System\Setup.exe uninstall "Wheel of Time"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Sound Schemes-->RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall
WinDVD for TOSHIBA-->C:\Program Files\InstallShield Installation Information\{20471B27-D702-4FE8-8DEC-0702CC8C0A85}\setup.exe -runfromtemp -l0x0409
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: AVG Anti-Virus Free
AS: AVG Anti-Virus Free (disabled)
AS: Windows Defender

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\VDMSound
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"VDMSPath"=C:\Program Files\VDMSound

-----------------EOF-----------------
--------------------------------------------------------------------------


rsit log:

Logfile of random's system information tool 1.04 (written by random/random)
Run by MySweetBunny at 2008-11-30 10:54:47
Microsoft® Windows Vista™ Ultimate Service Pack 1
System drive C: has 77 GB (41%) free of 189 GB
Total RAM: 2045 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:01 AM, on 11/30/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\MySweetBunny\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\MySweetBunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {460aa492-2468-4d2d-a0a5-b2624aeba749} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\Windows\system32\kitiyija.dll c:\windows\system32\juropawo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4886 bytes

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{CBFF64F7-E5DB-4768-BE6B-B5411FE092C3}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-11-03 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{460aa492-2468-4d2d-a0a5-b2624aeba749}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-01-04 501384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-11-03 2055960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-11-03 2055960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-27 1261336]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-10-22 13675040]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-10-22 92704]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2008-10-22 399504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe [2008-07-21 2752512]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [2006-12-15 530552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
C:\Program Files\TOSHIBA\TBS\HSON.exe [2006-12-07 55416]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PINGER]
C:\TOSHIBA\IVP\ISM\pinger.exe [2006-07-20 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\Toshiba\SmoothView\SmoothView.exe [2006-12-11 448632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [2006-12-20 411768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ymetray.lnk]
[]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll C:\Windows\system32\kitiyija.dll c:\windows\system32\juropawo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
C:\Windows\system32\psqlpwd.dll [2006-12-03 90112]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableCAD"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\TOSHIBA\ivp\NetInt\Netint.exe"="C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\TOSHIBA\Ivp\ISM\pinger.exe"="C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-11-30 10:54:47 ----D---- C:\rsit
2008-11-29 21:56:56 ----D---- C:\Users\MySweetBunny\AppData\Roaming\Malwarebytes
2008-11-29 21:56:52 ----D---- C:\ProgramData\Malwarebytes
2008-11-29 21:56:52 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-27 07:10:19 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2008-11-27 07:10:16 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2008-11-27 07:10:16 ----A---- C:\Windows\system32\WindowsCodecs.dll
2008-11-27 07:10:16 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2008-11-27 07:10:12 ----A---- C:\Windows\system32\connect.dll
2008-11-27 07:08:50 ----D---- C:\Windows\temp
2008-11-27 07:08:47 ----A---- C:\ComboFix.txt
2008-11-27 06:20:13 ----A---- C:\Windows\zip.exe
2008-11-27 06:20:13 ----A---- C:\Windows\VFIND.exe
2008-11-27 06:20:13 ----A---- C:\Windows\SWXCACLS.exe
2008-11-27 06:20:13 ----A---- C:\Windows\SWSC.exe
2008-11-27 06:20:13 ----A---- C:\Windows\SWREG.exe
2008-11-27 06:20:13 ----A---- C:\Windows\sed.exe
2008-11-27 06:20:13 ----A---- C:\Windows\NIRCMD.exe
2008-11-27 06:20:13 ----A---- C:\Windows\grep.exe
2008-11-27 06:20:13 ----A---- C:\Windows\fdsv.exe
2008-11-27 06:20:08 ----D---- C:\Windows\ERDNT
2008-11-27 06:20:08 ----D---- C:\Qoobox
2008-11-26 08:26:19 ----D---- C:\Program Files\Trend Micro
2008-11-24 23:57:15 ----HD---- C:\$AVG8.VAULT$
2008-11-17 14:05:58 ----A---- C:\Windows\system32\wups2.dll
2008-11-17 14:05:58 ----A---- C:\Windows\system32\wucltux.dll
2008-11-17 14:05:58 ----A---- C:\Windows\system32\wuaueng.dll
2008-11-17 14:05:58 ----A---- C:\Windows\system32\wuauclt.exe
2008-11-17 14:05:37 ----A---- C:\Windows\system32\wups.dll
2008-11-17 14:05:37 ----A---- C:\Windows\system32\wudriver.dll
2008-11-17 14:05:37 ----A---- C:\Windows\system32\wuapi.dll
2008-11-17 14:05:27 ----A---- C:\Windows\system32\wuwebv.dll
2008-11-17 14:05:27 ----A---- C:\Windows\system32\wuapp.exe
2008-11-13 19:52:57 ----A---- C:\Windows\cdplayer.ini
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvwssr.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvwss.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvwgf2um.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvvitvsr.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvvitvs.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvsvsr.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvsvs.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvsvcr.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvsvc.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvoglv32.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvmoblsr.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvmobls.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvmctray.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvmccssr.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvmccss.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvmccsrs.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvmccs.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvgamesr.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvgames.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvdispsr.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvdisps.dll
2008-11-13 07:12:49 ----A---- C:\Windows\system32\nvd3dum.dll
2008-11-13 07:12:48 ----A---- C:\Windows\system32\nvvsvc.exe
2008-11-13 07:12:48 ----A---- C:\Windows\system32\nvudisp.exe
2008-11-13 07:12:48 ----A---- C:\Windows\system32\nvcuda.dll
2008-11-13 07:12:48 ----A---- C:\Windows\system32\nvcpl.dll
2008-11-13 07:12:48 ----A---- C:\Windows\system32\nvcod135.dll
2008-11-13 07:12:48 ----A---- C:\Windows\system32\nvcod.dll
2008-11-13 07:12:48 ----A---- C:\Windows\system32\nvapi.dll
2008-11-13 07:12:48 ----A---- C:\Windows\system32\dpinst.exe
2008-11-11 15:24:14 ----A---- C:\Windows\system32\msxml3.dll
2008-11-11 15:24:12 ----A---- C:\Windows\system32\msxml6.dll
2008-11-06 19:51:55 ----D---- C:\PFiles
2008-11-03 01:02:18 ----A---- C:\Windows\system32\avgrsstx.dll
2008-11-03 01:01:44 ----D---- C:\Program Files\AVG

======List of files/folders modified in the last 1 months======

2008-11-30 10:55:00 ----D---- C:\Windows\Prefetch
2008-11-30 09:58:40 ----D---- C:\Program Files\Eusing Free Registry Cleaner
2008-11-30 09:04:01 ----D---- C:\Unreal
2008-11-30 06:37:32 ----D---- C:\Windows\inf
2008-11-30 06:37:32 ----AD---- C:\Windows\System32
2008-11-30 06:37:32 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-11-29 21:56:55 ----D---- C:\Windows\system32\drivers
2008-11-29 21:56:52 ----RD---- C:\Program Files
2008-11-29 21:56:52 ----HD---- C:\ProgramData
2008-11-29 21:06:30 ----SHD---- C:\System Volume Information
2008-11-28 03:00:51 ----D---- C:\Windows\winsxs
2008-11-27 08:39:40 ----D---- C:\Windows\Tasks
2008-11-27 08:39:40 ----D---- C:\Windows\system32\spool
2008-11-27 08:39:37 ----D---- C:\Windows\system32\wbem
2008-11-27 08:39:37 ----D---- C:\Windows\registration
2008-11-27 07:10:07 ----D---- C:\Windows\system32\catroot
2008-11-27 07:09:40 ----D---- C:\Windows\system32\catroot2
2008-11-27 07:08:52 ----D---- C:\Windows\system32\en-US
2008-11-27 07:08:50 ----D---- C:\Windows
2008-11-27 07:03:11 ----A---- C:\Windows\system.ini
2008-11-27 07:01:33 ----D---- C:\Windows\system32\config
2008-11-27 06:59:51 ----D---- C:\Windows\AppPatch
2008-11-27 06:59:51 ----D---- C:\Program Files\Common Files
2008-11-27 06:41:06 ----D---- C:\Windows\Minidump
2008-11-25 23:42:45 ----A---- C:\Windows\wininit.ini
2008-11-22 21:05:05 ----D---- C:\Windows\rescache
2008-11-22 20:37:20 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-22 08:03:04 ----D---- C:\CycloDS
2008-11-19 08:16:03 ----D---- C:\Users\MySweetBunny\AppData\Roaming\SPORE
2008-11-16 06:34:08 ----D---- C:\ProgramData\NVIDIA
2008-11-16 04:21:56 ----SD---- C:\Windows\Downloaded Program Files
2008-11-16 04:16:46 ----SHD---- C:\Windows\Installer
2008-11-15 08:43:46 ----D---- C:\Program Files\DivX
2008-11-15 06:30:04 ----D---- C:\Program Files\Rhapsody
2008-11-13 07:30:07 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-13 07:30:07 ----D---- C:\Program Files\AGEIA Technologies
2008-11-13 07:12:20 ----D---- C:\NVIDIA
2008-11-11 17:00:48 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-03 01:01:44 ----D---- C:\ProgramData\avg8
2008-11-03 00:59:40 ----D---- C:\Program Files\Common Files\microsoft shared
2008-11-03 00:59:07 ----SD---- C:\Users\MySweetBunny\AppData\Roaming\Microsoft
2008-11-02 21:31:22 ----D---- C:\Program Files\CONEXANT
2008-11-02 21:28:51 ----D---- C:\Program Files\InterVideo
2008-11-02 21:28:48 ----D---- C:\ProgramData\Ulead Systems
2008-11-02 21:28:48 ----D---- C:\Program Files\Common Files\Ulead Systems
2008-11-02 21:19:13 ----D---- C:\Program Files\Toshiba
2008-11-02 21:15:21 ----D---- C:\Program Files\Windows Live
2008-11-02 18:49:07 ----D---- C:\Program Files\Microsoft Works
2008-11-02 18:46:03 ----D---- C:\Windows\system32\appmgmt
2008-11-02 18:42:12 ----D---- C:\Program Files\Common Files\logishrd
2008-11-02 18:41:58 ----D---- C:\ProgramData\Logishrd
2008-11-02 18:34:55 ----D---- C:\ProgramData\Microsoft Help
2008-11-02 18:34:54 ----RSD---- C:\Windows\assembly
2008-11-02 18:34:00 ----RSD---- C:\Windows\Fonts
2008-11-02 18:32:47 ----D---- C:\Windows\ShellNew

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2008-11-03 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2008-11-03 26824]
R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-18 350720]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 AvgWfpX;AVG Free8 Firewall Driver x86; C:\Windows\System32\Drivers\avgwfpx.sys [2008-11-03 69128]
R3 BoiHwsetup;Access 32bits INT15 routine; C:\Windows\system32\drivers\BoiHwSetup.sys [2006-10-12 7680]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-18 14208]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-18 220672]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-09 987648]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-10-09 206336]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-10-22 7610144]
R3 qkbfiltr;Keyboard Filter Driver; C:\Windows\system32\DRIVERS\qkbfiltr.sys [2006-11-20 33792]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-18 88576]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2006-10-27 179896]
R3 TcUsb;TC USB Kernel Driver; C:\Windows\System32\Drivers\tcusb.sys [2006-12-03 39056]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver; C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 16128]
R3 tifm21;tifm21; C:\Windows\system32\drivers\tifm21.sys [2006-07-06 168448]
R3 tosrfec;Bluetooth ACPI; C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 9216]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-09 657920]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-18 11264]
S1 Tosrfcom;Tosrfcom; C:\Windows\system32\drivers\Tosrfcom.sys []
S2 MCSTRM;MCSTRM; C:\Windows\system32\drivers\MCSTRM.sys []
S3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 188416]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 jfdcd;jfdcd; \??\C:\Users\MYSWEE~1\AppData\Local\Temp\jfdcd.sys []
S3 LVUSBSta;Logitech USB Monitor Filter; C:\Windows\system32\DRIVERS\LVUSBSta.sys [2007-10-12 41752]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 NETw3v32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 1781760]
S3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\Windows\system32\DRIVERS\LV302V32.SYS [2007-10-12 1279000]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-18 73088]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S4 KR10I;KR10I; C:\Windows\system32\drivers\kr10i.sys [2006-02-14 216320]
S4 KR10N;KR10N; C:\Windows\system32\drivers\kr10n.sys [2005-09-27 207104]
S4 KR3NPXP;KR3NPXP; C:\Windows\system32\drivers\kr3npxp.sys [2006-09-27 479488]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-16 611664]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-11-03 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-11-03 231704]
R2 CFSvcs;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2006-11-14 40960]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-10-22 207392]
R2 Swupdtmr;Swupdtmr; c:\Toshiba\IVP\swupdate\swupdtmr.exe [2006-07-20 40960]
R2 TODDSrv;TOSHIBA Optical Disc Drive Service; C:\Windows\system32\TODDSrv.exe [2006-05-25 114688]
R2 TosCoSrv;TOSHIBA Power Saver; C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe [2006-12-20 428152]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-19 917504]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------
--------------------------------------------------------------------------


Malwarebytes' log:

Malwarebytes' Anti-Malware 1.30
Database version: 1437
Windows 6.0.6001 Service Pack 1

11/30/2008 1:38:25 PM
mbam-log-2008-11-30 (13-38-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160475
Time elapsed: 2 hour(s), 35 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{460aa492-2468-4d2d-a0a5-b2624aeba749} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{460aa492-2468-4d2d-a0a5-b2624aeba749} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
 
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 1, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 01, 2008 16:09:05
Records in database: 1429402
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 142094
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:43:53

No malware has been detected. The scan area is clean.

The selected area was scanned.
--------------------------------------------------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:31 PM, on 12/1/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rhapsody\rhaphlpr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\Windows\system32\kitiyija.dll c:\windows\system32\juropawo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4769 bytes
 
Then let's clean a bit leftovers.

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Open notepad and copy/paste the text in the codebox below into it:

Code: 
Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
After Combofix tried to reboot the computer for the first time, I got the blue screen that said failed to boot properly. I then selected Boot Normally (default), Combofix restarted itself and a message box saying Windows has recovered from an unexpected shutdown:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.256.1
Locale ID: 1033

Additional information about the problem:
BCCode: 93
BCP1: 0000052C
BCP2: 00000000
BCP3: 00000000
BCP4: 00000000
OS Version: 6_0_6001
Service Pack: 1_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\Mini120308-01.dmp
C:\Users\MySweetBunny\AppData\Local\Temp\WER-53539-0.sysdata.xml
C:\Users\MySweetBunny\AppData\Local\Temp\WER45C6.tmp.version.txt

--------------------------------------------------------------------------
It still managed to make a log:


ComboFix 08-12-01.03 - MySweetBunny 2008-12-03 6:28:38.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1409 [GMT -6:00]
Running from: c:\users\MySweetBunny\Desktop\ComboFix.exe
Command switches used :: c:\users\MySweetBunny\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-11-30 10:54 . 2008-11-30 10:55 <DIR> d-------- C:\rsit
2008-11-29 21:56 . 2008-11-29 21:56 <DIR> d-------- c:\users\MySweetBunny\AppData\Roaming\Malwarebytes
2008-11-29 21:56 . 2008-11-29 21:56 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-29 21:56 . 2008-11-29 21:56 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-29 21:56 . 2008-11-29 21:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-29 21:56 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-29 21:56 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-27 07:10 . 2008-10-20 23:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-27 07:10 . 2008-08-27 21:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-27 07:10 . 2008-08-27 21:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-27 07:10 . 2008-08-27 21:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-27 07:10 . 2008-10-21 21:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-26 08:26 . 2008-11-26 08:26 <DIR> d-------- c:\program files\Trend Micro
2008-11-24 23:57 . 2008-11-27 13:03 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-17 14:05 . 2008-10-16 15:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-17 14:05 . 2008-10-16 14:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-17 14:05 . 2008-10-16 15:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-17 14:05 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-17 14:05 . 2008-10-16 14:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-17 14:05 . 2008-10-16 15:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-17 14:05 . 2008-10-16 15:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-17 14:05 . 2008-10-16 15:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-17 14:05 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-13 19:52 . 2008-11-13 19:52 192 --a------ c:\windows\cdplayer.ini
2008-11-13 07:28 . 2008-12-03 06:34 32,536 --a------ c:\users\All Users\nvModes.dat
2008-11-13 07:28 . 2008-12-03 06:34 32,536 --a------ c:\programdata\nvModes.dat
2008-11-11 15:24 . 2008-09-09 21:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-11 15:24 . 2008-09-04 23:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-11 15:24 . 2008-08-26 19:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-06 19:51 . 2008-11-06 19:51 <DIR> d-------- C:\PFiles
2008-11-03 01:02 . 2008-12-03 06:23 <DIR> d-------- c:\windows\System32\drivers\Avg
2008-11-03 01:02 . 2008-11-03 01:02 97,928 --a------ c:\windows\System32\drivers\avgldx86.sys
2008-11-03 01:02 . 2008-11-03 01:02 69,128 --a------ c:\windows\System32\drivers\avgwfpx.sys
2008-11-03 01:02 . 2008-11-03 01:02 10,520 --a------ c:\windows\System32\avgrsstx.dll
2008-11-03 01:01 . 2008-11-03 01:01 <DIR> d-------- c:\program files\AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 15:58 --------- d-----w c:\program files\Eusing Free Registry Cleaner
2008-11-23 02:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-19 14:16 --------- d-----w c:\users\MySweetBunny\AppData\Roaming\SPORE
2008-11-16 12:34 --------- d-----w c:\programdata\NVIDIA
2008-11-15 14:43 --------- d-----w c:\program files\DivX
2008-11-15 12:30 --------- d-----w c:\program files\Rhapsody
2008-11-13 13:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 13:30 --------- d-----w c:\program files\AGEIA Technologies
2008-11-11 23:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 07:01 --------- d-----w c:\programdata\avg8
2008-11-03 03:31 --------- d-----w c:\program files\CONEXANT
2008-11-03 03:28 --------- d-----w c:\programdata\Ulead Systems
2008-11-03 03:28 --------- d-----w c:\program files\InterVideo
2008-11-03 03:28 --------- d-----w c:\program files\Common Files\Ulead Systems
2008-11-03 03:19 --------- d-----w c:\program files\Toshiba
2008-11-03 03:15 --------- d-----w c:\program files\Windows Live
2008-11-03 00:49 --------- d-----w c:\program files\Microsoft Works
2008-11-03 00:42 --------- d-----w c:\program files\Common Files\logishrd
2008-11-03 00:41 --------- d-----w c:\programdata\Logishrd
2008-11-03 00:34 --------- d-----w c:\programdata\Microsoft Help
2008-10-22 18:42 7,610,144 ----a-w c:\windows\system32\drivers\nvlddmkm.sys
2008-10-22 18:42 4,160 ----a-w c:\windows\system32\drivers\nvBridge.kmd
2008-10-21 13:01 --------- d-----w c:\programdata\SecTaskMan
2008-10-20 22:00 57,688 ----a-w c:\users\MySweetBunny\AppData\Roaming\nvModes.dat
2008-10-20 12:43 --------- d-----w c:\program files\Microsoft Games
2008-10-19 21:20 --------- d-----w c:\users\MySweetBunny\AppData\Roaming\Uniblue
2008-10-16 08:10 --------- d-----w c:\program files\Windows Mail
2008-10-13 16:35 --------- d-----w c:\program files\CycloDSEvolution Tools
2008-10-12 11:26 --------- d-----w c:\program files\RogueSynapse
2008-10-10 01:38 --------- d-----w c:\program files\Yahoo!
2008-06-18 19:15 174 --sha-w c:\program files\desktop.ini
2007-05-12 23:20 262,144 ----a-w c:\programdata\ntuser.dat
2008-08-26 20:49 2,713 --sh--w c:\windows\System32\barijatu.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-27_ 7.07.01.49 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-27 13:03:03 1,572,864 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-12-03 12:34:28 1,572,864 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-11-27 13:03:03 1,572,864 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-12-03 12:34:28 1,572,864 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-11-27 11:50:24 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-28 09:00:24 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-27 11:50:24 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-28 09:00:24 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-27 11:50:24 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-28 09:00:24 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-27 12:58:05 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-03 12:28:19 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\System32\Macromed\Flash\FlashUtil10a.exe
- 2008-09-07 10:05:05 74,649 ----a-w c:\windows\System32\Macromed\Flash\uninstall_activeX.exe
+ 2008-12-02 13:04:43 88,590 ----a-w c:\windows\System32\Macromed\Flash\uninstall_activeX.exe
- 2008-11-27 12:47:56 101,350 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-03 12:26:51 101,350 ----a-w c:\windows\System32\perfc009.dat
- 2008-11-27 12:47:57 595,684 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-03 12:26:51 595,684 ----a-w c:\windows\System32\perfh009.dat
- 2008-11-24 17:41:24 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2008-11-28 09:06:38 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat
- 2008-11-27 12:43:37 15,178 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-522854213-1344089828-1915909241-1000_UserData.bin
+ 2008-12-03 12:23:39 15,698 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-522854213-1344089828-1915909241-1000_UserData.bin
- 2008-11-27 12:43:37 66,738 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-03 12:23:39 66,856 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-26 14:20:45 68,140 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-03 12:23:37 68,488 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-11-17 20:06:06 159,320,031 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-11-27 13:10:02 161,979,562 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-10-21 05:16:20 1,645,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-getconnectedwizards_31bf3856ad364e35_6.0.6000.16766_none_62ed735b99bf2599\connect.dll
+ 2008-10-21 05:06:53 1,645,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-getconnectedwizards_31bf3856ad364e35_6.0.6000.20940_none_6386b028b2d1f29e\connect.dll
+ 2008-10-21 05:25:17 1,645,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-getconnectedwizards_31bf3856ad364e35_6.0.6001.18159_none_64e182cb96dae69e\connect.dll
+ 2008-10-21 05:21:42 1,645,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-getconnectedwizards_31bf3856ad364e35_6.0.6001.22291_none_6537dd96b0202b74\connect.dll
+ 2008-08-28 03:24:50 425,472 ----a-w c:\windows\winsxs\x86_microsoft-windows-photometadatahandler_31bf3856ad364e35_6.0.6000.16740_none_c85de4f0e87e1001\PhotoMetadataHandler.dll
+ 2008-08-28 03:21:23 425,472 ----a-w c:\windows\winsxs\x86_microsoft-windows-photometadatahandler_31bf3856ad364e35_6.0.6000.20905_none_c917c4c40176bbe1\PhotoMetadataHandler.dll
+ 2008-08-28 03:40:09 425,472 ----a-w c:\windows\winsxs\x86_microsoft-windows-photometadatahandler_31bf3856ad364e35_6.0.6001.18131_none_ca4ff3cce59b9e58\PhotoMetadataHandler.dll
+ 2008-08-28 03:37:44 425,472 ----a-w c:\windows\winsxs\x86_microsoft-windows-photometadatahandler_31bf3856ad364e35_6.0.6001.22253_none_cac5f153fec7a8b2\PhotoMetadataHandler.dll
+ 2008-08-28 03:24:51 712,192 ----a-w c:\windows\winsxs\x86_microsoft-windows-windowscodec_31bf3856ad364e35_6.0.6000.16740_none_94703b0aa417f9f5\WindowsCodecs.dll
+ 2008-08-28 03:22:04 712,704 ----a-w c:\windows\winsxs\x86_microsoft-windows-windowscodec_31bf3856ad364e35_6.0.6000.20905_none_952a1addbd10a5d5\WindowsCodecs.dll
+ 2008-08-28 03:40:11 712,704 ----a-w c:\windows\winsxs\x86_microsoft-windows-windowscodec_31bf3856ad364e35_6.0.6001.18131_none_966249e6a135884c\WindowsCodecs.dll
+ 2008-08-28 03:37:46 712,704 ----a-w c:\windows\winsxs\x86_microsoft-windows-windowscodec_31bf3856ad364e35_6.0.6001.22253_none_96d8476dba6192a6\WindowsCodecs.dll
+ 2008-08-28 03:24:51 347,136 ----a-w c:\windows\winsxs\x86_microsoft-windows-windowscodecext_31bf3856ad364e35_6.0.6000.16740_none_91804ffcbb9f565c\WindowsCodecsExt.dll
+ 2008-08-28 03:22:04 347,648 ----a-w c:\windows\winsxs\x86_microsoft-windows-windowscodecext_31bf3856ad364e35_6.0.6000.20905_none_923a2fcfd498023c\WindowsCodecsExt.dll
+ 2008-08-28 03:40:11 347,136 ----a-w c:\windows\winsxs\x86_microsoft-windows-windowscodecext_31bf3856ad364e35_6.0.6001.18131_none_93725ed8b8bce4b3\WindowsCodecsExt.dll
+ 2008-08-28 03:37:46 347,648 ----a-w c:\windows\winsxs\x86_microsoft-windows-windowscodecext_31bf3856ad364e35_6.0.6001.22253_none_93e85c5fd1e8ef0d\WindowsCodecsExt.dll
+ 2008-10-22 03:43:51 241,152 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PortableDeviceApi.dll
+ 2008-10-22 03:43:51 95,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PortableDeviceClassExtension.dll
+ 2008-10-22 03:43:51 160,768 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PortableDeviceTypes.dll
+ 2008-10-22 03:39:42 241,152 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PortableDeviceApi.dll
+ 2008-10-22 03:39:42 95,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PortableDeviceClassExtension.dll
+ 2008-10-22 03:39:42 160,768 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PortableDeviceTypes.dll
+ 2008-10-22 03:57:30 241,152 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PortableDeviceApi.dll
+ 2008-01-19 07:36:07 94,720 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PortableDeviceClassExtension.dll
+ 2008-01-19 07:36:07 160,768 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PortableDeviceTypes.dll
+ 2008-10-22 03:34:55 241,152 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PortableDeviceApi.dll
+ 2008-10-22 03:34:55 94,720 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PortableDeviceClassExtension.dll
+ 2008-10-22 03:34:55 160,768 ----a-w c:\windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PortableDeviceTypes.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 18:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 18:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-22 13675040]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-22 92704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 17:50 90112 c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ymetray.lnk]
backup=c:\windows\pss\ymetray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2006-12-15 17:59 530552 c:\program files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
--a------ 2006-12-07 18:49 55416 c:\program files\Toshiba\TBS\HSON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PINGER]
--a------ 2006-07-20 14:45 151552 c:\toshiba\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2006-12-11 19:45 448632 c:\program files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
--a------ 2006-12-20 01:16 411768 c:\program files\Toshiba\Power Saver\TPwrMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 01:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-522854213-1344089828-1915909241-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{24433AC1-4A33-4813-95CD-5E93ACE2457C}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{4C376BCA-BDCF-46A9-AA0E-D5FEAFFC6A3B}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{06B53753-3FEE-44AD-A1DF-9A77DCDC9FBE}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{834D088C-B39E-4191-8CEB-5B9AEEDD716A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9B3BAC9F-1CEA-43C4-97A8-9EE86F9F5D7F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{215A4379-103F-4718-A62C-CC24EC976F94}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{1094E7CB-7547-44F0-8321-2AB93BBAF4E0}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{EDDE538C-CB7E-46BD-B2A2-3F104892FDD0}"= UDP:c:\program files\Warcraft III\Warcraft III.exe:Warcraft III
"{BBB64935-7997-4206-941A-3FB63D6C2F0D}"= TCP:c:\program files\Warcraft III\Warcraft III.exe:Warcraft III
"{51497833-D061-4DE5-8F5D-CFE72B7481B8}"= UDP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{41E3449C-5415-4CDB-8CF8-46E72AF4CD73}"= TCP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{385D3138-883D-46A1-870D-062310DE70E4}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BD5FD5A2-CE32-4F5B-A820-0CA9A2428E74}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{D45DCB1E-954A-4E05-91E1-54466C89027D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CB203017-6857-4924-A4CF-1936BBEDA04F}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{1044FF6C-0566-4364-9EAD-B4FE5AD1C0B1}"= UDP:c:\users\Public\World of Warcraft\WoW-2.2.0.7272-to-2.2.2.7318-enUS-downloader.exe:Blizzard Downloader
"{8AFDEBFF-72F0-449E-AC43-9F71357B5CA4}"= TCP:c:\users\Public\World of Warcraft\WoW-2.2.0.7272-to-2.2.2.7318-enUS-downloader.exe:Blizzard Downloader
"TCP Query User{09A750E8-0CD5-4BCD-B46F-AB70D3243FF9}c:\\program files\\microsoft games\\dungeon siege\\dungeonsiege.exe"= UDP:c:\program files\microsoft games\dungeon siege\dungeonsiege.exe:Dungeon Siege Game Executable
"UDP Query User{22C50DBA-6BCD-4B2F-9BD3-A1D138C25B84}c:\\program files\\microsoft games\\dungeon siege\\dungeonsiege.exe"= TCP:c:\program files\microsoft games\dungeon siege\dungeonsiege.exe:Dungeon Siege Game Executable
"{D66E58B8-D0AB-4A81-836F-371959BA4E36}"= UDP:c:\users\Public\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{2F0D43A7-2BCE-4BB0-9548-A9A89D75628B}"= TCP:c:\users\Public\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{BA80ABFE-C0C5-4998-AE8D-5B37198C6616}"= UDP:3724:Blizzard Downloader: 3724
"{5C847171-3D8E-498C-8C30-6F9466B35312}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{915DA043-1705-4430-8206-DAF14654519A}"= UDP:c:\program files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{023115A5-35E0-4717-BF80-8295669B4BB6}"= TCP:c:\program files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{CEDB1986-6431-4F1E-BCDE-6B4B689E75C2}"= UDP:c:\program files\Diablo II\Diablo II.exe:Diablo II - Lord of Destruction
"{EC48C02A-0DFA-4340-9EDA-992B5F1415F7}"= TCP:c:\program files\Diablo II\Diablo II.exe:Diablo II - Lord of Destruction
"{FEEA2694-E6A8-4982-ACF8-FF5DB3919AB9}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{2A8E0A2D-3112-4090-95E6-3AF552173AE8}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{DB2C6395-07E1-414E-BA32-B05996098362}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"{BC051E9C-7A05-435E-ACE4-3E0E771A3235}"= UDP:c:\program files\Diablo II\Diablo II.exe:Diablo II - Lord of Destruction
"{909E6A5E-2403-4963-9E2D-DB1E2FBD87ED}"= TCP:c:\program files\Diablo II\Diablo II.exe:Diablo II - Lord of Destruction
"{10DF9718-7B7B-4AB0-9D18-18C34F5C73B0}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{0C6A328F-13CF-42FF-81A5-04F20F00EF64}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{C70EB7AE-2E3F-4B54-A95F-BB9B4CA23C84}c:\\users\\mysweetbunny\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= UDP:c:\users\mysweetbunny\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe:octoshape.exe
"UDP Query User{C3CFD078-12AC-4403-95BC-256F04F294C4}c:\\users\\mysweetbunny\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= TCP:c:\users\mysweetbunny\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe:octoshape.exe
"{DB332564-5F30-4D05-BA24-D8BA2B8FCA9A}"= UDP:c:\windows\explorer.exe:Explorer
"{1D025813-91A0-4D30-AE13-617F26972088}"= TCP:c:\windows\explorer.exe:Explorer
"{79750498-5B32-4498-AA3A-4C682458E5AA}"= UDP:c:\windows\explorer.exe:Explorer
"{964FD7A6-D8D8-41D1-AF89-9906319B235A}"= TCP:c:\windows\explorer.exe:Explorer
"{87E3F3FF-BA4E-496C-9259-84E20CCAE35F}"= UDP:c:\windows\System32\dwm.exe:Dwm
"{FE32EF8A-6BAF-427D-927A-590B4EB5EDA1}"= TCP:c:\windows\System32\dwm.exe:Dwm
"{9BF926F0-91FE-453A-A4DF-C112D31A8291}"= UDP:c:\windows\System32\LogonUI.exe:LogonUI
"{8E58035B-4F38-4156-8755-2FECBA39C564}"= TCP:c:\windows\System32\LogonUI.exe:LogonUI
"{41CFC8FF-9348-4673-8A33-BE8F453C2AF3}"= UDP:c:\windows\System32\wininit.exe:wininit
"{2ED6E9CE-7FED-4E19-81EA-1C78EF86A230}"= TCP:c:\windows\System32\wininit.exe:wininit
"{9A009F5E-75D5-46C8-BCCA-B9DB5B757401}"= UDP:c:\windows\System32\wininit.exe:wininit
"{C98C61CE-1B81-4DFA-8D97-94FA9A99B58E}"= TCP:c:\windows\System32\wininit.exe:wininit
"{50386947-031D-4406-9DEB-E056E944A695}"= UDP:c:\program files\AVG\AVG8\avgrsx.exe:avgrsx
"{E07582D9-9E52-4F58-B48B-778E684E7281}"= TCP:c:\program files\AVG\AVG8\avgrsx.exe:avgrsx
"{56F653CE-E784-4A2B-8D2D-3A60B5A4B52E}"= UDP:c:\unreal\System\Unreal.exe:Unreal
"{ECF67E69-67EB-479C-A397-A55E75190A4D}"= TCP:c:\unreal\System\Unreal.exe:Unreal

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-03 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-03 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-03 231704]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\Drivers\avgwfpx.sys [2008-11-03 69128]
R3 BoiHwsetup;Access 32bits INT15 routine;c:\windows\system32\drivers\BoiHwSetup.sys [2006-10-12 7680]
R3 qkbfiltr;Keyboard Filter Driver;c:\windows\system32\DRIVERS\qkbfiltr.sys [2006-11-20 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\User_Feed_Synchronization-{CBFF64F7-E5DB-4768-BE6B-B5411FE092C3}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 01:33]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 06:34:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(680)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'Explorer.exe'(3960)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Protector Suite QL\upeksvr.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\WerFault.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\System32\rundll32.exe
c:\combofix\hidec.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\windows\System32\drivers\XAudio.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2008-12-03 6:41:10 - machine was rebooted [MySweetBunny]
ComboFix-quarantined-files.txt 2008-12-03 12:39:52
ComboFix2.txt 2008-11-27 13:08:47

Pre-Run: 81,527,230,464 bytes free
Post-Run: 81,426,911,232 bytes free

314 --- E O F --- 2008-12-01 17:18:30


--------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:59 AM, on 12/3/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\WerFault.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4453 bytes
 
That happens sometimes.

Looks like it worked like it should anyway.

Still some issues or are you ready for final instructions?
 
No issues, AVG ran an autoscan and moved the quarantined files Combofix found in the Qoobox directory to it's own quarantine folder.
 
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 11.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor
3) PC Tools
4) Sunbelt/Kerio
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

You can delete rsit and c:\rsit folder

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top