win32.TDSS.rtk - Here is my log

[Demetrius]

My computer is infected with win32.TDSS.rtk and neither Spybot nor every other program I tried is able to get rid of it. Find my log below - thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:38 AM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Real\RealOne Player\realplay.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\Ed\Desktop\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237794374732
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Update Service (gupdate1c9b75b699d4ed6) (gupdate1c9b75b699d4ed6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6887 bytes

 

[pskelley]

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Please read and follow the directions, appears you have not done so. Once that is done, if you still need help, start like this.

1) Disable TeaTimer as instructed:
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

3) Properly place HijackThis as directed:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks

 

[Demetrius]

I did everything you asked. The uninstall list and log file are below, thanks!

AbiWord 2.6.8
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.1
Adobe Stock Photos 1.0
Advertisement Service
Apple Software Update
Canon MX850 series
CD-LabelPrint
Choice Guard
Corel WinDVD 9
DivX Codec
DivX Web Player
Dragon NaturallySpeaking 9
ERUNT 1.1j
Google Chrome
Google Update Helper
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
ImgBurn
Impression DVD SE
LeechFTP
Microsoft Office XP Small Business
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB954430)
NVIDIA Display Driver
PestPatrol Upgrade
Picture Resize Genius 2.9.5
QuickTime
Rainlendar2 (remove only)
RealOne Player
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Segoe UI
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster 4.2
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
VC 9.0 Runtime
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6e
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Service Pack 3
WinZip 12.0
ZoneAlarm Security Suite

=========================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:01 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Ed\protect.dll,_IWMPEvents@16
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FEBDBE.exe] C:\WINDOWS\TEMP\_A00FEBDBE.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\Ed\Desktop\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\Ed\Desktop\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\Ed\Desktop\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237794374732
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: __c005D10 - C:\WINDOWS\system32\__c005D10.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Update Service (gupdate1c9b75b699d4ed6) (gupdate1c9b75b699d4ed6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8535 bytes

 

[pskelley]

I did everything you asked.

C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
Instruction #3 was not followed, please follow those instructions to located HijackThis as directed before you proceed.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• See this Link for programs that need to be disabled and instruction on how to disable them.
• Remember to re-enable them when we're done.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Spybot - Search & Destroy 1.4 <<< uninstall that out of date program.

Spybot - Search & Destroy <<< Please be sure Spybot S&D is up to date and fully immunized.
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html

 

[Demetrius]

I am confused about this Desktop issue - isn't HijackThis in a desktop folder? What must I do different?

Thanks for your patience

 

[pskelley]

If you will read the directions and follow them. You have installed HJT on the Desktop and backups that may be needed in an emergency unsafe on the Desktop instead of the correct, safe location:

By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

Thanks

 

[Demetrius]

ComboFix 09-05-06.02 - Admin 05/06/2009 14:59.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.492 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\protect.dll
c:\documents and settings\Admin\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Admin\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\protect.dll
c:\windows\system32\__c005D10.dat
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthcnelqywrxggryaypwyoydjbpxeddcbiw.sys
c:\windows\system32\ovfsthgommeqirqpsoyjvnlucyslmpljvqwjrm.dll
c:\windows\system32\ovfsthnffwylruofquqlykeomotaawuuanjrra.dat
c:\windows\system32\ovfsthrreimcbcloxpkeehjiebxjaomprrvqnm.dat
c:\windows\system32\ovfsthsrvmxehjdshmwsqvsjfevveyoojnqxof.dll
c:\windows\system32\ovfsthswmdrudtstuckamlbkvytimnujeopspj.dll
c:\windows\system32\ovfsthswmdrudtstuckamlbkvytimnujeopspj.dll_old
c:\windows\system32\wamejulu.exe
c:\windows\system32\winglsetup.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-06 21:52 . 2009-05-06 22:08 1536032 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-06 21:43 . 2009-05-06 21:43 -------- d-----w c:\program files\Trend Micro
2009-05-06 21:27 . 2009-05-06 21:42 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-06 05:31 . 2009-05-06 05:31 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-06 03:16 . 2009-05-06 03:16 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-05 23:12 . 2009-05-05 23:12 -------- d-sh--w c:\documents and settings\Admin\PrivacIE
2009-05-05 23:07 . 2009-05-05 23:07 -------- d-sh--w c:\documents and settings\Admin\IETldCache
2009-05-05 23:06 . 2009-05-05 23:06 -------- d-----w c:\windows\ie8updates
2009-05-05 23:06 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-05 23:04 . 2009-05-05 23:05 -------- dc-h--w c:\windows\ie8
2009-05-05 22:41 . 2009-05-05 22:41 -------- d-----w c:\documents and settings\Admin\AbiSuite
2009-05-05 22:40 . 2009-05-05 22:40 -------- d-----w c:\program files\AbiSuite2
2009-05-04 07:06 . 2009-05-04 07:06 -------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-05-04 07:06 . 2009-05-05 04:25 -------- d-----w c:\documents and settings\Admin\Application Data\Azureus
2009-05-04 07:04 . 2009-05-04 07:04 -------- d-----w c:\program files\Common Files\i4j_jres
2009-05-04 07:04 . 2009-05-04 07:04 -------- d-----w c:\program files\Vuze
2009-05-03 21:24 . 2009-05-03 21:24 -------- d-----w C:\My Music
2009-05-02 06:59 . 2009-05-02 07:11 -------- d-----w c:\documents and settings\Admin\Application Data\MailFrontier
2009-05-02 01:38 . 2009-05-02 01:41 -------- d-----w c:\program files\Picture Resize Genius
2009-05-01 23:51 . 2009-05-01 23:51 -------- d-----w C:\favorites temp repository
2009-05-01 23:08 . 2009-05-02 21:22 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-01 23:08 . 2009-05-02 05:06 -------- d-----w c:\program files\SpywareBlaster
2009-05-01 05:47 . 2009-05-01 05:47 33174920 ----a-w c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:11 . 2009-04-01 02:20 72584 ----a-w c:\windows\zllsputility.exe
2009-05-01 05:10 . 2009-05-01 05:10 37014408 ----a-w c:\program files\zaAvSetup_80_298_035_en.exe
2009-04-25 08:05 . 1998-10-29 23:45 306688 ----a-w c:\windows\IsUninst.exe
2009-04-25 08:02 . 2002-01-11 02:02 13780 ----a-w c:\windows\system32\drivers\pfc.sys
2009-04-25 08:02 . 2009-04-25 08:02 -------- d-----w c:\program files\Pinnacle
2009-04-21 11:54 . 2009-04-21 11:54 -------- d-----r C:\New Briefcase
2009-04-20 06:16 . 2009-05-06 22:07 -------- d-----w c:\program files\PestPatrol
2009-04-20 06:11 . 2009-04-01 02:20 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-18 05:14 . 2009-05-03 01:35 -------- d-----w c:\documents and settings\Admin\Application Data\Move Networks
2009-04-16 11:11 . 2009-04-16 11:11 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\PCHealth
2009-04-16 10:34 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 10:34 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 10:34 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 10:34 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 10:34 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 10:34 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 10:34 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 10:34 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 10:34 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 10:33 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 10:33 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 21:00 . 2009-04-07 21:00 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-07 08:51 . 2009-04-07 08:51 -------- d-----w c:\documents and settings\Admin\Application Data\DivX
2009-04-07 08:32 . 2009-04-07 08:32 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-07 08:32 . 2009-04-25 05:11 -------- d-----w c:\program files\DivX
2009-04-07 08:32 . 2009-04-07 08:53 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\Google
2009-04-07 08:32 . 2009-04-07 08:33 -------- d-----w c:\program files\Google
2009-04-07 08:32 . 2009-04-07 08:32 -------- d-----w c:\program files\Common Files\DivX Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 22:05 . 2009-05-06 21:52 19820 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-06 20:30 . 2009-03-23 11:36 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-05 23:41 . 2009-03-28 06:22 1555 ----a-w c:\documents and settings\Admin\Application Data\SAS7_000.DAT
2009-05-02 19:43 . 2009-05-02 19:46 2021888 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-05-02 19:43 . 2009-05-02 19:46 1204736 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-05-02 07:08 . 2009-03-23 07:27 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-25 08:01 . 2009-03-24 00:02 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-15 05:39 . 2009-03-29 13:11 62856 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 22:33 . 2009-03-24 00:17 2828 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-04-14 22:28 . 2009-03-24 00:17 88 --sh--r c:\documents and settings\All Users\Application Data\0AD8011988.sys
2009-04-05 05:26 . 2009-04-05 05:26 -------- d-----w c:\program files\VideoLAN
2009-04-04 23:43 . 2009-03-23 08:16 62856 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 01:31 . 2009-03-25 08:58 -------- d-----w c:\program files\Common Files\Adobe
2009-04-04 01:30 . 2009-04-04 01:30 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-04-02 00:39 . 2009-04-02 00:39 51893 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_01_16_31_21_small.dmp.zip
2009-04-02 00:39 . 2009-04-02 00:39 51164 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_01_16_31_22_small.dmp.zip
2009-04-02 00:39 . 2009-04-02 00:39 51471 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_01_16_31_19_small.dmp.zip
2009-04-01 08:17 . 2009-04-01 08:17 -------- d-----w c:\program files\Microsoft
2009-04-01 08:17 . 2009-04-01 08:16 -------- d-----w c:\program files\Windows Live
2009-04-01 08:16 . 2009-04-01 08:16 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-01 08:13 . 2009-04-01 08:13 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-31 06:57 . 2009-03-23 09:43 96 ----a-w c:\windows\system32\pdfl.dat
2009-03-31 00:51 . 2009-03-31 00:50 29257735 ----a-w c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_03_30_15_21_27_full.dmp.zip
2009-03-31 00:50 . 2009-03-31 00:50 173509 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_30_15_21_25_small.dmp.zip
2009-03-30 03:39 . 2009-03-30 03:37 29307505 ----a-w c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_03_29_06_00_57_full.dmp.zip
2009-03-30 03:37 . 2009-03-30 03:37 167861 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_29_06_00_55_small.dmp.zip
2009-03-29 13:02 . 2009-03-25 03:42 -------- d-----w c:\program files\QuickTime
2009-03-28 05:59 . 2009-03-28 05:59 -------- d-----w c:\program files\Common Files\ScanSoft Shared
2009-03-28 05:59 . 2009-03-28 05:59 -------- d-----w c:\program files\Common Files\Nuance
2009-03-28 05:59 . 2009-03-23 23:51 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-28 05:58 . 2009-03-28 05:58 -------- d-----w c:\program files\Nuance
2009-03-28 03:03 . 2009-03-28 03:03 -------- d-----w c:\program files\Apple Software Update
2009-03-28 01:54 . 2009-03-28 01:53 -------- d-----w c:\program files\ImgBurn
2009-03-26 21:55 . 2009-03-26 21:54 25887309 ----a-w c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_03_26_01_48_58_full.dmp.zip
2009-03-26 21:54 . 2009-03-26 21:54 150676 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_26_01_48_56_small.dmp.zip
2009-03-25 09:51 . 2009-03-25 09:51 -------- d-----w c:\program files\CD-LabelPrint
2009-03-25 09:01 . 2009-03-25 09:01 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-24 05:01 . 2009-03-24 05:01 -------- d-----w c:\program files\MSXML 4.0
2009-03-24 00:16 . 2009-03-24 00:16 -------- d-----w c:\program files\InterVideo
2009-03-24 00:16 . 2009-03-24 00:16 -------- d-----w c:\program files\Common Files\InterVideo
2009-03-24 00:16 . 2009-03-24 00:16 -------- d-----w c:\program files\Common Files\Protexis
2009-03-24 00:15 . 2009-03-24 00:15 -------- d-----w c:\program files\Corel
2009-03-23 23:21 . 2009-03-23 23:16 -------- d-----w c:\program files\LeechFTP
2009-03-23 22:16 . 2009-03-23 21:58 -------- d-----w c:\program files\Rainlendar2
2009-03-23 22:05 . 2009-03-23 22:05 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-23 21:57 . 2009-03-23 21:57 -------- d-----w c:\program files\Common Files\xing shared
2009-03-23 21:57 . 2009-03-23 21:57 -------- d-----w c:\program files\aod
2009-03-23 21:57 . 2009-03-23 21:57 -------- d-----w c:\program files\Common Files\Real
2009-03-23 21:57 . 2009-03-23 21:57 -------- d-----w c:\program files\Real
2009-03-23 21:50 . 2009-03-23 21:50 -------- d--h--w c:\program files\CanonBJ
2009-03-23 20:57 . 2009-03-23 20:57 -------- d-----w c:\program files\SonicWallES
2009-03-23 19:15 . 2009-03-23 19:15 118386 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_23_03_59_44_small.dmp.zip
2009-03-23 11:38 . 2009-03-23 11:38 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-23 11:38 . 2009-03-23 11:38 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-23 11:38 . 2009-03-23 11:38 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-23 11:38 . 2009-03-23 11:38 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-23 09:43 . 2009-03-23 09:43 80 ----a-w c:\windows\system32\ibfl.dat
2009-03-23 09:43 . 2009-03-23 09:43 144 ----a-w c:\windows\system32\lkfl.dat
2009-03-23 09:43 . 2009-03-23 09:43 -------- d-----w c:\program files\CheckPoint
2009-03-23 09:32 . 2009-03-23 07:11 77423 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-03-23 07:26 . 2009-03-23 07:26 -------- d-----w c:\program files\Zone Labs
2009-03-23 07:18 . 2009-03-23 07:18 2232 ----a-w c:\windows\java\Packages\Data\9JTJTZJN.DAT
2009-03-23 07:18 . 2009-03-23 07:18 155995 ----a-w c:\windows\java\Packages\DNXF1ZT7.ZIP
2009-03-23 07:18 . 2009-03-23 07:18 2678 ----a-w c:\windows\java\Packages\Data\0EZJJFJ1.DAT
2009-03-23 07:18 . 2009-03-23 07:18 2678 ----a-w c:\windows\java\Packages\Data\3P7BB9ZL.DAT
2009-03-23 07:18 . 2009-03-23 07:18 2678 ----a-w c:\windows\java\Packages\Data\U422HNBT.DAT
2009-03-23 07:18 . 2009-03-23 07:18 2678 ----a-w c:\windows\java\Packages\Data\O60Y6I2I.DAT
2009-03-23 07:18 . 2009-03-23 07:18 2678 ----a-w c:\windows\java\Packages\Data\AKJTVR53.DAT
2009-03-23 07:13 . 2009-03-23 07:13 -------- d-----w c:\program files\microsoft frontpage
2009-03-23 07:11 . 2001-08-18 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-23 07:09 . 2009-03-23 07:09 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-16 22:18 . 2009-03-26 02:15 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 22:18 . 2009-03-26 02:15 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 22:18 . 2009-03-26 02:15 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 22:18 . 2009-03-26 02:15 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 23:27 . 2009-03-26 02:15 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 23:27 . 2009-03-26 02:15 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 23:27 . 2009-03-26 02:15 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-08 11:34 . 2001-08-18 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2001-08-18 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2001-08-18 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2001-08-18 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2001-08-18 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2001-08-18 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2001-08-18 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2001-08-18 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2001-08-18 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2001-08-18 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-02 18:26 . 2009-02-02 18:26 48640 --sha-w c:\windows\system32\kogonubo.dll.vir
.

((((((((((((((((((((((((((((( SnapShot_2009-05-02_22.23.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-23 08:05 . 2009-01-08 01:21 26144 c:\windows\system32\spupdsvc.exe
+ 2009-03-23 07:12 . 2009-01-08 01:20 16928 c:\windows\system32\spmsg.dll
+ 2001-08-18 12:00 . 2009-03-08 11:31 46592 c:\windows\system32\pngfilt.dll
+ 2001-08-18 12:00 . 2009-05-06 22:00 40196 c:\windows\system32\perfc009.dat
- 2001-08-18 12:00 . 2009-05-02 21:20 40196 c:\windows\system32\perfc009.dat
+ 2009-01-08 01:20 . 2009-01-08 01:20 23552 c:\windows\system32\normaliz.dll
+ 2009-01-08 01:20 . 2009-01-08 01:20 24576 c:\windows\system32\nlsdl.dll
+ 2001-08-18 12:00 . 2009-03-08 11:31 66560 c:\windows\system32\mshtmled.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 13312 c:\windows\system32\msfeedssync.exe
+ 2009-03-08 11:31 . 2009-03-08 11:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2001-08-18 12:00 . 2009-03-08 11:33 25600 c:\windows\system32\jsproxy.dll
+ 2001-08-18 12:00 . 2009-03-08 11:32 94720 c:\windows\system32\inseng.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 36864 c:\windows\system32\ieudinit.exe
+ 2001-08-18 12:00 . 2009-03-08 11:32 55808 c:\windows\system32\iernonce.dll
+ 2009-01-08 01:20 . 2009-01-08 01:20 26112 c:\windows\system32\idndl.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 59904 c:\windows\system32\icardie.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2009-03-08 11:34 . 2009-03-08 11:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2009-03-08 11:33 . 2009-03-08 11:33 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2009-03-08 11:24 . 2009-03-08 11:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2009-03-08 11:33 . 2009-03-08 11:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2009-05-06 19:27 . 2009-05-06 21:43 24064 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
+ 2009-03-23 07:16 . 2009-05-06 21:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-23 07:16 . 2009-05-02 22:22 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-23 07:16 . 2009-05-02 22:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-23 07:16 . 2009-05-06 21:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-23 07:16 . 2009-05-02 22:22 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-23 07:16 . 2009-05-06 21:26 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-05 23:05 . 2008-04-14 13:42 37888 c:\windows\ie8\url.dll
+ 2009-05-05 23:05 . 2009-03-08 21:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2009-05-05 23:05 . 2008-04-14 13:42 39424 c:\windows\ie8\pngfilt.dll
+ 2009-05-05 23:05 . 2008-04-14 13:42 96256 c:\windows\ie8\occache.dll
+ 2009-05-05 23:05 . 2008-04-14 05:56 56832 c:\windows\ie8\mshtmler.dll
+ 2009-05-05 23:05 . 2008-04-14 13:42 29184 c:\windows\ie8\mshta.exe
+ 2009-05-05 23:05 . 2008-04-14 13:41 22016 c:\windows\ie8\licmgr10.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 15872 c:\windows\ie8\jsproxy.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 96256 c:\windows\ie8\inseng.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 35840 c:\windows\ie8\imgutil.dll
+ 2009-05-05 23:05 . 2008-04-14 13:42 93184 c:\windows\ie8\iexplore.exe
+ 2009-05-05 23:05 . 2008-04-14 13:41 62976 c:\windows\ie8\iesetup.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 48640 c:\windows\ie8\iernonce.dll
+ 2009-05-05 23:05 . 2009-02-20 08:10 81920 c:\windows\ie8\ieencode.dll
+ 2009-05-05 23:05 . 2008-04-14 13:42 34304 c:\windows\ie8\ie4uinit.exe
+ 2009-05-05 23:05 . 2008-04-14 13:41 38912 c:\windows\ie8\hmmapi.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 35328 c:\windows\ie8\corpol.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 99840 c:\windows\ie8\advpack.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 61440 c:\windows\ie8\admparse.dll
+ 2009-05-06 07:04 . 2009-05-06 07:04 32768 c:\windows\ERDNT\AutoBackup\5-6-2009\Users\00000002\UsrClass.dat
+ 2009-05-05 23:08 . 2009-05-05 23:08 32768 c:\windows\ERDNT\AutoBackup\5-5-2009\Users\00000002\UsrClass.dat
+ 2009-05-05 18:17 . 2009-05-05 18:17 32768 c:\windows\ERDNT\5-5-2009\Users\00000002\UsrClass.dat
+ 2009-05-06 03:11 . 2009-05-06 03:11 32768 c:\windows\ERDNT\5-5-2009-take2\Users\00000002\UsrClass.dat
+ 2009-05-05 23:06 . 2009-03-08 11:35 2048 c:\windows\ie8updates\KB968220-IE8\iecompat.dll
+ 2009-05-02 06:59 . 2009-05-06 21:51 241448 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-03-23 09:30 . 2008-04-14 13:42 121856 c:\windows\system32\xmllite.dll
+ 2009-03-23 09:30 . 2009-01-08 01:21 121856 c:\windows\system32\xmllite.dll
+ 2009-03-08 11:34 . 2009-03-08 11:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2001-08-18 12:00 . 2009-03-08 11:34 236544 c:\windows\system32\webcheck.dll
+ 2001-08-18 12:00 . 2009-03-08 11:34 105984 c:\windows\system32\url.dll
+ 2001-08-18 12:00 . 2009-05-06 22:00 311934 c:\windows\system32\perfh009.dat
- 2001-08-18 12:00 . 2009-05-02 21:20 311934 c:\windows\system32\perfh009.dat
+ 2001-08-18 12:00 . 2009-03-08 11:34 109568 c:\windows\system32\occache.dll
+ 2001-08-18 12:00 . 2009-03-08 11:32 611840 c:\windows\system32\mstime.dll
+ 2001-08-18 12:00 . 2009-03-08 11:34 193536 c:\windows\system32\msrating.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 594432 c:\windows\system32\msfeeds.dll
+ 2009-01-08 01:20 . 2009-01-08 01:20 265720 c:\windows\system32\msdbg2.dll
+ 2001-08-18 12:00 . 2009-03-08 11:33 726528 c:\windows\system32\jscript.dll
+ 2009-03-08 11:22 . 2009-03-08 11:22 164352 c:\windows\system32\ieui.dll
+ 2001-08-18 12:00 . 2009-03-08 11:31 183808 c:\windows\system32\iepeers.dll
+ 2001-08-18 12:00 . 2009-03-08 21:09 391536 c:\windows\system32\iedkcs32.dll
+ 2009-03-08 11:11 . 2009-03-08 11:11 445952 c:\windows\system32\ieapfltr.dll
+ 2001-08-18 12:00 . 2009-03-08 11:32 163840 c:\windows\system32\ieakui.dll
+ 2001-08-18 12:00 . 2009-03-08 11:33 229376 c:\windows\system32\ieaksie.dll
+ 2001-08-18 12:00 . 2009-03-08 11:33 125952 c:\windows\system32\ieakeng.dll
+ 2001-08-18 12:00 . 2009-03-08 11:32 173056 c:\windows\system32\ie4uinit.exe
+ 2001-08-18 12:00 . 2009-03-08 11:31 216064 c:\windows\system32\dxtrans.dll
+ 2001-08-18 12:00 . 2009-03-08 11:31 348160 c:\windows\system32\dxtmsft.dll
+ 2009-03-23 09:50 . 2009-03-08 11:34 914944 c:\windows\system32\dllcache\wininet.dll
+ 2009-03-08 11:34 . 2009-03-08 11:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2009-03-08 11:33 . 2009-03-08 11:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2008-05-09 10:53 . 2009-03-08 11:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2009-03-08 11:34 . 2009-03-08 11:34 105984 c:\windows\system32\dllcache\url.dll
+ 2009-01-08 01:20 . 2009-01-08 01:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2009-01-08 01:20 . 2009-01-08 01:20 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-03-08 11:34 . 2009-03-08 11:34 109568 c:\windows\system32\dllcache\occache.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-03-08 11:34 . 2009-03-08 11:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2001-08-18 12:00 . 2009-03-08 11:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2008-05-09 10:53 . 2009-03-08 11:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-03-08 21:09 . 2009-03-08 21:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2009-03-08 11:31 . 2009-03-08 11:31 183808 c:\windows\system32\dllcache\iepeers.dll
+ 2009-03-08 21:09 . 2009-03-08 21:09 391536 c:\windows\system32\dllcache\iedkcs32.dll
+ 2001-08-18 12:00 . 2009-03-08 11:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2009-03-08 11:33 . 2009-03-08 11:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2009-03-08 11:33 . 2009-03-08 11:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-03-08 11:31 . 2009-03-08 11:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2009-03-08 11:31 . 2009-03-08 11:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2009-05-06 03:16 . 2009-05-06 21:26 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2001-08-18 12:00 . 2009-03-08 11:32 128512 c:\windows\system32\advpack.dll
+ 2009-05-05 23:06 . 2007-11-30 12:39 382840 c:\windows\ie8updates\KB968220-IE8\spuninst\updspapi.dll
+ 2009-05-05 23:06 . 2007-11-30 12:39 231288 c:\windows\ie8updates\KB968220-IE8\spuninst\spuninst.exe
+ 2009-05-05 23:05 . 2009-02-20 08:10 666112 c:\windows\ie8\wininet.dll
+ 2009-05-05 23:05 . 2008-04-14 13:42 276480 c:\windows\ie8\webcheck.dll
+ 2009-05-05 23:05 . 2008-04-14 13:42 851968 c:\windows\ie8\vgx.dll
+ 2009-05-05 23:05 . 2008-05-09 10:53 430080 c:\windows\ie8\vbscript.dll
+ 2009-05-05 23:05 . 2009-02-20 08:10 619520 c:\windows\ie8\urlmon.dll
+ 2009-05-05 23:05 . 2009-01-08 01:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2009-05-05 23:05 . 2009-01-08 01:20 231456 c:\windows\ie8\spuninst\spuninst.exe
+ 2009-05-05 23:05 . 2008-04-14 13:42 532480 c:\windows\ie8\mstime.dll
+ 2009-05-05 23:05 . 2008-04-14 13:42 146432 c:\windows\ie8\msrating.dll
+ 2009-05-05 23:05 . 2001-08-18 12:00 146432 c:\windows\ie8\msls31.dll
+ 2009-05-05 23:05 . 2008-04-14 13:42 449024 c:\windows\ie8\mshtmled.dll
+ 2009-05-05 23:05 . 2008-05-09 10:53 512000 c:\windows\ie8\jscript.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 251904 c:\windows\ie8\iepeers.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 323584 c:\windows\ie8\iedkcs32.dll
+ 2009-05-05 23:05 . 2001-08-18 12:00 221184 c:\windows\ie8\ieakui.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 216576 c:\windows\ie8\ieaksie.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 143360 c:\windows\ie8\ieakeng.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 205312 c:\windows\ie8\dxtrans.dll
+ 2009-05-05 23:05 . 2008-04-14 13:41 357888 c:\windows\ie8\dxtmsft.dll
+ 2009-05-06 07:04 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-6-2009\ERDNT.EXE
+ 2009-05-05 23:08 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-5-2009\ERDNT.EXE
+ 2009-05-05 18:17 . 2005-10-20 19:02 163328 c:\windows\ERDNT\5-5-2009\ERDNT.EXE
+ 2009-05-06 03:11 . 2005-10-20 19:02 163328 c:\windows\ERDNT\5-5-2009-take2\ERDNT.EXE
+ 2001-08-18 12:00 . 2009-03-08 11:34 1206784 c:\windows\system32\urlmon.dll
+ 2001-08-18 12:00 . 2009-03-08 11:41 5937152 c:\windows\system32\mshtml.dll
+ 2009-03-08 11:32 . 2009-03-08 11:32 1985024 c:\windows\system32\iertutil.dll
+ 2009-02-07 04:07 . 2009-02-07 04:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2009-03-23 09:50 . 2009-03-08 11:34 1206784 c:\windows\system32\dllcache\urlmon.dll
+ 2009-03-23 09:49 . 2009-03-08 11:41 5937152 c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-08 01:20 . 2009-01-08 01:20 1022976 c:\windows\system32\dllcache\browseui.dll
+ 2009-05-05 23:05 . 2009-02-20 08:11 3068416 c:\windows\ie8\mshtml.dll
+ 2009-05-06 07:04 . 2009-05-06 07:04 7077888 c:\windows\ERDNT\AutoBackup\5-6-2009\Users\00000001\NTUSER.DAT
+ 2009-05-05 23:08 . 2009-05-05 23:08 7045120 c:\windows\ERDNT\AutoBackup\5-5-2009\Users\00000001\NTUSER.DAT
+ 2009-05-05 18:17 . 2009-05-05 18:17 6856704 c:\windows\ERDNT\5-5-2009\Users\00000001\NTUSER.DAT
+ 2009-05-06 03:11 . 2009-05-06 03:11 7065600 c:\windows\ERDNT\5-5-2009-take2\Users\00000001\NTUSER.DAT
+ 2009-05-02 06:36 . 2009-05-06 19:20 12068477 c:\windows\system32\ZoneLabs\spyware.dat
+ 2009-05-05 23:01 . 2009-04-06 14:57 24921544 c:\windows\system32\MRT.exe
+ 2009-03-08 11:39 . 2009-03-08 11:39 11063808 c:\windows\system32\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-02-21 4333568]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"prnet"="c:\windows\system32\prnet.tmp" [BU]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2009-03-23 146432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 255528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2004-04-02 148480]
"CookiePatrol"="c:\progra~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 73728]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-04-01 982408]
"prnet"="c:\windows\system32\prnet.tmp" [BU]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2007-2-12 2516584]
ERUNT AutoBackup.lnk - c:\documents and settings\Admin\Desktop\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-1-14 525664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=

R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
S2 gupdate1c9b75b699d4ed6;Google Update Service (gupdate1c9b75b699d4ed6);c:\program files\Google\Update\GoogleUpdate.exe [4/7/2009 1:32 AM 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3de5fb8-179e-11de-801c-0008a10b2147}]
\Shell\AutoRun\command - H:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3de5fb9-179e-11de-801c-0008a10b2147}]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 08:32]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-A00FEBDBE.exe - c:\windows\TEMP\_A00FEBDBE.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
Notify-__c005D10 - c:\windows\system32\__c005D10.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: antimalwareguard.com
Trusted Zone: aol.com\free
Trusted Zone: antimalwareguard.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 15:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1960)
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-05-06 15:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 22:10
ComboFix2.txt 2009-05-02 22:25
ComboFix3.txt 2009-05-02 04:45

Pre-Run: 32,851,243,008 bytes free
Post-Run: 33,197,936,640 bytes free

459 --- E O F --- 2009-04-28 21:56



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:43 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\Nuance\NATURA~1\Program\natspeak.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\Ed\Desktop\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\Ed\Desktop\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\Ed\Desktop\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237794374732
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Update Service (gupdate1c9b75b699d4ed6) (gupdate1c9b75b699d4ed6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7683 bytes

 

[pskelley]

Before we start, please view this information:
http://forums.spybot.info/showthread.php?t=282 <<< read this information

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

If you continue, p2p programs will be removed.
c:\documents and settings\Admin\Application Data\Azureus
c:\program files\Vuze

Please continue carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\prnet.tmp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3de5fb8-179e-11de-801c-0008a10b2147}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3de5fb9-179e-11de-801c-0008a10b2147}]

Folder::
c:\documents and settings\Admin\Application Data\Azureus
c:\program files\Vuze

Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks

 

[Demetrius]

Find the 3 logs below. Re: performance, at least there are no more popups and redirects now. Please tell me if I should reinstate TeaTimer.Thanks for helping!

ComboFix 09-05-06.02 - Admin 05/06/2009 16:06.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.479 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\prnet.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Vuze
c:\program files\Vuze\.install4j\_shfoldr.dll
c:\program files\Vuze\.install4j\autoUninstall.0
c:\program files\Vuze\.install4j\files.log
c:\program files\Vuze\.install4j\i4j_extf_0_5p83tu.utf8
c:\program files\Vuze\.install4j\i4j_extf_1_5p83tu_1q2vg51.png
c:\program files\Vuze\.install4j\i4j_extf_10_5p83tu_15u5iv8.png
c:\program files\Vuze\.install4j\i4j_extf_11_5p83tu_1hztszn.png
c:\program files\Vuze\.install4j\i4j_extf_12_5p83tu.exe
c:\program files\Vuze\.install4j\i4j_extf_13_5p83tu_z1x7tn.png
c:\program files\Vuze\.install4j\i4j_extf_2_5p83tu_1rjd818.png
c:\program files\Vuze\.install4j\i4j_extf_3_5p83tu_qin5kk.png
c:\program files\Vuze\.install4j\i4j_extf_4_5p83tu_xza4ha.png
c:\program files\Vuze\.install4j\i4j_extf_5_5p83tu_19c5po3.png
c:\program files\Vuze\.install4j\i4j_extf_6_5p83tu_bm8amj.ico
c:\program files\Vuze\.install4j\i4j_extf_7_5p83tu.exe
c:\program files\Vuze\.install4j\i4j_extf_8_5p83tu.dll
c:\program files\Vuze\.install4j\i4j_extf_9_5p83tu.xpi
c:\program files\Vuze\.install4j\i4jdel.exe
c:\program files\Vuze\.install4j\i4jinst.dll
c:\program files\Vuze\.install4j\i4jparams.conf
c:\program files\Vuze\.install4j\i4jruntime.jar
c:\program files\Vuze\.install4j\inst_jre.cfg
c:\program files\Vuze\.install4j\install.prop
c:\program files\Vuze\.install4j\installation.log
c:\program files\Vuze\.install4j\MessagesDefault
c:\program files\Vuze\.install4j\pref_jre.cfg
c:\program files\Vuze\.install4j\response.varfile
c:\program files\Vuze\.install4j\unicows.dll
c:\program files\Vuze\.install4j\user.jar
c:\program files\Vuze\aereg.dll
c:\program files\Vuze\Azureus.exe
c:\program files\Vuze\Azureus.exe.manifest
c:\program files\Vuze\Azureus.properties
c:\program files\Vuze\Azureus2.jar
c:\program files\Vuze\AzureusUpdater.exe
c:\program files\Vuze\GPL.txt
c:\program files\Vuze\installer.log
c:\program files\Vuze\msvcr71.dll
c:\program files\Vuze\plugins\azemp\azemp_2.1.02.jar
c:\program files\Vuze\plugins\azemp\azmplay.exe
c:\program files\Vuze\plugins\azemp\azureus.sig
c:\program files\Vuze\plugins\azemp\cp1250-a.raw
c:\program files\Vuze\plugins\azemp\cp1250-b.raw
c:\program files\Vuze\plugins\azemp\font.desc
c:\program files\Vuze\plugins\azemp\mplayer\config
c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw
c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw
c:\program files\Vuze\plugins\azemp\plugin.properties
c:\program files\Vuze\plugins\azplugins\azplugins_2.1.6.jar
c:\program files\Vuze\plugins\azrating\azrating_1.3.1.jar
c:\program files\Vuze\plugins\azupdater\azupdaterpatcher_1.8.8.jar
c:\program files\Vuze\plugins\azupdater\azureus.sig
c:\program files\Vuze\plugins\azupdater\plugin.properties
c:\program files\Vuze\plugins\azupdater\Updater.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.jar
c:\program files\Vuze\plugins\azupnpav\azureus.sig
c:\program files\Vuze\plugins\azupnpav\plugin.properties
c:\program files\Vuze\swt.jar
c:\program files\Vuze\uninstall.exe
c:\program files\Vuze\Vuze.ico

.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-06 21:52 . 2009-05-06 23:09 4644896 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-06 21:43 . 2009-05-06 21:43 -------- d-----w c:\program files\Trend Micro
2009-05-06 21:27 . 2009-05-06 21:42 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-06 05:31 . 2009-05-06 05:31 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-06 03:16 . 2009-05-06 03:16 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-05 23:12 . 2009-05-05 23:12 -------- d-sh--w c:\documents and settings\Admin\PrivacIE
2009-05-05 23:07 . 2009-05-05 23:07 -------- d-sh--w c:\documents and settings\Admin\IETldCache
2009-05-05 23:06 . 2009-05-05 23:06 -------- d-----w c:\windows\ie8updates
2009-05-05 23:06 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-05 23:04 . 2009-05-05 23:05 -------- dc-h--w c:\windows\ie8
2009-05-05 22:41 . 2009-05-05 22:41 -------- d-----w c:\documents and settings\Admin\AbiSuite
2009-05-05 22:40 . 2009-05-05 22:40 -------- d-----w c:\program files\AbiSuite2
2009-05-04 07:06 . 2009-05-04 07:06 -------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-05-04 07:06 . 2009-05-05 04:25 -------- d-----w c:\documents and settings\Admin\Application Data\Azureus
2009-05-04 07:04 . 2009-05-04 07:04 -------- d-----w c:\program files\Common Files\i4j_jres
2009-05-03 21:24 . 2009-05-03 21:24 -------- d-----w C:\My Music
2009-05-02 06:59 . 2009-05-02 07:11 -------- d-----w c:\documents and settings\Admin\Application Data\MailFrontier
2009-05-02 01:38 . 2009-05-02 01:41 -------- d-----w c:\program files\Picture Resize Genius
2009-05-01 23:51 . 2009-05-01 23:51 -------- d-----w C:\favorites temp repository
2009-05-01 23:08 . 2009-05-02 21:22 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-01 23:08 . 2009-05-02 05:06 -------- d-----w c:\program files\SpywareBlaster
2009-05-01 05:47 . 2009-05-01 05:47 33174920 ----a-w c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:11 . 2009-04-01 02:20 72584 ----a-w c:\windows\zllsputility.exe
2009-05-01 05:10 . 2009-05-01 05:10 37014408 ----a-w c:\program files\zaAvSetup_80_298_035_en.exe
2009-04-25 08:05 . 1998-10-29 23:45 306688 ----a-w c:\windows\IsUninst.exe
2009-04-25 08:02 . 2002-01-11 02:02 13780 ----a-w c:\windows\system32\drivers\pfc.sys
2009-04-25 08:02 . 2009-04-25 08:02 -------- d-----w c:\program files\Pinnacle
2009-04-21 11:54 . 2009-04-21 11:54 -------- d-----r C:\New Briefcase
2009-04-20 06:16 . 2009-05-06 22:07 -------- d-----w c:\program files\PestPatrol
2009-04-20 06:11 . 2009-04-01 02:20 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-18 05:14 . 2009-05-03 01:35 -------- d-----w c:\documents and settings\Admin\Application Data\Move Networks
2009-04-16 11:11 . 2009-04-16 11:11 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\PCHealth
2009-04-16 10:34 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 10:34 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 10:34 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 10:34 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 10:34 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 10:34 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 10:34 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 10:34 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 10:34 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 10:33 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 10:33 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 21:00 . 2009-04-07 21:00 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-07 08:51 . 2009-04-07 08:51 -------- d-----w c:\documents and settings\Admin\Application Data\DivX
2009-04-07 08:32 . 2009-04-07 08:32 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-07 08:32 . 2009-04-25 05:11 -------- d-----w c:\program files\DivX
2009-04-07 08:32 . 2009-04-07 08:53 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\Google
2009-04-07 08:32 . 2009-04-07 08:33 -------- d-----w c:\program files\Google
2009-04-07 08:32 . 2009-04-07 08:32 -------- d-----w c:\program files\Common Files\DivX Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 22:05 . 2009-05-06 21:52 19820 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-06 20:30 . 2009-03-23 11:36 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-05 23:41 . 2009-03-28 06:22 1555 ----a-w c:\documents and settings\Admin\Application Data\SAS7_000.DAT
2009-05-02 19:43 . 2009-05-02 19:46 2021888 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-05-02 19:43 . 2009-05-02 19:46 1204736 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-05-02 07:08 . 2009-03-23 07:27 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-25 08:01 . 2009-03-24 00:02 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-15 05:39 . 2009-03-29 13:11 62856 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 22:33 . 2009-03-24 00:17 2828 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-04-14 22:28 . 2009-03-24 00:17 88 --sh--r c:\documents and settings\All Users\Application Data\0AD8011988.sys
2009-04-05 05:26 . 2009-04-05 05:26 -------- d-----w c:\program files\VideoLAN
2009-04-04 23:43 . 2009-03-23 08:16 62856 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 01:31 . 2009-03-25 08:58 -------- d-----w c:\program files\Common Files\Adobe
2009-04-04 01:30 . 2009-04-04 01:30 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-04-02 00:39 . 2009-04-02 00:39 51893 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_01_16_31_21_small.dmp.zip
2009-04-02 00:39 . 2009-04-02 00:39 51164 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_01_16_31_22_small.dmp.zip
2009-04-02 00:39 . 2009-04-02 00:39 51471 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_01_16_31_19_small.dmp.zip
2009-04-01 08:17 . 2009-04-01 08:17 -------- d-----w c:\program files\Microsoft
2009-04-01 08:17 . 2009-04-01 08:16 -------- d-----w c:\program files\Windows Live
2009-04-01 08:16 . 2009-04-01 08:16 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-01 08:13 . 2009-04-01 08:13 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-31 06:57 . 2009-03-23 09:43 96 ----a-w c:\windows\system32\pdfl.dat
2009-03-31 00:51 . 2009-03-31 00:50 29257735 ----a-w c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_03_30_15_21_27_full.dmp.zip
2009-03-31 00:50 . 2009-03-31 00:50 173509 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_30_15_21_25_small.dmp.zip
2009-03-30 03:39 . 2009-03-30 03:37 29307505 ----a-w c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_03_29_06_00_57_full.dmp.zip
2009-03-30 03:37 . 2009-03-30 03:37 167861 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_29_06_00_55_small.dmp.zip
2009-03-29 13:02 . 2009-03-25 03:42 -------- d-----w c:\program files\QuickTime
2009-03-28 05:59 . 2009-03-28 05:59 -------- d-----w c:\program files\Common Files\ScanSoft Shared
2009-03-28 05:59 . 2009-03-28 05:59 -------- d-----w c:\program files\Common Files\Nuance
2009-03-28 05:59 . 2009-03-23 23:51 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-28 05:58 . 2009-03-28 05:58 -------- d-----w c:\program files\Nuance
2009-03-28 03:03 . 2009-03-28 03:03 -------- d-----w c:\program files\Apple Software Update
2009-03-28 01:54 . 2009-03-28 01:53 -------- d-----w c:\program files\ImgBurn
2009-03-26 21:55 . 2009-03-26 21:54 25887309 ----a-w c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_03_26_01_48_58_full.dmp.zip
2009-03-26 21:54 . 2009-03-26 21:54 150676 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_26_01_48_56_small.dmp.zip
2009-03-25 09:51 . 2009-03-25 09:51 -------- d-----w c:\program files\CD-LabelPrint
2009-03-25 09:01 . 2009-03-25 09:01 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-24 05:01 . 2009-03-24 05:01 -------- d-----w c:\program files\MSXML 4.0
2009-03-24 00:16 . 2009-03-24 00:16 -------- d-----w c:\program files\InterVideo
2009-03-24 00:16 . 2009-03-24 00:16 -------- d-----w c:\program files\Common Files\InterVideo
2009-03-24 00:16 . 2009-03-24 00:16 -------- d-----w c:\program files\Common Files\Protexis
2009-03-24 00:15 . 2009-03-24 00:15 -------- d-----w c:\program files\Corel
2009-03-23 23:21 . 2009-03-23 23:16 -------- d-----w c:\program files\LeechFTP
2009-03-23 22:16 . 2009-03-23 21:58 -------- d-----w c:\program files\Rainlendar2
2009-03-23 22:05 . 2009-03-23 22:05 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-23 21:57 . 2009-03-23 21:57 -------- d-----w c:\program files\Common Files\xing shared
2009-03-23 21:57 . 2009-03-23 21:57 -------- d-----w c:\program files\aod
2009-03-23 21:57 . 2009-03-23 21:57 -------- d-----w c:\program files\Common Files\Real
2009-03-23 21:57 . 2009-03-23 21:57 -------- d-----w c:\program files\Real
2009-03-23 21:50 . 2009-03-23 21:50 -------- d--h--w c:\program files\CanonBJ
2009-03-23 20:57 . 2009-03-23 20:57 -------- d-----w c:\program files\SonicWallES
2009-03-23 19:15 . 2009-03-23 19:15 118386 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_23_03_59_44_small.dmp.zip
2009-03-23 11:38 . 2009-03-23 11:38 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-23 11:38 . 2009-03-23 11:38 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-23 11:38 . 2009-03-23 11:38 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-23 11:38 . 2009-03-23 11:38 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-23 09:43 . 2009-03-23 09:43 80 ----a-w c:\windows\system32\ibfl.dat
2009-03-23 09:43 . 2009-03-23 09:43 144 ----a-w c:\windows\system32\lkfl.dat
2009-03-23 09:43 . 2009-03-23 09:43 -------- d-----w c:\program files\CheckPoint
2009-03-23 09:32 . 2009-03-23 07:11 77423 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-03-23 07:26 . 2009-03-23 07:26 -------- d-----w c:\program files\Zone Labs
2009-03-23 07:18 . 2009-03-23 07:18 2232 ----a-w c:\windows\java\Packages\Data\9JTJTZJN.DAT
2009-03-23 07:18 . 2009-03-23 07:18 155995 ----a-w c:\windows\java\Packages\DNXF1ZT7.ZIP
2009-03-23 07:18 . 2009-03-23 07:18 2678 ----a-w c:\windows\java\Packages\Data\0EZJJFJ1.DAT
2009-03-23 07:18 . 2009-03-23 07:18 2678 ----a-w c:\windows\java\Packages\Data\3P7BB9ZL.DAT
2009-03-23 07:18 . 2009-03-23 07:18 2678 ----a-w c:\windows\java\Packages\Data\U422HNBT.DAT
2009-03-23 07:18 . 2009-03-23 07:18 2678 ----a-w c:\windows\java\Packages\Data\O60Y6I2I.DAT
2009-03-23 07:18 . 2009-03-23 07:18 2678 ----a-w c:\windows\java\Packages\Data\AKJTVR53.DAT
2009-03-23 07:13 . 2009-03-23 07:13 -------- d-----w c:\program files\microsoft frontpage
2009-03-23 07:11 . 2001-08-18 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-23 07:09 . 2009-03-23 07:09 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-16 22:18 . 2009-03-26 02:15 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 22:18 . 2009-03-26 02:15 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 22:18 . 2009-03-26 02:15 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 22:18 . 2009-03-26 02:15 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 23:27 . 2009-03-26 02:15 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 23:27 . 2009-03-26 02:15 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 23:27 . 2009-03-26 02:15 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-08 11:34 . 2001-08-18 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2001-08-18 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2001-08-18 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2001-08-18 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2001-08-18 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2001-08-18 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2001-08-18 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2001-08-18 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2001-08-18 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2001-08-18 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-02 18:26 . 2009-02-02 18:26 48640 --sha-w c:\windows\system32\kogonubo.dll.vir
.

((((((((((((((((((((((((((((( SnapShot_2009-05-06_22.08.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-18 12:00 . 2009-05-06 22:00 40196 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2009-05-06 22:10 40196 c:\windows\system32\perfc009.dat
+ 2009-05-02 06:59 . 2009-05-06 23:05 250828 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2001-08-18 12:00 . 2009-05-06 22:10 311934 c:\windows\system32\perfh009.dat
- 2001-08-18 12:00 . 2009-05-06 22:00 311934 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-02-21 4333568]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"prnet"="c:\windows\system32\prnet.tmp" [BU]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2009-03-23 146432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 255528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2004-04-02 148480]
"CookiePatrol"="c:\progra~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 73728]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-04-01 982408]
"prnet"="c:\windows\system32\prnet.tmp" [BU]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2007-2-12 2516584]
ERUNT AutoBackup.lnk - c:\documents and settings\Admin\Desktop\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-1-14 525664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=

R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
S2 gupdate1c9b75b699d4ed6;Google Update Service (gupdate1c9b75b699d4ed6);c:\program files\Google\Update\GoogleUpdate.exe [4/7/2009 1:32 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 08:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: antimalwareguard.com
Trusted Zone: aol.com\free
Trusted Zone: antimalwareguard.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-06 16:11
ComboFix-quarantined-files.txt 2009-05-06 23:11
ComboFix2.txt 2009-05-06 22:10
ComboFix3.txt 2009-05-02 22:25
ComboFix4.txt 2009-05-02 04:45

Pre-Run: 33,143,799,808 bytes free
Post-Run: 33,131,745,280 bytes free

333 --- E O F --- 2009-04-28 21:56


Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 3

5/6/2009 5:16:37 PM
mbam-log-2009-05-06 (17-16-37).txt

Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 128797
Time elapsed: 51 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Admin\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Admin\Start Menu\Programs\Startup\ChkDisk.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ak1.exe.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthgommeqirqpsoyjvnlucyslmpljvqwjrm.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthsrvmxehjdshmwsqvsjfevveyoojnqxof.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthswmdrudtstuckamlbkvytimnujeopspj.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthswmdrudtstuckamlbkvytimnujeopspj.dll_old.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\prnet.tmp.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yhs783ijfo3fe.dll.vir (Roorkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthcnelqywrxggryaypwyoydjbpxeddcbiw.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{251EE66D-6824-4A01-AAB1-8D1DD2211E35}\RP55\A0021487.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{251EE66D-6824-4A01-AAB1-8D1DD2211E35}\RP55\A0021488.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{251EE66D-6824-4A01-AAB1-8D1DD2211E35}\RP55\A0021489.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{251EE66D-6824-4A01-AAB1-8D1DD2211E35}\RP55\A0021490.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{251EE66D-6824-4A01-AAB1-8D1DD2211E35}\RP55\A0021587.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{251EE66D-6824-4A01-AAB1-8D1DD2211E35}\RP55\A0021590.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{251EE66D-6824-4A01-AAB1-8D1DD2211E35}\RP55\A0021593.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{251EE66D-6824-4A01-AAB1-8D1DD2211E35}\RP55\A0021594.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{251EE66D-6824-4A01-AAB1-8D1DD2211E35}\RP55\A0021596.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kogonubo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:17 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ZoneLabs\UpdClient.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\Admin\Desktop\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\Admin\Desktop\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\Admin\Desktop\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237794374732
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Update Service (gupdate1c9b75b699d4ed6) (gupdate1c9b75b699d4ed6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7463 bytes

 

[pskelley]

Thanks for the feedback, everything looks good from here. Let's see if we can wrap up like this.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)

Update ZoneAlarm Security Suite Antivirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact ZA tech support for instructions.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx

 

[Demetrius]

I will do all of that and report back, but I have a quick question first: why is my computer still so slow? There are no redirects now, but when I click on the Internet Explorer of Google Chrome icon, it takes about 5-10 seconds for the window to open up! This is definitely not normal. What do you think?

 

[pskelley]

Internet Explorer of Google Chrome icon

I am not really understanding what you are talking about here? Internet Explorer and Google Chrome are two different browsers and I do not use Google Chrome and can't tell you anything yet about it. Do you know if your computer slowed when you installed Chrome? If so, try uninstalling it and see what happens.

For Internet Explorer, look at this information:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx

What to do if your Computer's running slowly
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx

 

[Demetrius]

Oops - a typo - my mistake: I meant Internet Explorer OR Google Chrome.

The slowness started with the hideous infection. Maybe the registry is full of rubbish? This territory is way too advanced for me, I'm just speculating.

 

[pskelley]

This tool will clean the registry, make sure you back up the registry BEFORE using the registry cleaner.

CCleaner v2.19.901 - Slim
- No Toolbar

http://www.ccleaner.com/download/builds

http://www.techsupportteam.org/forum/tutorials/1149-ccleaner-quick-start-guide.html

 

[Demetrius]

Did everything you suggested. Clean bill of health from MBAM.

Thanks for helping!

 

[pskelley]

Thanks for taking the time to let me know:bigthumb: safe surfing.