zlob trojan help

[johnnyringo]

I belive that I clicked on the wrong thing at the wrong time and now have a zlob trojan. I thought it was from a trusted source but obviously, I'm stupid. So far I have run Mcafee scan with limited results. I also attemted to run trend micro housecall multiple times. It found multiple problems then closed without doing anything. Please help.

 

[katana]

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

1. Please Read All Instructions Carefully
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you
4. Please continue to respond until I give you the "All Clear"
   (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------



Download and Run RSIT

• Please download Random's System Information Tool by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open:
  • log.txt will be opened maximized.
  • info.txt will be opened minimized.
• Please post the contents of both log.txt and info.txt.

 

[johnnyringo]

log and info

Hello Katana, thank you for attempting to help me. Below are the log.txt and info.txt.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2008-12-21 11:55:58
Microsoft Windows XP Professional Service Pack 3
System drive C: has 20 GB (51%) free of 38 GB
Total RAM: 1023 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:26 AM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mainstreet.bsbdesign.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {3a44692d-8b37-4b77-bb53-5d1d27c354cf} - C:\WINDOWS\system32\zisowume.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {ac9e97bf-69ae-0e7a-7884-1f1cf28c17e8} - {8e71c82f-c1f1-4887-a7e0-ea96fb79e9ca} - C:\WINDOWS\system32\ymoyrd.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E30902D2-EFCC-4370-A0DC-54AA135CEF7F} - C:\WINDOWS\system32\urqPIxvT.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [nunoketaya] Rundll32.exe "C:\WINDOWS\system32\yayebare.dll",s
O4 - HKLM\..\Run: [246c6371] rundll32.exe "C:\WINDOWS\system32\beloniwa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mainstreet.bsbdesign.com
O15 - ESC Trusted Zone: http://www.activedir.org (HKLM)
O15 - ESC Trusted Zone: http://www.msfn.org (HKLM)
O15 - ESC Trusted Zone: http://sea.search.msn.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/dl/Comcast Activation Controls.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\lufositi.dll ymoyrd.dll
O20 - Winlogon Notify: rqRIyVpo - rqRIyVpo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7798 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\kcvymjkg.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-11-07 1088296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a44692d-8b37-4b77-bb53-5d1d27c354cf}]
C:\WINDOWS\system32\zisowume.dll [2008-09-16 68401]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-19 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8e71c82f-c1f1-4887-a7e0-ea96fb79e9ca}]
C:\WINDOWS\system32\ymoyrd.dll [2008-12-20 129024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-19 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E30902D2-EFCC-4370-A0DC-54AA135CEF7F}]
C:\WINDOWS\system32\urqPIxvT.dll [2008-12-07 302592]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2004-08-02 4493312]
"ddoctorv2"=C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe [2008-04-24 202560]
""= []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-19 136600]
"PAC7302_Monitor"=C:\WINDOWS\PixArt\PAC7302\Monitor.exe [2006-11-03 319488]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-11-01 582992]
"nunoketaya"=C:\WINDOWS\system32\yayebare.dll []
"246c6371"=C:\WINDOWS\system32\beloniwa.dll [2008-12-21 87174]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-10-31 50480]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe [2008-10-31 50480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe [2008-04-24 202560]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-02-19 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe [2004-08-06 139320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe [2004-11-10 1126400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2004-08-02 4493312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE /STANDALONE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=",C:\WINDOWS\system32\lufositi.dll ymoyrd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqRIyVpo]
rqRIyVpo.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\urqPIxvT
"notification packages"=scecli
C:\WINDOWS\system32\lufositi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Microsoft Games\Age of Empires II\EMPIRES2.ICD"="C:\Program Files\Microsoft Games\Age of Empires II\EMPIRES2.ICD:*:Enabled:Age of Empires II"
"C:\Program Files\SecondLife\SLVoice.exe"="C:\Program Files\SecondLife\SLVoice.exe:*:Enabled:SLVoice"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\AIM6\aolsoftware.exe"="C:\Program Files\AIM6\aolsoftware.exe:*:Enabled:aolsoftware"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\McAfee\MPF\MpfSrv.exe"="C:\Program Files\McAfee\MPF\MpfSrv.exe:*:Enabled:MPFSrv"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:OUTLOOK"
"C:\Program Files\McAfee.com\Agent\mcagent.exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe:*:Enabled:mcagent"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ead7c4c-e2b9-11db-967e-806d6172696f}]
shell\AutoRun\command - D:\aoesetup.exe /autorun
shell\directx\command - D:\DirectX\dxsetup.exe
shell\dplay\command - D:\DirectX\dplay61a.exe
shell\dxdiag\command - D:\goodies\ar40eng.exe
shell\dxinfo\command - D:\goodies\DirectX\dxinfo.exe
shell\dxtest\command - D:\DirectX\dxdiag.exe
shell\dxtool\command - D:\goodies\DirectX\dxtool.exe
shell\log\command - D:\goodies\machine\machine.exe -l
shell\machine\command - D:\goodies\machine\machine.exe
shell\setup\command - D:\aoesetup.exe /autorun
shell\zone\command - D:\goodies\mszone\zoneA600.exe


======List of files/folders created in the last 1 months======

2008-12-21 11:56:00 ----D---- C:\Program Files\trend micro
2008-12-21 11:55:58 ----D---- C:\rsit
2008-12-21 10:04:10 ----SH---- C:\WINDOWS\system32\awinoleb.ini
2008-12-20 22:04:00 ----SH---- C:\WINDOWS\system32\edomujam.ini
2008-12-20 13:19:20 ----D---- C:\Documents and Settings\Administrator\Application Data\skypePM
2008-12-20 13:17:22 ----D---- C:\Documents and Settings\Administrator\Application Data\Skype
2008-12-20 13:16:36 ----D---- C:\Program Files\Skype
2008-12-20 13:16:35 ----D---- C:\Program Files\Common Files\Skype
2008-12-20 13:16:18 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2008-12-20 12:23:40 ----SH---- C:\WINDOWS\system32\rxavayhn.ini
2008-12-20 12:23:38 ----N---- C:\WINDOWS\system32\nhyavaxr.dll
2008-12-20 12:17:40 ----A---- C:\WINDOWS\system32\ymoyrd.dll
2008-12-20 12:17:38 ----A---- C:\WINDOWS\system32\tdaewxcl.dll
2008-12-20 10:04:00 ----SH---- C:\WINDOWS\system32\odofafet.ini
2008-12-19 22:04:03 ----SH---- C:\WINDOWS\system32\imetifoz.ini
2008-12-19 13:38:44 ----A---- C:\WINDOWS\system32\sxrgny.dll
2008-12-19 13:38:44 ----A---- C:\WINDOWS\system32\hyuwymdb.dll
2008-12-19 13:36:56 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-19 13:36:55 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-19 13:36:55 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-19 13:36:55 ----A---- C:\WINDOWS\system32\java.exe
2008-12-19 13:35:56 ----SH---- C:\WINDOWS\system32\grfuldga.ini
2008-12-19 12:14:37 ----ASH---- C:\WINDOWS\system32\TvxIPqru.ini2
2008-12-19 12:14:37 ----ASH---- C:\WINDOWS\system32\TvxIPqru.ini
2008-12-19 10:07:00 ----SH---- C:\WINDOWS\system32\ajodakez.ini
2008-12-18 19:11:39 ----A---- C:\WINDOWS\wininit.ini
2008-12-18 16:44:33 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-18 16:44:33 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-18 13:39:44 ----A---- C:\WINDOWS\system32\nbvmac.dll
2008-12-18 13:39:43 ----A---- C:\WINDOWS\system32\mpjvqtba.dll
2008-12-17 13:33:44 ----A---- C:\WINDOWS\system32\gcsqrr.dll
2008-12-17 13:33:43 ----A---- C:\WINDOWS\system32\uhsshpwm.dll
2008-12-17 13:29:28 ----N---- C:\WINDOWS\system32\rljsolid.dll
2008-12-14 10:20:54 ----D---- C:\Documents and Settings\Administrator\Application Data\Help
2008-12-14 09:31:50 ----A---- C:\WINDOWS\system32\dgtshvsq.dll
2008-12-12 09:33:14 ----A---- C:\WINDOWS\system32\zxrmcm.dll
2008-12-12 09:33:13 ----A---- C:\WINDOWS\system32\fqeqhlrc.dll
2008-12-12 09:30:13 ----N---- C:\WINDOWS\system32\gepfemya.dll
2008-12-09 12:25:04 ----A---- C:\WINDOWS\system32\dunzip32.dll
2008-12-08 18:24:53 ----SHD---- C:\WINDOWS\QlNCIERlc2lnbg
2008-12-08 18:19:52 ----D---- C:\Documents and Settings\Administrator\Application Data\SpeedRunner
2008-12-08 18:14:45 ----D---- C:\Documents and Settings\Administrator\Application Data\Twain
2008-12-08 18:09:59 ----D---- C:\Program Files\Webtools
2008-12-07 18:03:41 ----A---- C:\WINDOWS\system32\2f4fa70f-.txt
2008-12-07 18:03:14 ----A---- C:\WINDOWS\system32\urqPIxvT.dll
2008-12-05 10:43:18 ----D---- C:\Documents and Settings\All Users\Application Data\Network Associates
2008-12-05 10:43:09 ----D---- C:\Program Files\Network Associates
2008-12-04 12:03:17 ----A---- C:\WINDOWS\system32\tmp.txt
2008-12-04 12:03:08 ----A---- C:\rapport.txt
2008-12-04 12:01:37 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-03 10:54:14 ----D---- C:\Program Files\McAfee.com
2008-12-03 10:54:06 ----D---- C:\Program Files\Common Files\McAfee
2008-12-03 10:53:51 ----D---- C:\Program Files\McAfee
2008-12-03 10:42:24 ----SHD---- C:\Config.Msi
2008-12-03 10:34:11 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2008-12-03 10:27:43 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-12-03 10:27:26 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-12-03 08:39:11 ----D---- C:\Documents and Settings\All Users\Application Data\acccore
2008-12-03 08:38:06 ----D---- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-12-02 17:44:40 ----A---- C:\WINDOWS\system32\wmpns.dll
2008-12-02 17:42:50 ----D---- C:\WINDOWS\Prefetch
2008-12-02 17:12:47 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-12-02 17:12:38 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-12-02 17:12:30 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-12-02 17:12:19 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-12-02 17:12:10 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-02 17:11:57 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2008-12-02 17:11:48 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-12-02 17:11:39 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-12-02 17:11:27 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
2008-12-02 17:11:18 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-12-02 17:11:09 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-12-02 17:10:59 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-12-02 17:10:51 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-12-02 17:10:43 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-02 17:10:35 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-12-02 17:10:24 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-12-02 17:10:15 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-12-02 17:10:07 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-12-02 17:09:56 ----HDC---- C:\WINDOWS\$NtUninstallKB950759$
2008-12-02 17:09:46 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-12-02 17:09:38 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-12-02 17:04:31 ----D---- C:\WINDOWS\system32\en-us
2008-12-02 17:04:29 ----D---- C:\WINDOWS\system32\scripting
2008-12-02 17:04:28 ----D---- C:\WINDOWS\l2schemas
2008-12-02 17:04:27 ----D---- C:\WINDOWS\system32\en
2008-12-02 17:04:27 ----D---- C:\WINDOWS\system32\bits
2008-12-02 17:00:03 ----D---- C:\WINDOWS\ServicePackFiles
2008-12-02 16:56:39 ----D---- C:\WINDOWS\network diagnostic
2008-12-02 16:47:51 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$

======List of files/folders modified in the last 1 months======

2008-12-21 11:56:25 ----D---- C:\WINDOWS\Temp
2008-12-21 11:56:00 ----RD---- C:\Program Files
2008-12-21 11:29:27 ----D---- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-12-21 10:04:20 ----D---- C:\WINDOWS\system32
2008-12-21 10:04:07 ----ASH---- C:\WINDOWS\system32\beloniwa.dll
2008-12-20 22:03:49 ----N---- C:\WINDOWS\system32\majumode.dll
2008-12-20 13:17:09 ----SHD---- C:\WINDOWS\Installer
2008-12-20 13:16:35 ----D---- C:\Program Files\Common Files
2008-12-20 12:21:59 ----A---- C:\AILog.txt
2008-12-20 10:03:27 ----N---- C:\WINDOWS\system32\tefafodo.dll
2008-12-19 22:03:07 ----N---- C:\WINDOWS\system32\zofitemi.dll
2008-12-19 16:55:05 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-12-19 13:35:43 ----D---- C:\Program Files\Java
2008-12-19 12:15:41 ----A---- C:\WINDOWS\SMSCFG.ini
2008-12-19 12:13:18 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-19 11:19:19 ----SHD---- C:\WINDOWS\CSC
2008-12-18 19:11:39 ----D---- C:\WINDOWS
2008-12-18 19:11:05 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-18 15:14:42 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-18 10:03:05 ----N---- C:\WINDOWS\system32\bawifiya.dll
2008-12-17 15:15:31 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-12-16 10:01:08 ----ASH---- C:\WINDOWS\system32\hafarire.dll
2008-12-15 22:00:57 ----ASH---- C:\WINDOWS\system32\bupupisa.dll
2008-12-14 10:20:54 ----D---- C:\WINDOWS\Help
2008-12-11 09:58:02 ----ASH---- C:\WINDOWS\system32\pedabara.dll
2008-12-10 20:57:36 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-10 15:57:36 ----ASH---- C:\WINDOWS\system32\majudohi.dll
2008-12-10 13:28:16 ----A---- C:\WINDOWS\IE4 Error Log.txt
2008-12-09 13:38:26 ----D---- C:\WINDOWS\system32\drivers
2008-12-09 12:25:45 ----HD---- C:\WINDOWS\inf
2008-12-09 11:47:42 ----D---- C:\Program Files\Internet Explorer
2008-12-07 17:58:14 ----SD---- C:\WINDOWS\Tasks
2008-12-06 03:00:54 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-06 03:00:48 ----A---- C:\WINDOWS\imsins.BAK
2008-12-05 10:47:51 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-05 10:45:41 ----D---- C:\WINDOWS\system32\config
2008-12-05 10:44:51 ----D---- C:\WINDOWS\system32\wbem
2008-12-05 10:44:48 ----D---- C:\WINDOWS\Registration
2008-12-05 10:44:17 ----D---- C:\Program Files\Common Files\Adobe
2008-12-04 12:55:37 ----N---- C:\WINDOWS\system.ini
2008-12-04 12:55:37 ----A---- C:\WINDOWS\win.ini
2008-12-03 10:21:11 ----D---- C:\Program Files\Adobe
2008-12-03 10:21:11 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-12-03 09:08:29 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-03 08:39:38 ----D---- C:\Program Files\AIM6
2008-12-03 08:39:13 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-12-02 17:45:51 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-02 17:45:15 ----A---- C:\WINDOWS\OEWABLog.txt
2008-12-02 17:43:06 ----A---- C:\WINDOWS\setuplog.txt
2008-12-02 17:42:26 ----D---- C:\WINDOWS\system32\Setup
2008-12-02 17:42:26 ----D---- C:\WINDOWS\AppPatch
2008-12-02 17:42:24 ----RSD---- C:\WINDOWS\Fonts
2008-12-02 17:09:48 ----D---- C:\Program Files\Messenger
2008-12-02 17:09:20 ----D---- C:\WINDOWS\security
2008-12-02 17:05:23 ----D---- C:\WINDOWS\WinSxS
2008-12-02 17:04:55 ----D---- C:\WINDOWS\system32\inetsrv
2008-12-02 17:04:54 ----D---- C:\WINDOWS\ime
2008-12-02 17:04:31 ----D---- C:\WINDOWS\system32\usmt
2008-12-02 17:04:27 ----D---- C:\WINDOWS\PeerNet
2008-12-02 17:04:26 ----D---- C:\Program Files\Movie Maker
2008-12-02 16:59:44 ----D---- C:\WINDOWS\system32\Restore
2008-12-02 16:59:44 ----D---- C:\WINDOWS\system32\npp
2008-12-02 16:59:43 ----D---- C:\WINDOWS\mui
2008-12-02 16:59:41 ----D---- C:\WINDOWS\msagent
2008-12-02 16:59:39 ----D---- C:\WINDOWS\srchasst
2008-12-02 16:59:38 ----D---- C:\Program Files\NetMeeting
2008-12-02 16:59:36 ----D---- C:\WINDOWS\system32\Com
2008-12-02 16:59:31 ----D---- C:\Program Files\Windows Media Player
2008-12-02 16:59:29 ----D---- C:\Program Files\Windows NT
2008-12-02 16:59:29 ----D---- C:\Program Files\Outlook Express
2008-12-02 16:59:25 ----D---- C:\Program Files\Common Files\System
2008-12-02 16:58:57 ----D---- C:\WINDOWS\system32\oobe
2008-12-02 16:58:54 ----D---- C:\WINDOWS\system
2008-12-02 16:52:53 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-12-02 16:47:49 ----D---- C:\WINDOWS\ehome

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 GearAspiWDM;GearAspiWDM; C:\WINDOWS\system32\drivers\GearAspiWDM.sys [2006-09-19 15664]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 PQIMount;PQIMount; C:\WINDOWS\system32\drivers\PQIMount.sys [2004-11-10 46800]
R2 pmem;pmem; C:\WINDOWS\system32\DRIVERS\pmemnt.sys [2004-08-02 7012]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2003-03-13 100224]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2002-08-06 139776]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 idisw2km;idisw2km; C:\WINDOWS\system32\DRIVERS\idisw2km.sys [2004-06-27 2112]
R3 kbstuff;SMS Virtual Keyboard; C:\WINDOWS\system32\DRIVERS\kbstuff5.sys [2004-06-27 4864]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-02 2627328]
R3 PAC7302;PAC7302 VGA USB Camera; C:\WINDOWS\system32\DRIVERS\PAC7302.SYS [2007-06-14 457856]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-27 578304]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 EntDrv51;EntDrv51; \??\C:\WINDOWS\system32\drivers\EntDrv51.sys []
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 prepdrvr;SMS Process Event Driver; \??\C:\WINDOWS\system32\CCM\prepdrv.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 CcmExec;SMS Agent Host; C:\WINDOWS\system32\CCM\CcmExec.exe [2004-08-04 570368]
R2 GEARSecurity;GEARSecurity; C:\WINDOWS\System32\GEARSec.exe [2004-11-10 53248]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-19 152984]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; C:\Program Files\McAfee\VirusScan\McShield.exe [2007-07-24 144704]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 Norton Ghost;Norton Ghost; C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe [2004-11-10 1273856]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2004-08-02 114755]
R2 sprtsvc_ddoctorv2;SupportSoft Sprocket Service (ddoctorv2); C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe [2008-04-24 202560]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 Wuser32;SMS Remote Control Agent; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [2004-07-23 241664]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
S2 McAfeeFramework;McAfee Framework Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2004-08-06 102463]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-02-19 504104]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WmcCds;Windows Media Connect (WMC); c:\program files\windows media connect\mswmccds.exe [2004-08-11 483328]
S3 WmcCdsLs;Windows Media Connect (WMC) Helper; C:\Program Files\Windows Media Connect\mswmcls.exe [2004-08-10 28160]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2008-12-21 11:56:30

======Uninstall list======

-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {4358EA9B-4ADF-45A2-A12E-7E9454FF5124}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
AIM 6-->C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Cisco TSP-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AF198881-AF5B-11D4-9DA2-000039ED6324}\Setup.exe" -l0x9
Desktop Doctor-->MsiExec.exe /I{D87149B3-7A1D-4548-9CBF-032B791E5908}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel(R) PRO Ethernet Adapter and Software-->Prounstl.exe
iTunes-->MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LiveUpdate 2.0 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Age of Empires II-->"C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007-->MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Norton Ghost 9.0-->MsiExec.exe /X{3C759736-8347-4031-BB9C-D75ADFE6B101}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Outlook 2007 Junk Email Filter (KB931766)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {397B6A04-F212-4628-AB47-5C0BB06B1805}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
VGA USB Camera-->C:\Program Files\InstallShield Installation Information\{F0B2D11F-E4D9-4C17-A195-B8BADEAE9C40}\setup.exe -runfromtemp -l0x0009 -removeonly
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Media Connect-->msiexec.exe /I {F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Connect-->MsiExec.exe /I{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

System event log

Computer Name: EVOD510
Event Code: 18
Message: Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Wednesday, March 12, 2008 at 3:00 AM:
- Windows Malicious Software Removal Tool - March 2008 (KB890830)

Record Number: 1266
Source Name: Windows Update Agent
Time Written: 20080311174911.000000-240
Event Type: information
User:

Computer Name: EVOD510
Event Code: 7036
Message: The Background Intelligent Transfer Service service entered the running state.

Record Number: 1265
Source Name: Service Control Manager
Time Written: 20080311174848.000000-240
Event Type: information
User:

Computer Name: EVOD510
Event Code: 7035
Message: The Background Intelligent Transfer Service service was successfully sent a start control.

Record Number: 1264
Source Name: Service Control Manager
Time Written: 20080311174848.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: EVOD510
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 1263
Source Name: W32Time
Time Written: 20080309125659.000000-240
Event Type: warning
User:

Computer Name: EVOD510
Event Code: 1002
Message: The IP address lease 192.168.1.100 for the Network Card with network address 000BCD217A00 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Record Number: 1262
Source Name: Dhcp
Time Written: 20080308231743.000000-240
Event Type: error
User:

Application event log

Computer Name: BSB-EVOD510C
Event Code: 1000
Message: Performance counters for the MSDTC (MSDTC) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 5
Source Name: LoadPerf
Time Written: 20050406125447.000000-240
Event Type: information
User:

Computer Name: BSB-EVOD510C
Event Code: 1000
Message: Performance counters for the TermService (Terminal Services) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 4
Source Name: LoadPerf
Time Written: 20050406125444.000000-240
Event Type: information
User:

Computer Name: BSB-EVOD510C
Event Code: 1000
Message: Performance counters for the RemoteAccess (Routing and Remote Access) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 3
Source Name: LoadPerf
Time Written: 20050406125348.000000-240
Event Type: information
User:

Computer Name: BSB-EVOD510C
Event Code: 1000
Message: Performance counters for the PSched (PSched) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 2
Source Name: LoadPerf
Time Written: 20050406125323.000000-240
Event Type: information
User:

Computer Name: BSB-EVOD510C
Event Code: 1000
Message: Performance counters for the RSVP (QoS RSVP) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 1
Source Name: LoadPerf
Time Written: 20050406125322.000000-240
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

 

[katana]

Information

Do you know why these items are in your trusted zone ?

O15 - ESC Trusted Zone: http://www.activedir.org (HKLM)
O15 - ESC Trusted Zone: http://www.msfn.org (HKLM)
O15 - ESC Trusted Zone: http://sea.search.msn.com (HKLM)

----------------------------------------------------------- -----------------------------------------------------------

Step 1


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
• If requested, please reboot
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------- -----------------------------------------------------------
Step 2

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

• You must download it to and run it from your Desktop
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply
• Re-enable all the programs that were disabled during the running of ComboFix..

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


----------------------------------------------------------- -----------------------------------------------------------
Step 3


Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista) . If any of the following programs are listed there,
click on the program to highlight it, and click on remove.

• Adobe Reader 7.1.0 << See below for updating Adobe
• Java(TM) 6 Update 7
  

Now close the Control Panel.

----------------------------------------------------------- -----------------------------------------------------------
Step 4


Logs/Information to Post in Reply
Please post the following logs/Information in your reply

• MalwareBytes Log
• Combofix Log
• How are things running now ?

----------------------------------------------------------- -----------------------------------------------------------

Additional Notes

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

• Please go to this link Adobe Acrobat Reader Download Link
• Click Download
• On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
• Click the Continue button
• Click Run, and click Run again
• Next click the Install Now button and follow the on screen prompts

 

[johnnyringo]

Information

Do you know why these items are in your trusted zone ?

no, I have no idea how they are there or how to put things there or remove them from there. Here is the log from step one. Moving on to step two.

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/22/2008 3:50:14 PM
mbam-log-2008-12-22 (15-50-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 98245
Time elapsed: 53 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 9
Registry Keys Infected: 33
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\beloniwa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kuhesaku.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\majumode.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nhyavaxr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pobikini.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\urqPIxvT.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lufositi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zisowume.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ymoyrd.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8e71c82f-c1f1-4887-a7e0-ea96fb79e9ca} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8e71c82f-c1f1-4887-a7e0-ea96fb79e9ca} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e30902d2-efcc-4370-a0dc-54aa135cef7f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e30902d2-efcc-4370-a0dc-54aa135cef7f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a44692d-8b37-4b77-bb53-5d1d27c354cf} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3a44692d-8b37-4b77-bb53-5d1d27c354cf} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3a44692d-8b37-4b77-bb53-5d1d27c354cf} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e30902d2-efcc-4370-a0dc-54aa135cef7f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8e71c82f-c1f1-4887-a7e0-ea96fb79e9ca} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\246c6371 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nunoketaya (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\urqpixvt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lufositi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\lufositi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\lufositi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\urqpixvt -> Delete on reboot.

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ymoyrd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\urqPIxvT.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\TvxIPqru.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TvxIPqru.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\beloniwa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\awinoleb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kuhesaku.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ukasehuk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\majumode.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\edomujam.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nhyavaxr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rxavayhn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pobikini.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\inikibop.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tefafodo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odofafet.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zofitemi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\imetifoz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zisowume.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lufositi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\6C49A2AE677D1736\6C49A2AE677D1736 (Rootkit.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\6C49A2AE677D1736\6C49A2AE677D1736.x86 (Rootkit.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\29QRIRYR\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GLER85AF\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{788AFE38-DDBC-49E4-8F7E-A3F06EBB6F5B}\RP321\A0038054.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bawifiya.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hafarire.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdaewxcl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\fmark2.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

 

[johnnyringo]

have a question

I am on step two and in the directions for this process it tells me to "download and install the windows recovery console" to do this, you need the disk. As i purchased this computer from my place of employment, I don't have the disk. Will this be a problem?

also, I will be leaving town, and the computer for about a week starting tomorrow. Do I need to restart the process when I return or continue from where I am now? Please advise. Thank you.

 

[katana]

Just double click Combofix and select "yes" at any prompts.

If we don't get finished, just post back to this thread when you return.

 

[katana]

Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.