
Solved Computer running slow, occasion fake spyware popups

Discussion in 'Malware and Virus Removal Archive' started by spdk1, 2009/04/16.

  1. 2009/04/16
    spdk1 (Thread Starter)
    [Resolved] Computer running slow, occasion fake spyware popups

    Hello,

    I am having a bit of trouble and found this site on a Google search. I think my fiancé downloaded a hijacker to my PC, and I am having trouble clearing it off. I've run Spyware S&D, ComboFix, and others, and it is still kind of happening. Please help!

    Here is my last ComboFix log:

    ComboFix 09-04-17.01 - Steve 04/16/2009 18:46.4 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.681 [GMT -5:00]
    Running from: c:\documents and settings\Steve\Desktop\stuff.exe
    AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\windows\system32\epufazah.ini
    c:\windows\system32\hazafupe.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
    .

    2009-09-30 10:25 . 2009-09-30 10:25 -------- d-----w c:\program files\Avira
    2009-09-30 10:25 . 2009-09-30 10:25 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
    2009-09-30 10:10 . 2009-09-30 10:10 -------- d-----w c:\program files\Windows Defender
    2009-09-30 10:06 . 2009-09-30 10:06 -------- d-----w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-16 12:36 . 2009-04-16 12:36 -------- d-sh--w C:\FOUND.072
    2009-04-16 01:19 . 2009-04-16 01:19 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
    2009-04-16 01:19 . 2009-04-16 01:19 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-04-16 01:18 . 2009-04-16 01:18 -------- d-----w c:\documents and settings\Steve\Application Data\GetRightToGo
    2009-04-15 23:28 . 2009-04-15 23:28 -------- d-sh--w C:\FOUND.071
    2009-03-18 00:37 . 2009-03-18 00:37 -------- d-sh--w C:\FOUND.070
    2009-03-18 00:14 . 2009-03-18 00:14 -------- d-sh--w C:\FOUND.069

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-16 15:29 . 2009-01-16 15:29 109056 --sha-w c:\windows\system32\yuniyuzi.dll
    2009-04-15 15:29 . 2009-01-15 15:28 70656 --sha-w c:\windows\system32\lokadodu.dll
    2009-04-15 15:28 . 2009-01-15 15:28 99840 ------w c:\windows\system32\wijuyira.dll
    2009-04-15 15:28 . 2009-01-15 15:28 108032 --sha-w c:\windows\system32\yuworowe.dll
    2009-04-04 00:56 . 2006-09-21 16:52 243345 ----a-w C:\hpfr3500.log
    2009-03-18 00:28 . 2006-12-15 09:06 150 ----a-w C:\YServer.txt
    2009-02-26 02:36 . 2009-02-26 02:36 -------- d-----w c:\program files\WiFiConnector
    2009-02-09 11:13 . 2008-10-14 17:38 1846784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-02-09 11:13 . 2002-09-19 15:04 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-01 04:01 . 2009-02-01 04:01 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-01-17 02:35 . 2006-05-19 15:06 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
    2008-07-01 07:17 . 2003-10-23 20:10 95400 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-21 20:55 . 2007-11-21 20:55 47360 ----a-w c:\documents and settings\Steve\Application Data\pcouffin.sys
    2007-10-28 12:20 . 2007-10-28 12:21 774144 ----a-w c:\program files\RngInterstitial.dll
    2007-02-06 06:30 . 2007-02-06 06:30 190368 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2006-03-11 08:55 . 2006-03-11 08:54 90432 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2006-01-29 05:39 . 2005-11-15 05:54 10 ----a-w c:\documents and settings\All Users\Application Data\mmrpplic.dat
    2005-01-24 00:24 . 2005-01-24 00:24 128 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\fusioncache.dat
    1999-07-06 23:00 . 1999-07-06 23:00 6 --sh--r c:\windows\@desktop@.dat
    2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r c:\windows\meta4.exe
    2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r c:\windows\MOTA113.exe
    2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r c:\windows\system32\cygwin1.dll
    2009-01-15 15:29 . 2009-01-15 15:29 70656 --sha-w c:\windows\system32\guromome.dll
    2005-06-22 03:37 . 2005-06-22 03:37 45568 --sha-r c:\windows\system32\cygz.dll
    2006-05-03 09:06 . 2007-05-16 07:03 163328 --sh--r c:\windows\system32\flvDX.dll
    2007-02-21 10:47 . 2007-05-16 07:03 31232 --sh--r c:\windows\system32\msfDX.dll
    2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r c:\windows\system32\i420vfw.dll
    2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r c:\windows\system32\yv12vfw.dll
    2004-10-24 20:34 . 2004-07-22 03:56 56 --sh--r c:\windows\system32\C63F8DB8F1.sys
    2005-07-14 17:31 . 2005-07-14 17:31 27648 --sha-r c:\windows\system32\AVSredirect.dll
    2005-02-28 18:16 . 2005-02-28 18:16 240128 --sha-r c:\windows\system32\x.264.exe
    2007-04-05 22:49 . 2007-04-02 08:43 2098 --sha-w c:\windows\system32\KGyGaAvL.sys
    2007-04-02 09:12 . 2007-04-02 08:43 56 --sh--r c:\windows\system32\105952530C.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]
    "µTorrent "= "c:\program files\uTorrent\uTorrent.exe" [2007-10-23 177152]
    "DAEMON Tools Lite "= "c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
    "Aim6 "= "c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
    "RssReader "= "c:\program files\RssReader\RssReader.exe" [2004-04-04 1077248]
    "Google Update "= "c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher "= "c:\program files\iTouch\iTouch.exe" [2004-03-18 892928]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1 "= "c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
    "MSPY2002 "= "c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync "= "c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A "= "c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "HPDJ Taskbar Utility "= "c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
    "HP Component Manager "= "c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "DeviceDiscovery "= "c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Adobe Photo Downloader "= "c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
    "HP Software Update "= "c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "avgnt "= "c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "CPMabe41b4a "= "c:\windows\system32\yuniyuzi.dll" [2009-04-16 109056]
    "CARPService "= "carpserv.exe" - c:\windows\system32\carpserv.exe [2003-01-09 4608]
    "VTPreset "= "VTPreset.exe" - c:\windows\system32\VTPreset.exe [2004-02-25 45056]

    c:\documents and settings\Steve\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2007-12-30 557568]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2009-2-25 1073152]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} "= "c:\windows\system32\yuniyuzi.dll" [2009-04-16 109056]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SSODL "= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yuniyuzi.dll [2009-04-16 109056]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=c:\windows\system32\yuniyuzi.dll,c:\windows\system32\guromome.dll
    "LoadAppInit_DLLs "=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= i420vfw.dll
    "vidc.DIV3 "= DivXc32.dll
    "vidc.DIV4 "= DivXc32f.dll
    "msacm.divxa32 "= DivXa32.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\windows\system32\guromome.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\msncall.exe "=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe "=
    "c:\\WINDOWS\\System32\\LSASS.EXE "=

    R3 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2006-03-22 208384]
    R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2001-08-17 747392]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c86a8e0-a660-11dc-a3bf-000d0bc47cc4}]
    \Shell\AutoRun\command - H:\Arcade.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

    2009-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3252541434-2931634771-3296844224-1005.job
    - c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-16 00:36]

    2009-04-16 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{9f80cb5b-f834-4063-a953-311a05cc7da3} - c:\windows\system32\kahowuhi.dll
    HKLM-Run-hibirozoye - c:\windows\system32\bonalopi.dll
    HKLM-Run-WMC_AutoUpdate - (no file)


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.tigerdirect.com/
    uInternet Settings,ProxyOverride = localhost
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &AIM Search
    IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} - hxxp://www.powerflasher.de/plugin/powerres.cab
    FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://spdk1.livejournal.com/friends
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\extensions\{D249FD00-4DF9-11D9-9FDC-0080481ADA61}\components\mpint.dll
    FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
    FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-16 18:56
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1092)
    c:\windows\system32\guromome.dll

    - - - - - - - > 'explorer.exe'(1668)
    c:\windows\system32\yuniyuzi.dll
    c:\windows\system32\guromome.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    c:\progra~1\SPYBOT~1\SDHelper.dll
    c:\windows\system32\wpdshext.dll
    c:\program files\Microsoft Office\OFFICE11\msohev.dll
    c:\program files\Common Files\Ahead\lib\MediaLibraryNSE.dll
    c:\program files\Common Files\Ahead\lib\MFC71U.DLL
    c:\program files\Common Files\Ahead\lib\NMDataServices.dll
    c:\program files\Common Files\Ahead\lib\NMPluginBase.dll
    c:\program files\Common Files\Ahead\lib\NMCoFoundation.dll
    c:\program files\Common Files\Ahead\lib\NMVDS.dll
    c:\program files\Common Files\Ahead\lib\NMIndexStoreSvrPS.dll
    c:\windows\system32\Audiodev.dll
    c:\windows\system32\WMVCore.DLL
    c:\windows\system32\WMASF.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\SCHED.EXE
    c:\program files\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE
    c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    c:\program files\IVT CORPORATION\BLUESOLEIL\BTNTSERVICE.EXE
    c:\program files\JAVA\JRE6\BIN\JQS.EXE
    c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    c:\nexon\MABINOGI\NPKCMSVC.EXE
    c:\program files\Common Files\Ahead\lib\NMIndexStoreSvr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-16 19:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-16 23:59

    Pre-Run: 29,491,920,896 bytes free
    Post-Run: 29,469,736,960 bytes free

    239 --- E O F --- 2009-04-14 05:24
     
  2. 2009/04/16
    spdk1 (Thread Starter)
    Here is my DDS report:


    DDS (Ver_09-03-16.01) - FAT32x86
    Run by Steve at 19:10:40.17 on Thu 04/16/2009
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.603 [GMT -5:00]

    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    SVCHOST.EXE
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    SVCHOST.EXE
    SVCHOST.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Steve\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.tigerdirect.com/
    uInternet Settings,ProxyOverride = localhost
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {9f80cb5b-f834-4063-a953-311a05cc7da3} - c:\windows\system32\kahowuhi.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe "
    uRun: [µTorrent] "c:\program files\utorrent\uTorrent.exe "
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
    uRun: [RssReader] c:\program files\rssreader\RssReader.exe
    uRun: [Google Update] "c:\documents and settings\steve\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [CARPService] carpserv.exe
    mRun: [zBrowser Launcher] c:\program files\itouch\iTouch.exe
    mRun: [VTPreset] VTPreset.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe "
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe "
    mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [CPMabe41b4a] Rundll32.exe "c:\windows\system32\yuniyuzi.dll ",a
    mRun: [hibirozoye] Rundll32.exe "c:\windows\system32\bonalopi.dll ",s
    StartupFolder: c:\docume~1\steve\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
    IE: &AIM Search
    IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.charter.com/sdccommon/download/tgctlcm.cab
    DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} - hxxp://www.powerflasher.de/plugin/powerres.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} - hxxp://www.mathxl.com/applets/PearsonInstallAsst.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.installengine.com/engine/isetup.cab
    DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} - hxxp://www.mathxl.com/applets/DeltaCVX.cab
    DPF: {CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} - hxxp://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Notify: WRNotifier - WRLogonNTF.dll
    AppInit_DLLs: c:\windows\system32\yuniyuzi.dll,c:\windows\system32\guromome.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yuniyuzi.dll
    STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\yuniyuzi.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    LSA: Notification Packages = scecli c:\windows\system32\guromome.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\34ozy92n.default user\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://spdk1.livejournal.com/friends
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\34ozy92n.default user\extensions\{d249fd00-4df9-11d9-9fdc-0080481ada61}\components\mpint.dll
    FF - plugin: c:\documents and settings\steve\application data\mozilla\firefox\profiles\34ozy92n.default user\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
    FF - plugin: c:\documents and settings\steve\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwinamp.dll
    FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: XUL Cache: {C691212A-34CA-4A7C-8B92-31F82F044EBC} - c:\documents and settings\steve\local settings\application data\{C691212A-34CA-4A7C-8B92-31F82F044EBC}

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-9-30 11840]
    R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-9-30 68865]
    R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-9-30 151297]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-26 24652]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-9-30 52032]
    S3 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2007-3-17 208384]
    S3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2002-9-19 747392]

    =============== Created Last 30 ================

    2009-04-16 18:35 <DIR> a-dshr-- C:\cmdcons
    2009-04-16 18:33 161,792 a------- c:\windows\SWREG.exe
    2009-04-16 18:33 98,816 a------- c:\windows\sed.exe
    2009-04-16 07:36 <DIR> --dsh--- C:\FOUND.072
    2009-04-15 20:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
    2009-04-15 20:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
    2009-04-15 20:18 <DIR> --d----- c:\docume~1\steve\applic~1\GetRightToGo
    2009-04-15 18:28 <DIR> --dsh--- C:\FOUND.071
    2009-03-17 19:37 <DIR> --dsh--- C:\FOUND.070
    2009-03-17 19:14 <DIR> --dsh--- C:\FOUND.069

    ==================== Find3M ====================

    2009-04-16 10:29 109,056 a--sh--- c:\windows\system32\yuniyuzi.dll
    2009-04-15 10:29 70,656 a--sh--- c:\windows\system32\lokadodu.dll
    2009-04-15 10:28 108,032 a--sh--- c:\windows\system32\yuworowe.dll
    2009-04-15 10:28 99,840 -------- c:\windows\system32\wijuyira.dll
    2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
    2009-01-31 23:01 410,984 a------- c:\windows\system32\deploytk.dll
    2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
    2007-11-21 15:55 47,360 a------- c:\docume~1\steve\applic~1\pcouffin.sys
    2007-10-28 07:20 774,144 a------- c:\program files\RngInterstitial.dll
    2006-01-29 00:39 10 a------- c:\docume~1\alluse~1\applic~1\mmrpplic.dat
    2002-10-04 15:09 204,800 a------- c:\windows\inf\FXPlugin.dll
    1999-07-06 18:00 6 ---shr-- c:\windows\@desktop@.dat
    2005-05-13 17:12 217,073 a--shr-- c:\windows\meta4.exe
    2005-10-24 11:13 66,560 a--shr-- c:\windows\MOTA113.exe
    2005-06-26 15:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
    2009-01-15 10:29 70,656 a--sh--- c:\windows\system32\guromome.dll
    2005-06-21 22:37 45,568 a--shr-- c:\windows\system32\cygz.dll
    2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
    2007-02-21 05:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
    2004-01-25 00:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
    2004-01-25 00:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll
    2004-10-24 15:34 56 ---shr-- c:\windows\system32\C63F8DB8F1.sys
    2005-07-14 12:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
    2005-02-28 13:16 240,128 a--shr-- c:\windows\system32\x.264.exe
    2007-04-05 17:49 2,098 a--sh--- c:\windows\system32\KGyGaAvL.sys
    2007-04-02 04:12 56 ---shr-- c:\windows\system32\105952530C.sys

    ============= FINISH: 19:13:44.06 ===============
     


  4. 2009/04/17
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome


    Quite a bit of work to do here.


    Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the CODE box below.
    Save this as "CFScript.txt" including the quotes, change the "Save as type" to "All Files", and place it on your desktop.
    Code:
    File::
    c:\windows\system32\yuniyuzi.dll
    c:\windows\system32\lokadodu.dll
    c:\windows\system32\wijuyira.dll
    c:\windows\system32\yuworowe.dll
    c:\windows\system32\guromome.dll
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CPMabe41b4a"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SSODL"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    DDS::
    BHO: {9f80cb5b-f834-4063-a953-311a05cc7da3} - c:\windows\system32\kahowuhi.dll
    TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    [image: screenshot of CFScript.txt being dragged onto ComboFix.exe]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



    NEXT**
    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run



    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  5. 2009/04/17
    spdk1

    spdk1 Inactive Thread Starter

    Joined:
    2009/04/16
    Messages:
    12
    Likes Received:
    0
    thanks for the help!

    here is my ComboFix report, and the Kaspersky report is soon to follow; I'll have all of these up in about an hour:

    ComboFix 09-04-17.01 - Steve 04/17/2009 18:54.5 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.592 [GMT -5:00]
    Running from: c:\documents and settings\Steve\Desktop\stuff.exe
    Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\windows\system32\guromome.dll
    c:\windows\system32\lokadodu.dll
    c:\windows\system32\wijuyira.dll
    c:\windows\system32\yuniyuzi.dll
    c:\windows\system32\yuworowe.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\bodonope.dll
    c:\windows\system32\ehiyarav.ini
    c:\windows\system32\eponodob.ini
    c:\windows\system32\guromome.dll
    c:\windows\system32\lokadodu.dll
    c:\windows\system32\varayihe.dll
    c:\windows\system32\wijuyira.dll
    c:\windows\system32\yuniyuzi.dll
    c:\windows\system32\yuworowe.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
    .

    2009-09-30 10:25 . 2009-09-30 10:25 -------- d-----w c:\program files\Avira
    2009-09-30 10:25 . 2009-09-30 10:25 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
    2009-09-30 10:10 . 2009-09-30 10:10 -------- d-----w c:\program files\Windows Defender
    2009-09-30 10:06 . 2009-09-30 10:06 -------- d-----w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-16 12:36 . 2009-04-16 12:36 -------- d-sh--w C:\FOUND.072
    2009-04-16 01:19 . 2009-04-16 01:19 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
    2009-04-16 01:19 . 2009-04-16 01:19 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-04-16 01:18 . 2009-04-16 01:18 -------- d-----w c:\documents and settings\Steve\Application Data\GetRightToGo
    2009-04-15 23:28 . 2009-04-15 23:28 -------- d-sh--w C:\FOUND.071

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-17 15:29 . 2009-01-17 15:29 109056 --sha-w c:\windows\system32\nusuzefa.dll
    2009-04-17 03:29 . 2009-01-17 03:29 108544 --sha-w c:\windows\system32\pamuyomi.dll
    2009-04-17 00:46 . 2006-09-21 16:52 243756 ----a-w C:\hpfr3500.log
    2009-03-18 00:28 . 2006-12-15 09:06 150 ----a-w C:\YServer.txt
    2009-02-26 02:36 . 2009-02-26 02:36 -------- d-----w c:\program files\WiFiConnector
    2009-02-09 11:13 . 2008-10-14 17:38 1846784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-02-09 11:13 . 2002-09-19 15:04 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-01 04:01 . 2009-02-01 04:01 410984 ----a-w c:\windows\system32\deploytk.dll
    2008-07-01 07:17 . 2003-10-23 20:10 95400 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-21 20:55 . 2007-11-21 20:55 47360 ----a-w c:\documents and settings\Steve\Application Data\pcouffin.sys
    2007-10-28 12:20 . 2007-10-28 12:21 774144 ----a-w c:\program files\RngInterstitial.dll
    2007-02-06 06:30 . 2007-02-06 06:30 190368 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2006-03-11 08:55 . 2006-03-11 08:54 90432 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2006-01-29 05:39 . 2005-11-15 05:54 10 ----a-w c:\documents and settings\All Users\Application Data\mmrpplic.dat
    2005-01-24 00:24 . 2005-01-24 00:24 128 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\fusioncache.dat
    1999-07-06 23:00 . 1999-07-06 23:00 6 --sh--r c:\windows\@desktop@.dat
    2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r c:\windows\meta4.exe
    2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r c:\windows\MOTA113.exe
    2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r c:\windows\system32\cygwin1.dll
    2005-06-22 03:37 . 2005-06-22 03:37 45568 --sha-r c:\windows\system32\cygz.dll
    2006-05-03 09:06 . 2007-05-16 07:03 163328 --sh--r c:\windows\system32\flvDX.dll
    2007-02-21 10:47 . 2007-05-16 07:03 31232 --sh--r c:\windows\system32\msfDX.dll
    2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r c:\windows\system32\i420vfw.dll
    2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r c:\windows\system32\yv12vfw.dll
    2004-10-24 20:34 . 2004-07-22 03:56 56 --sh--r c:\windows\system32\C63F8DB8F1.sys
    2005-07-14 17:31 . 2005-07-14 17:31 27648 --sha-r c:\windows\system32\AVSredirect.dll
    2005-02-28 18:16 . 2005-02-28 18:16 240128 --sha-r c:\windows\system32\x.264.exe
    2007-04-05 22:49 . 2007-04-02 08:43 2098 --sha-w c:\windows\system32\KGyGaAvL.sys
    2007-04-02 09:12 . 2007-04-02 08:43 56 --sh--r c:\windows\system32\105952530C.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-04-16_23.56.19 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-04-18 00:00 . 2009-04-18 00:00 16384 c:\windows\Temp\Perflib_Perfdata_390.dat
    + 2009-04-16 15:28 . 2009-04-17 15:30 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2009-04-16 15:28 . 2009-04-16 15:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-04-16 15:28 . 2009-04-17 15:30 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-04-16 15:28 . 2009-04-16 12:48 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-04-16 15:28 . 2009-04-17 15:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-04-16 15:28 . 2009-04-16 12:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]
    "µTorrent "= "c:\program files\uTorrent\uTorrent.exe" [2007-10-23 177152]
    "DAEMON Tools Lite "= "c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
    "Aim6 "= "c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
    "RssReader "= "c:\program files\RssReader\RssReader.exe" [2004-04-04 1077248]
    "Google Update "= "c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher "= "c:\program files\iTouch\iTouch.exe" [2004-03-18 892928]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1 "= "c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
    "MSPY2002 "= "c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync "= "c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A "= "c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "HPDJ Taskbar Utility "= "c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
    "HP Component Manager "= "c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "DeviceDiscovery "= "c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Adobe Photo Downloader "= "c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
    "HP Software Update "= "c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "avgnt "= "c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "hibirozoye "= "c:\windows\system32\bonalopi.dll" [BU]
    "CARPService "= "carpserv.exe" - c:\windows\system32\carpserv.exe [2003-01-09 4608]
    "VTPreset "= "VTPreset.exe" - c:\windows\system32\VTPreset.exe [2004-02-25 45056]

    c:\documents and settings\Steve\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2007-12-30 557568]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2009-2-25 1073152]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= i420vfw.dll
    "vidc.DIV3 "= DivXc32.dll
    "vidc.DIV4 "= DivXc32f.dll
    "msacm.divxa32 "= DivXa32.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\msncall.exe "=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe "=

    R3 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2006-03-22 208384]
    R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2001-08-17 747392]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c86a8e0-a660-11dc-a3bf-000d0bc47cc4}]
    \Shell\AutoRun\command - H:\Arcade.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

    2009-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3252541434-2931634771-3296844224-1005.job
    - c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-16 00:36]

    2009-04-18 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.tigerdirect.com/
    uInternet Settings,ProxyOverride = localhost
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &AIM Search
    IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} - hxxp://www.powerflasher.de/plugin/powerres.cab
    FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://spdk1.livejournal.com/friends
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\extensions\{D249FD00-4DF9-11D9-9FDC-0080481ADA61}\components\mpint.dll
    FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
    FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-17 19:02
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2896)
    c:\program files\iTouch\iTchHk.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\SCHED.EXE
    c:\program files\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE
    c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    c:\program files\IVT CORPORATION\BLUESOLEIL\BTNTSERVICE.EXE
    c:\program files\JAVA\JRE6\BIN\JQS.EXE
    c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    c:\nexon\MABINOGI\NPKCMSVC.EXE
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-18 19:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-18 00:08
    ComboFix2.txt 2009-04-17 00:00

    Pre-Run: 29,279,240,192 bytes free
    Post-Run: 29,129,113,600 bytes free

    226 --- E O F --- 2009-04-14 05:24
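A small triage script for logs like the one above, added here as an example; it is not part of ComboFix, HijackThis or anything posted in this thread. It reads ComboFix file lines (both the old and the new Find3M layout) and registry lines, and flags what the helper flagged by hand: the eight-letter consonant/vowel names that every malicious DLL in these logs shares (yuniyuzi, guromome, nusuzefa, bonalopi), system+hidden files in system32, a Run value that points at a DLL rather than an executable, and the Security Center and firewall values that were switched off. The name heuristic, the BAD_SETTINGS table and the sample lines (copied from the logs above, not a complete log) are my assumptions, not rules of either tool, so treat hits as leads to check, not verdicts.

```python
"""Triage ComboFix log lines for random-name DLLs and disabled protections.
Added example for this thread, not part of ComboFix or HijackThis.  The
'generated name' test (letters strictly alternating consonant/vowel) is an
assumption drawn from the names in the logs above, not a documented rule."""
import re
from dataclasses import dataclass

VOWELS = set("aeiou")
# Values that, at these settings, silence Security Center or turn off the firewall
# (assumed list; they appear under 'security center' and 'firewallpolicy' in the log).
BAD_SETTINGS = {"antivirusdisablenotify": 1, "updatesdisablenotify": 1, "enablefirewall": 0}

# File lines in both layouts seen in the thread:
#   2009-04-16 10:29 109,056 a--sh--- c:\windows\system32\yuniyuzi.dll
#   2009-04-17 15:29 . 2009-01-17 15:29 108544 --sha-w c:\windows\system32\pamuyomi.dll
FILE_LINE = re.compile(
    r"^\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2}"        # modification time
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"    # creation time (newer layout only)
    r"\s+(?:[\d,]+|<DIR>|-+)"                    # size
    r"\s+(?P<attrs>[-a-z]{6,8})"                 # attribute flags
    r"\s+(?P<path>[a-z]:\\\S.*?)\s*$",
    re.IGNORECASE,
)
# Registry value lines, tolerant of the stray space the forum inserts before the closing quote.
SETTING_LINE = re.compile(r'^\s*"(?P<name>[^"]*?)\s*"\s*=\s*(?P<value>dword:[0-9a-f]+|\d+)', re.IGNORECASE)
VALUE_LINE = re.compile(r'^\s*"(?P<name>[^"]*?)\s*"\s*=\s*(?P<rest>.*)$')

@dataclass
class Finding:
    subject: str      # file path or registry value name
    reasons: list

def looks_generated(s, min_len=8, max_len=8):
    """Lowercase ASCII letters of the given length, strictly alternating consonant/vowel."""
    if not (min_len <= len(s) <= max_len and s.isascii() and s.isalpha() and s.islower()):
        return False
    kinds = [c in VOWELS for c in s]
    return all(kinds[i] != kinds[i + 1] for i in range(len(s) - 1))

def triage_file_line(line):
    m = FILE_LINE.match(line)
    if not m:
        return None
    path, attrs = m.group("path"), m.group("attrs").lower()
    stem, _, ext = path.rsplit("\\", 1)[-1].lower().rpartition(".")
    reasons = []
    if ext in ("dll", "ini", "exe", "sys") and looks_generated(stem):
        reasons.append("generated-looking file name")
    if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
        reasons.append("system+hidden attributes in system32")
    return Finding(path, reasons) if reasons else None

def triage_reg_line(line, current_key):
    s = SETTING_LINE.match(line)
    if s:
        name, raw = s.group("name"), s.group("value").lower()
        value = int(raw[6:], 16) if raw.startswith("dword:") else int(raw)
        if BAD_SETTINGS.get(name.lower()) == value:
            return Finding(name, [f"protection setting {name}={value}"])
        return None
    v = VALUE_LINE.match(line)
    if not v or not v.group("rest").strip():
        return None
    name, rest = v.group("name"), v.group("rest").strip()
    quoted = re.match(r'"([^"]*)"', rest)
    target = quoted.group(1) if quoted else rest.split()[0]
    stem, _, ext = target.rsplit("\\", 1)[-1].lower().rpartition(".")
    reasons = []
    if looks_generated(name.lower(), 8, 12) or looks_generated(stem):
        reasons.append("generated-looking value name or target")
    if ext == "dll" and current_key.endswith("\\run"):
        reasons.append("Run value points at a DLL instead of an executable")
    return Finding(name, reasons) if reasons else None

def triage(lines):
    """Walk log lines, tracking the registry key in force, and collect findings."""
    findings, current_key = [], ""
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current_key = stripped[1:-1].lower()
            continue
        f = triage_file_line(line) or triage_reg_line(line, current_key)
        if f:
            findings.append(f)
    return findings

# Constructed sample: lines copied from the logs in this thread, not a full log.
SAMPLE_LOG = r"""
2009-04-16 10:29 109,056 a--sh--- c:\windows\system32\yuniyuzi.dll
2009-04-15 10:28 99,840 -------- c:\windows\system32\wijuyira.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-31 23:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-17 15:29 . 2009-01-17 15:29 109056 --sha-w c:\windows\system32\nusuzefa.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt "= "c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"hibirozoye "= "c:\windows\system32\bonalopi.dll" [BU]
"CARPService "= "carpserv.exe" - c:\windows\system32\carpserv.exe [2003-01-09 4608]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify "=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.subject}: {'; '.join(f.reasons)}")
```

Run it on a saved ComboFix.txt with `triage(open("ComboFix.txt", errors="replace").read().splitlines())`. The point of keying the DLL rule on the current registry section is that a DLL under drivers32 (i420vfw.dll) is normal, while a DLL as a Run value is not; and because the forum's own rendering puts a space before each closing quote, the patterns tolerate it rather than assuming a clean export.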
     
  6. 2009/04/18
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi


    I can still see a couple of infected files. Have you run Kaspersky and created a log?
     
  7. 2009/04/18
    spdk1

    spdk1 Inactive Thread Starter

    Joined:
    2009/04/16
    Messages:
    12
    Likes Received:
    0
    I tried to last night but my computer crashed, I'm running it again
     
  8. 2009/04/18
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    If Kaspersky continues to give you problems switch to this one.

    Next go Here to run Panda's ActiveScan.
    Once you are on the Panda site click the Scan your PC button
    A new window will open...click the Check Now button.
    Enter your State/Province
    Enter your E-mail address and click send.
    Select either Home user or Company.
    Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a few minutes)
    When the download is complete, click on My Computer to start the scan.
    When the scan completes, if anything malicious is detected, click the See Report button, then Save report and save it to a convenient location (activescan.txt to desktop).
    Post the contents of the ActiveScan report

    Then post the Panda log.
     
  9. 2009/04/18
    spdk1

    spdk1 Inactive Thread Starter

    Joined:
    2009/04/16
    Messages:
    12
    Likes Received:
    0
    running Panda now, as long as that doesn't mess up I will post that and a HJT log
     
  10. 2009/04/18
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal.
     
  11. 2009/04/19
    spdk1

    spdk1 Inactive Thread Starter

    Joined:
    2009/04/16
    Messages:
    12
    Likes Received:
    0
    wow, that was a long weekend; the computer kept crashing due to the virus, so I ran SUPERAntiSpyware and about 6 other free programs, and I was finally able to run Kaspersky...

    the other programs found something called "virtualmode" that was running rampant, but got rid of it as far as I know

    here's the log....

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Sunday, April 19, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Sunday, April 19, 2009 22:38:11
    Records in database: 2061073
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - Critical Areas:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\Steve\Start Menu\Programs\Startup
    C:\Program Files
    C:\WINDOWS

    Scan statistics:
    Files scanned: 112374
    Threat name: 2
    Infected objects: 2
    Suspicious objects: 0
    Duration of the scan: 04:12:23


    File name / Threat name / Threats count
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
    C:\WINDOWS\system32\prxf.dll Infected: not-a-virus:AdWare.Win32.RK.ai 1

    The selected area was scanned.

    next post is my HJT log
     
  12. 2009/04/19
    spdk1

    spdk1 Inactive Thread Starter

    Joined:
    2009/04/16
    Messages:
    12
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:12:40 PM, on 4/19/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\iTouch\iTouch.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\RssReader\RssReader.exe
    C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tigerdirect.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 82.98.231.89 url.adtrgt.com
    O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9f80cb5b-f834-4063-a953-311a05cc7da3} - C:\WINDOWS\system32\nejefiju.dll (file missing)
    O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\uTorrent.exe "
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [hibirozoye] Rundll32.exe "C:\WINDOWS\system32\geboyapa.dll ",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [hibirozoye] Rundll32.exe "C:\WINDOWS\system32\geboyapa.dll ",s (User 'NETWORK SERVICE')
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflasher.de/plugin/powerres.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\suhidonu.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 12536 bytes
     
  13. 2009/04/20
    Juliet

    Welcome back

    I can still see a few infected files, so let's do this next.

    Locate the ComboFix icon that should be on the desktop.
    Right click on that and select delete.

    Now we'll get an updated version...

    Download Combofix from any of the links below.

    Save it to your desktop.

    Link 1
    Link 2
    Link 3

    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html

    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    ** Please Note:
    • At times ComboFix may appear to stall; please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    You may need several replies to post the requested logs; otherwise they might get cut off.
     
  14. 2009/04/20
    spdk1

    ComboFix 09-04-21.06 - Steve 04/20/2009 18:13.6 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.456 [GMT -5:00]
    Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\obipukop.ini

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
    .

    2009-09-30 10:25 . 2009-09-30 10:25 -------- d-----w c:\program files\Avira
    2009-09-30 10:25 . 2009-09-30 10:25 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
    2009-09-30 10:10 . 2009-09-30 10:10 -------- d-----w c:\program files\Windows Defender
    2009-09-30 10:06 . 2009-09-30 10:06 -------- d-----w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-20 04:12 . 2009-04-20 04:12 -------- d-----w c:\program files\Trend Micro
    2009-04-19 20:49 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
    2009-04-19 19:50 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
    2009-04-19 19:40 . 2009-04-19 19:40 -------- d--h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-04-19 18:49 . 2009-04-19 18:49 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-04-19 18:49 . 2009-04-19 18:49 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-04-19 18:49 . 2009-04-19 18:49 -------- d-----w c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
    2009-04-19 18:48 . 2009-04-19 18:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-04-18 18:47 . 2008-06-19 21:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
    2009-04-18 18:46 . 2009-04-18 18:46 -------- d-----w c:\program files\Panda Security
    2009-04-18 08:00 . 2009-04-18 08:01 1374 ----a-w c:\windows\imsins.BAK
    2009-04-18 00:05 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-18 00:05 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-18 00:05 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-18 00:05 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-18 00:05 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-18 00:05 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-18 00:05 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-18 00:05 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-18 00:05 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-18 00:04 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-18 00:04 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
    2009-04-18 00:04 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-16 12:36 . 2009-04-16 12:36 -------- d-sh--w C:\FOUND.072
    2009-04-16 01:19 . 2009-04-16 01:19 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
    2009-04-16 01:19 . 2009-04-16 01:19 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-04-16 01:18 . 2009-04-16 01:18 -------- d-----w c:\documents and settings\Steve\Application Data\GetRightToGo
    2009-04-15 23:28 . 2009-04-15 23:28 -------- d-sh--w C:\FOUND.071

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-20 23:19 . 2009-04-19 21:03 444 ----a-w C:\aaw7boot.log
    2009-04-19 05:16 . 2009-01-19 05:16 63488 --sha-w c:\windows\system32\likebowa.exe
    2009-04-18 17:16 . 2009-01-18 17:16 63488 --sha-w c:\windows\system32\zusotawi.exe
    2009-04-17 03:29 . 2009-01-17 03:29 108544 --sha-w c:\windows\system32\pamuyomi.dll
    2009-04-17 00:46 . 2006-09-21 16:52 243756 ----a-w C:\hpfr3500.log
    2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
    2009-03-18 00:28 . 2006-12-15 09:06 150 ----a-w C:\YServer.txt
    2009-03-06 14:22 . 2002-09-19 15:04 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-03 00:18 . 2006-05-10 05:25 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
    2009-03-03 00:18 . 2004-02-06 23:05 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-28 04:54 . 2006-10-17 17:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
    2009-02-26 02:36 . 2009-02-26 02:36 -------- d-----w c:\program files\WiFiConnector
    2009-02-20 10:20 . 2007-05-09 22:50 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
    2009-02-20 10:20 . 2006-11-07 08:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
    2009-02-20 05:14 . 2002-09-19 15:03 161792 ----a-w c:\windows\system32\dllcache\ieakui.dll
    2009-02-09 12:10 . 2002-09-19 15:03 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2004-04-14 06:43 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2002-09-19 15:04 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2002-09-19 15:03 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2008-10-14 17:38 1846784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-02-09 11:13 . 2002-09-19 15:04 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-08 00:02 . 2008-10-14 17:38 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-02-08 00:02 . 2002-08-29 06:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-06 11:11 . 2002-09-19 15:04 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:08 . 2008-10-14 17:38 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
    2009-02-06 11:08 . 2002-09-19 15:04 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 11:06 . 2008-10-14 17:38 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-02-06 10:39 . 2002-09-19 15:04 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:39 . 2002-09-19 15:04 35328 ----a-w c:\windows\system32\dllcache\sc.exe
    2009-02-06 10:32 . 2008-10-14 17:38 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
    2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
    2009-02-03 19:59 . 2002-09-19 15:04 56832 ----a-w c:\windows\system32\secur32.dll
    2009-02-01 04:01 . 2009-02-01 04:01 410984 ----a-w c:\windows\system32\deploytk.dll
    2008-07-01 07:17 . 2003-10-23 20:10 95400 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-21 20:55 . 2007-11-21 20:55 47360 ----a-w c:\documents and settings\Steve\Application Data\pcouffin.sys
    2007-10-28 12:20 . 2007-10-28 12:21 774144 ----a-w c:\program files\RngInterstitial.dll
    2007-02-06 06:30 . 2007-02-06 06:30 190368 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2006-03-11 08:55 . 2006-03-11 08:54 90432 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2006-01-29 05:39 . 2005-11-15 05:54 10 ----a-w c:\documents and settings\All Users\Application Data\mmrpplic.dat
    2005-01-24 00:24 . 2005-01-24 00:24 128 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\fusioncache.dat
    1999-07-06 23:00 . 1999-07-06 23:00 6 --sh--r c:\windows\@desktop@.dat
    2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r c:\windows\meta4.exe
    2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r c:\windows\MOTA113.exe
    2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r c:\windows\system32\cygwin1.dll
    2005-06-22 03:37 . 2005-06-22 03:37 45568 --sha-r c:\windows\system32\cygz.dll
    2006-05-03 09:06 . 2007-05-16 07:03 163328 --sh--r c:\windows\system32\flvDX.dll
    2009-01-18 17:16 . 2009-01-18 17:16 71168 --sha-w c:\windows\system32\kemuzike.dll.tmp
    2007-02-21 10:47 . 2007-05-16 07:03 31232 --sh--r c:\windows\system32\msfDX.dll
    2009-01-18 17:16 . 2009-01-18 17:16 71168 --sha-w c:\windows\system32\fimukoto.dll.tmp
    2009-01-18 17:16 . 2009-01-18 17:16 71168 --sha-w c:\windows\system32\tuwihavo.dll.tmp
    2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r c:\windows\system32\i420vfw.dll
    2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r c:\windows\system32\yv12vfw.dll
    2004-10-24 20:34 . 2004-07-22 03:56 56 --sh--r c:\windows\system32\C63F8DB8F1.sys
    2005-07-14 17:31 . 2005-07-14 17:31 27648 --sha-r c:\windows\system32\AVSredirect.dll
    2005-02-28 18:16 . 2005-02-28 18:16 240128 --sha-r c:\windows\system32\x.264.exe
    2007-04-05 22:49 . 2007-04-02 08:43 2098 --sha-w c:\windows\system32\KGyGaAvL.sys
    2007-04-02 09:12 . 2007-04-02 08:43 56 --sh--r c:\windows\system32\105952530C.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-04-16_23.56.19 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
    + 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
    + 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
    + 2008-07-29 11:07 . 2008-07-29 11:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll
    + 2008-07-29 11:07 . 2008-07-29 11:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll
    + 2009-04-20 23:20 . 2009-04-20 23:20 16384 c:\windows\Temp\Perflib_Perfdata_3fc.dat
    - 2004-08-29 19:37 . 2007-07-27 14:41 26488 c:\windows\system32\spupdsvc.exe
    + 2004-08-29 19:37 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
    + 2008-03-16 05:30 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
    - 2008-03-16 05:30 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
    + 2002-09-19 15:04 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
    - 2002-09-19 15:04 . 2008-12-20 22:15 44544 c:\windows\system32\pngfilt.dll
    + 2002-09-19 15:04 . 2009-04-18 08:12 73482 c:\windows\system32\perfc009.dat
    - 2002-09-19 15:04 . 2008-09-20 18:45 73482 c:\windows\system32\perfc009.dat
    - 2004-04-14 06:43 . 2008-04-14 00:12 91648 c:\windows\system32\mtxoci.dll
    + 2004-04-14 06:43 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
    + 2004-04-14 06:43 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
    - 2004-04-14 06:43 . 2008-04-14 00:12 66560 c:\windows\system32\mtxclu.dll
    + 2006-11-08 02:03 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
    - 2006-11-08 02:03 . 2008-12-20 22:15 52224 c:\windows\system32\msfeedsbs.dll
    + 2002-09-19 15:18 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
    - 2002-09-19 15:18 . 2008-04-14 00:12 58880 c:\windows\system32\msdtclog.dll
    + 2002-09-19 15:03 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
    - 2002-09-19 15:03 . 2008-12-20 22:15 27648 c:\windows\system32\jsproxy.dll
    + 2006-11-07 08:26 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
    - 2006-11-07 08:26 . 2008-12-19 08:10 13824 c:\windows\system32\ieudinit.exe
    + 2002-09-19 15:03 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
    - 2002-09-19 15:03 . 2008-12-20 22:15 44544 c:\windows\system32\iernonce.dll
    + 2004-08-04 07:56 . 2009-02-20 18:09 78336 c:\windows\system32\ieencode.dll
    - 2002-09-19 15:03 . 2008-12-19 08:10 70656 c:\windows\system32\ie4uinit.exe
    + 2002-09-19 15:03 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
    - 2006-10-17 16:58 . 2008-12-20 22:15 63488 c:\windows\system32\icardie.dll
    + 2006-10-17 16:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
    + 2009-04-19 19:50 . 2009-03-09 19:06 64160 c:\windows\system32\DRVSTORE\lbd_1D149FE61E2CD0936E43877117FE3EF0674B9944\Lbd.sys
    + 2006-05-10 05:25 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
    - 2006-05-10 05:25 . 2008-12-20 22:15 44544 c:\windows\system32\dllcache\pngfilt.dll
    + 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
    + 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
    - 2007-05-09 22:50 . 2008-12-20 22:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
    + 2007-05-09 22:50 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
    + 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
    - 2006-05-10 05:25 . 2008-12-20 22:15 27648 c:\windows\system32\dllcache\jsproxy.dll
    + 2006-05-10 05:25 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
    + 2006-11-07 08:26 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
    - 2006-11-07 08:26 . 2008-12-20 22:15 44544 c:\windows\system32\dllcache\iernonce.dll
    + 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
    - 2007-08-20 10:04 . 2008-12-20 22:15 63488 c:\windows\system32\dllcache\icardie.dll
    + 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
    + 2009-04-16 15:28 . 2009-04-17 15:30 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2009-04-16 15:28 . 2009-04-16 15:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2009-04-16 15:28 . 2009-04-16 12:48 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-04-16 15:28 . 2009-04-17 15:30 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-04-16 15:28 . 2009-04-16 12:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-04-16 15:28 . 2009-04-17 15:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-04-19 18:49 . 2009-04-19 18:49 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    + 2009-04-19 18:49 . 2009-04-19 18:49 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2009-04-18 08:01 . 2008-12-20 22:15 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 52224 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 27648 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
    + 2009-04-18 08:01 . 2008-12-19 08:10 13824 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
    + 2009-04-18 08:01 . 2008-12-20 22:15 44544 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
    + 2009-04-18 08:01 . 2008-04-14 00:11 81920 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
    + 2009-04-18 08:01 . 2008-12-19 08:10 70656 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
    + 2009-04-18 08:01 . 2008-12-20 22:15 63488 c:\windows\ie7updates\KB963027-IE7\icardie.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 875520 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll
    + 2008-07-29 08:54 . 2008-07-29 08:54 312832 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
    + 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
    - 2004-07-21 22:18 . 2008-04-14 00:12 354304 c:\windows\system32\winhttp.dll
    + 2004-07-21 22:18 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
    - 2002-09-19 15:04 . 2008-12-20 22:15 233472 c:\windows\system32\webcheck.dll
    + 2002-09-19 15:04 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
    + 2002-09-19 15:18 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
    + 2002-09-19 15:18 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
    + 2002-09-19 15:18 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
    - 2002-09-19 15:04 . 2008-12-20 22:15 105984 c:\windows\system32\url.dll
    + 2002-09-19 15:04 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
    + 2002-09-19 15:04 . 2009-04-18 08:12 447452 c:\windows\system32\perfh009.dat
    - 2002-09-19 15:04 . 2008-09-20 18:45 447452 c:\windows\system32\perfh009.dat
    - 2002-09-19 15:04 . 2008-12-20 22:15 102912 c:\windows\system32\occache.dll
    + 2002-09-19 15:04 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
    - 2002-09-19 15:03 . 2008-12-20 22:15 671232 c:\windows\system32\mstime.dll
    + 2002-09-19 15:03 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
    - 2002-09-19 15:03 . 2008-12-20 22:15 193024 c:\windows\system32\msrating.dll
    + 2002-09-19 15:03 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
    + 2002-09-19 15:03 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
    - 2002-09-19 15:03 . 2008-12-20 22:15 477696 c:\windows\system32\mshtmled.dll
    - 2006-11-08 02:03 . 2008-12-20 22:15 459264 c:\windows\system32\msfeeds.dll
    + 2006-11-08 02:03 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
    + 2004-04-14 06:43 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
    - 2004-04-14 06:43 . 2008-04-14 00:12 161792 c:\windows\system32\msdtcuiu.dll
    + 2004-04-14 06:43 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
    - 2004-04-14 06:43 . 2008-04-14 00:12 956928 c:\windows\system32\msdtctm.dll
    + 2004-04-14 06:43 . 2008-06-12 14:23 428032 c:\windows\system32\msdtcprx.dll
    - 2002-09-19 15:03 . 2008-04-14 00:11 989696 c:\windows\system32\kernel32.dll
    + 2002-09-19 15:03 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
    + 2006-10-17 16:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
    + 2002-09-19 15:03 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
    + 2006-10-17 16:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
    - 2006-10-17 16:27 . 2008-12-20 22:15 383488 c:\windows\system32\ieapfltr.dll
    + 2002-09-19 15:03 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
    - 2002-09-19 15:03 . 2008-12-19 04:23 161792 c:\windows\system32\ieakui.dll
    - 2002-09-19 15:03 . 2008-12-20 22:15 230400 c:\windows\system32\ieaksie.dll
    + 2002-09-19 15:03 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
    + 2002-09-19 15:03 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
    - 2002-09-19 15:03 . 2008-12-20 22:15 153088 c:\windows\system32\ieakeng.dll
    + 2004-08-04 07:56 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
    - 2004-08-04 07:56 . 2008-12-20 22:15 133120 c:\windows\system32\extmgr.dll
    - 2002-09-19 15:03 . 2008-12-20 22:15 214528 c:\windows\system32\dxtrans.dll
    + 2002-09-19 15:03 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
    - 2002-09-19 15:03 . 2008-12-20 22:15 347136 c:\windows\system32\dxtmsft.dll
    + 2002-09-19 15:03 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
    + 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\system32\dllcache\winhttp.dll
    + 2006-11-08 02:03 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
    - 2006-11-08 02:03 . 2008-12-20 22:15 233472 c:\windows\system32\dllcache\webcheck.dll
    + 2006-10-17 17:05 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
    - 2006-10-17 17:05 . 2008-12-20 22:15 105984 c:\windows\system32\dllcache\url.dll
    + 2006-10-17 17:04 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
    - 2006-10-17 17:04 . 2008-12-20 22:15 102912 c:\windows\system32\dllcache\occache.dll
    + 2006-05-10 05:25 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
    - 2006-05-10 05:25 . 2008-12-20 22:15 671232 c:\windows\system32\dllcache\mstime.dll
    - 2006-05-10 05:25 . 2008-12-20 22:15 193024 c:\windows\system32\dllcache\msrating.dll
    + 2006-05-10 05:25 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
    - 2006-05-10 05:25 . 2008-12-20 22:15 477696 c:\windows\system32\dllcache\mshtmled.dll
    + 2006-05-10 05:25 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
    - 2007-05-09 22:50 . 2008-12-20 22:15 459264 c:\windows\system32\dllcache\msfeeds.dll
    + 2007-05-09 22:50 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
    + 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
    + 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
    + 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\system32\dllcache\msdtcprx.dll
    + 2007-05-09 22:50 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
    + 2006-11-07 08:27 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
    + 2007-05-09 22:50 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
    - 2007-05-09 22:50 . 2008-12-20 22:15 383488 c:\windows\system32\dllcache\ieapfltr.dll
    - 2006-11-07 08:27 . 2008-12-20 22:15 230400 c:\windows\system32\dllcache\ieaksie.dll
    + 2006-11-07 08:27 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
    + 2006-11-07 08:26 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
    - 2006-11-07 08:26 . 2008-12-20 22:15 153088 c:\windows\system32\dllcache\ieakeng.dll
    + 2006-05-10 05:25 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
    - 2006-05-10 05:25 . 2008-12-20 22:15 133120 c:\windows\system32\dllcache\extmgr.dll
    - 2006-05-10 05:25 . 2008-12-20 22:15 214528 c:\windows\system32\dllcache\dxtrans.dll
    + 2006-05-10 05:25 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
    + 2006-05-10 05:25 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
    - 2006-05-10 05:25 . 2008-12-20 22:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
    - 2006-11-07 08:26 . 2008-12-20 22:15 124928 c:\windows\system32\dllcache\advpack.dll
    + 2006-11-07 08:26 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
    - 2002-09-19 15:03 . 2008-12-20 22:15 124928 c:\windows\system32\advpack.dll
    + 2002-09-19 15:03 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 826368 c:\windows\ie7updates\KB963027-IE7\wininet.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 233472 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
    + 2009-04-18 08:01 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
    + 2009-04-18 08:01 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
    + 2009-04-18 08:01 . 2008-12-20 22:15 102912 c:\windows\ie7updates\KB963027-IE7\occache.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 671232 c:\windows\ie7updates\KB963027-IE7\mstime.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 193024 c:\windows\ie7updates\KB963027-IE7\msrating.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 477696 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 459264 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
    + 2009-04-18 08:01 . 2008-12-19 04:25 634024 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
    + 2009-04-18 08:01 . 2008-12-20 22:15 267776 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 384512 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
    + 2009-04-18 08:01 . 2008-12-19 04:23 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 230400 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 153088 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 133120 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 347136 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 124928 c:\windows\ie7updates\KB963027-IE7\advpack.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 5982720 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 5937144 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 1180672 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll
    + 2004-01-21 21:20 . 2009-02-20 18:09 1160192 c:\windows\system32\urlmon.dll
    - 2004-01-21 21:20 . 2008-12-20 22:15 1160192 c:\windows\system32\urlmon.dll
    - 2003-09-24 21:04 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
    + 2003-09-24 21:04 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
    + 2004-07-07 23:37 . 2009-02-20 18:09 3595264 c:\windows\system32\mshtml.dll
    + 2006-11-08 02:03 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
    - 2006-09-06 04:01 . 2007-04-17 09:28 2455488 c:\windows\system32\ieapfltr.dat
    + 2006-09-06 04:01 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
    + 2006-05-10 05:25 . 2009-02-20 18:09 1160192 c:\windows\system32\dllcache\urlmon.dll
    - 2006-05-10 05:25 . 2008-12-20 22:15 1160192 c:\windows\system32\dllcache\urlmon.dll
    + 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
    - 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
    + 2006-05-19 15:06 . 2009-02-20 18:09 3595264 c:\windows\system32\dllcache\mshtml.dll
    + 2007-05-09 22:50 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
    + 2007-05-09 22:50 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
    - 2007-05-09 22:50 . 2007-04-17 09:28 2455488 c:\windows\system32\dllcache\ieapfltr.dat
    + 2009-04-18 08:01 . 2008-12-20 22:15 1160192 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
    + 2009-04-18 08:01 . 2009-01-17 02:35 3594752 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
    + 2009-04-18 08:01 . 2008-12-20 22:15 6066688 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
    + 2009-04-18 08:01 . 2007-04-17 09:28 2455488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
    + 2008-10-14 17:38 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2008-10-14 17:38 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
    - 2008-10-14 17:38 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
    - 2008-10-14 17:38 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2008-10-14 17:38 . 2009-02-08 00:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    - 2008-10-14 17:38 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
    + 2008-10-14 17:38 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]
    "µTorrent"="c:\program files\uTorrent\uTorrent.exe" [2007-10-23 177152]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
    "RssReader"="c:\program files\RssReader\RssReader.exe" [2004-04-04 1077248]
    "Google Update"="c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher"="c:\program files\iTouch\iTouch.exe" [2004-03-18 892928]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
    "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
    "CARPService"="carpserv.exe" - c:\windows\system32\carpserv.exe [2003-01-09 4608]
    "VTPreset"="VTPreset.exe" - c:\windows\system32\VTPreset.exe [2004-02-25 45056]

    c:\documents and settings\Steve\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2007-12-30 557568]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2009-2-25 1073152]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    "wave2"= serwvdrv.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex\0lsdelete

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msncall.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

    R3 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2006-03-22 208384]
    R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2001-08-17 747392]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c86a8e0-a660-11dc-a3bf-000d0bc47cc4}]
    \Shell\AutoRun\command - H:\Arcade.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

    2009-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3252541434-2931634771-3296844224-1005.job
    - c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-16 00:36]

    2009-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

    2009-04-20 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.tigerdirect.com/
    uInternet Settings,ProxyOverride = localhost
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &AIM Search
    IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} - hxxp://www.powerflasher.de/plugin/powerres.cab
    FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
    FF - prefs.js: browser.startup.homepage - hxxp://spdk1.livejournal.com/friends
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\extensions\{D249FD00-4DF9-11D9-9FDC-0080481ADA61}\components\mpint.dll
    FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
    FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-20 18:21
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1048)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(2984)
    c:\program files\iTouch\iTchHk.dll
    c:\windows\system32\mshtml.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\VDMSound\LaunchPad.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
    c:\program files\SUPERAntiSpyware\SASSEH.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\SCHED.EXE
    c:\program files\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE
    c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    c:\program files\IVT CORPORATION\BLUESOLEIL\BTNTSERVICE.EXE
    c:\program files\JAVA\JRE6\BIN\JQS.EXE
    c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    c:\nexon\MABINOGI\NPKCMSVC.EXE
    c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\SoftwareDistribution\Download\Install\windows-kb890830-v2.9.exe
    z:\f48a4486fbce4cf601ceac4ddb\mrtstub.exe
    c:\windows\system32\MRT.exe
    c:\program files\Mozilla Firefox\firefox.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-20 18:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-20 23:30
    ComboFix2.txt 2009-04-18 00:08
    ComboFix3.txt 2009-04-17 00:00

    Pre-Run: 27,714,420,736 bytes free
    Post-Run: 28,005,007,360 bytes free

    496 --- E O F --- 2009-04-18 08:01
     
  15. 2009/04/20
    spdk1

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:32:39 PM, on 4/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\iTouch\iTouch.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tigerdirect.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflasher.de/plugin/powerres.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 11668 bytes
     
  16. 2009/04/20
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
    This will change from what we know in 2006; read this article:
    http://www.clickz.com/news/article.php/3561546
    Additional info: http://vil.nai.com/vil/content/v_137262.htm
    A side note about AIM Messenger, AOL users and Viewpoint Manager: Viewpoint is one of the graphic engines that AOL uses, and it is bundled with the application.
    If you continue to use AIM Messenger, it would likely be reinstalled. Or if you receive some of the AOL E-cards, it may ask you to download and run this program to view and run the graphics in the E-cards.

    Your call
    Go to Start > Settings > Control Panel > Add/Remove Programs and remove the
    following programs if present:

    Viewpoint
    Viewpoint Manager
    Viewpoint Media Player

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Your version of Adobe is out of date.

    You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.
    For more information and links to Adobe updates and downloads click here.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

    # Open Spybot Search & Destroy.
    # In the Mode menu click "Advanced mode" if not already selected.
    # Choose "Yes" at the Warning prompt.
    # Expand the "Tools" menu.
    # Click "Resident".
    # Uncheck the "Resident 'TeaTimer' (Protection of overall system settings) active." box.
    # In the File menu click "Exit" to exit Spybot Search & Destroy.

    * See this link for a tutorial http://russelltexas.com/malware/teatimer.htm




    We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

    Open Windows Defender.
    Click on Tools, General Settings.
    Scroll down and uncheck Turn on real-time protection (recommended).
    After you uncheck this, click on the Save button and close Windows Defender.

    After all of the fixes are complete it is very important that you enable Real-time Protection again



    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    (Description: Not necessary. Carpserv info)

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    (Description: Adobe reader startup - unnecessarily uses system resources.)





    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad. *Do Not Use Wordpad!* Do not use any other text editor than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



    In your next reply post:
    Combofix.txt
    new HJT log


    How's your computer now?
     
    Last edited: 2009/04/20
  17. 2009/04/20
    spdk1

    spdk1 Inactive Thread Starter

    Joined:
    2009/04/16
    Messages:
    12
    Likes Received:
    0
    ComboFix 09-04-21.06 - Steve 04/20/2009 23:35.7 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.763 [GMT -5:00]
    Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\windows\system32\fimukoto.dll.tmp
    c:\windows\system32\kemuzike.dll.tmp
    c:\windows\system32\likebowa.exe
    c:\windows\system32\msfDX.dll
    c:\windows\system32\pamuyomi.dll
    c:\windows\system32\prxf.dll
    c:\windows\system32\tuwihavo.dll.tmp
    c:\windows\system32\zusotawi.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\fimukoto.dll.tmp
    c:\windows\system32\kemuzike.dll.tmp
    c:\windows\system32\likebowa.exe
    c:\windows\system32\msfDX.dll
    c:\windows\system32\pamuyomi.dll
    c:\windows\system32\prxf.dll
    c:\windows\system32\tuwihavo.dll.tmp
    c:\windows\system32\zusotawi.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
    .

    2009-09-30 10:25 . 2009-09-30 10:25 -------- d-----w c:\program files\Avira
    2009-09-30 10:25 . 2009-09-30 10:25 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
    2009-09-30 10:10 . 2009-09-30 10:10 -------- d-----w c:\program files\Windows Defender
    2009-09-30 10:06 . 2009-09-30 10:06 -------- d-----w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-20 04:12 . 2009-04-20 04:12 -------- d-----w c:\program files\Trend Micro
    2009-04-19 20:49 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
    2009-04-19 19:50 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
    2009-04-19 19:40 . 2009-04-19 19:40 -------- d--h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-04-19 18:49 . 2009-04-19 18:49 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-04-19 18:49 . 2009-04-19 18:49 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-04-19 18:49 . 2009-04-19 18:49 -------- d-----w c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
    2009-04-19 18:48 . 2009-04-19 18:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-04-18 18:47 . 2008-06-19 21:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
    2009-04-18 18:46 . 2009-04-18 18:46 -------- d-----w c:\program files\Panda Security
    2009-04-18 08:00 . 2009-04-18 08:01 1374 ----a-w c:\windows\imsins.BAK
    2009-04-18 00:05 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-18 00:05 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-18 00:05 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-18 00:05 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-18 00:05 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-18 00:05 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-18 00:05 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-18 00:05 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-18 00:05 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-18 00:04 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-18 00:04 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
    2009-04-18 00:04 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-16 12:36 . 2009-04-16 12:36 -------- d-sh--w C:\FOUND.072
    2009-04-16 01:19 . 2009-04-16 01:19 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
    2009-04-16 01:19 . 2009-04-16 01:19 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-04-16 01:18 . 2009-04-16 01:18 -------- d-----w c:\documents and settings\Steve\Application Data\GetRightToGo
    2009-04-15 23:28 . 2009-04-15 23:28 -------- d-sh--w C:\FOUND.071

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-20 23:19 . 2009-04-19 21:03 444 ----a-w C:\aaw7boot.log
    2009-04-17 00:46 . 2006-09-21 16:52 243756 ----a-w C:\hpfr3500.log
    2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
    2009-03-18 00:28 . 2006-12-15 09:06 150 ----a-w C:\YServer.txt
    2009-03-06 14:22 . 2002-09-19 15:04 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-03 00:18 . 2006-05-10 05:25 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
    2009-03-03 00:18 . 2004-02-06 23:05 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-28 04:54 . 2006-10-17 17:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
    2009-02-26 02:36 . 2009-02-26 02:36 -------- d-----w c:\program files\WiFiConnector
    2009-02-20 10:20 . 2007-05-09 22:50 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
    2009-02-20 10:20 . 2006-11-07 08:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
    2009-02-20 05:14 . 2002-09-19 15:03 161792 ----a-w c:\windows\system32\dllcache\ieakui.dll
    2009-02-09 12:10 . 2002-09-19 15:03 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2004-04-14 06:43 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2002-09-19 15:04 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2002-09-19 15:03 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2008-10-14 17:38 1846784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-02-09 11:13 . 2002-09-19 15:04 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-08 00:02 . 2008-10-14 17:38 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-02-08 00:02 . 2002-08-29 06:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-06 11:11 . 2002-09-19 15:04 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:08 . 2008-10-14 17:38 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
    2009-02-06 11:08 . 2002-09-19 15:04 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 11:06 . 2008-10-14 17:38 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-02-06 10:39 . 2002-09-19 15:04 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:39 . 2002-09-19 15:04 35328 ----a-w c:\windows\system32\dllcache\sc.exe
    2009-02-06 10:32 . 2008-10-14 17:38 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
    2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
    2009-02-03 19:59 . 2002-09-19 15:04 56832 ----a-w c:\windows\system32\secur32.dll
    2009-02-01 04:01 . 2009-02-01 04:01 410984 ----a-w c:\windows\system32\deploytk.dll
    2008-07-01 07:17 . 2003-10-23 20:10 95400 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-21 20:55 . 2007-11-21 20:55 47360 ----a-w c:\documents and settings\Steve\Application Data\pcouffin.sys
    2007-10-28 12:20 . 2007-10-28 12:21 774144 ----a-w c:\program files\RngInterstitial.dll
    2007-02-06 06:30 . 2007-02-06 06:30 190368 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2006-03-11 08:55 . 2006-03-11 08:54 90432 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2006-01-29 05:39 . 2005-11-15 05:54 10 ----a-w c:\documents and settings\All Users\Application Data\mmrpplic.dat
    2005-01-24 00:24 . 2005-01-24 00:24 128 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\fusioncache.dat
    1999-07-06 23:00 . 1999-07-06 23:00 6 --sh--r c:\windows\@desktop@.dat
    2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r c:\windows\meta4.exe
    2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r c:\windows\MOTA113.exe
    2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r c:\windows\system32\cygwin1.dll
    2005-06-22 03:37 . 2005-06-22 03:37 45568 --sha-r c:\windows\system32\cygz.dll
    2006-05-03 09:06 . 2007-05-16 07:03 163328 --sh--r c:\windows\system32\flvDX.dll
    2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r c:\windows\system32\i420vfw.dll
    2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r c:\windows\system32\yv12vfw.dll
    2004-10-24 20:34 . 2004-07-22 03:56 56 --sh--r c:\windows\system32\C63F8DB8F1.sys
    2005-07-14 17:31 . 2005-07-14 17:31 27648 --sha-r c:\windows\system32\AVSredirect.dll
    2005-02-28 18:16 . 2005-02-28 18:16 240128 --sha-r c:\windows\system32\x.264.exe
    2007-04-05 22:49 . 2007-04-02 08:43 2098 --sha-w c:\windows\system32\KGyGaAvL.sys
    2007-04-02 09:12 . 2007-04-02 08:43 56 --sh--r c:\windows\system32\105952530C.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-04-20_23.21.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-07-15 22:13 . 2009-04-21 04:26 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
    - 2007-07-15 22:13 . 2009-04-05 07:35 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
    + 2009-04-20 23:24 . 2009-04-06 12:57 24921544 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]
    "µTorrent"="c:\program files\uTorrent\uTorrent.exe" [2007-10-23 177152]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
    "RssReader"="c:\program files\RssReader\RssReader.exe" [2004-04-04 1077248]
    "Google Update"="c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher"="c:\program files\iTouch\iTouch.exe" [2004-03-18 892928]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
    "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
    "VTPreset"="VTPreset.exe" - c:\windows\system32\VTPreset.exe [2004-02-25 45056]

    c:\documents and settings\Steve\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2007-12-30 557568]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2009-2-25 1073152]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    "wave2"= serwvdrv.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex\0lsdelete

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msncall.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

    R3 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2006-03-22 208384]
    R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2001-08-17 747392]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c86a8e0-a660-11dc-a3bf-000d0bc47cc4}]
    \Shell\AutoRun\command - H:\Arcade.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

    2009-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3252541434-2931634771-3296844224-1005.job
    - c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-16 00:36]

    2009-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

    2009-04-20 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.tigerdirect.com/
    uInternet Settings,ProxyOverride = localhost
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &AIM Search
    IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} - hxxp://www.powerflasher.de/plugin/powerres.cab
    FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://spdk1.livejournal.com/friends
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\extensions\{D249FD00-4DF9-11D9-9FDC-0080481ADA61}\components\mpint.dll
    FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\34ozy92n.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
    FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-20 23:39
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1048)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    Completion time: 2009-04-21 23:41
    ComboFix-quarantined-files.txt 2009-04-21 04:41
    ComboFix2.txt 2009-04-20 23:30
    ComboFix3.txt 2009-04-18 00:08
    ComboFix4.txt 2009-04-17 00:00

    Pre-Run: 27,872,018,432 bytes free
    Post-Run: 27,853,111,296 bytes free

    260 --- E O F --- 2009-04-20 23:30
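    A helper reading the ComboFix log above would flag a few lines by eye: the Security Center notifications for antivirus and updates are suppressed, the Windows Firewall standard profile is off, an AutoRun command is registered under mountpoints2 for a removable drive, and several files under c:\windows carry both the system and hidden attributes. The script below is an added example, not a tool from this thread or part of ComboFix, showing how those checks can be automated over ComboFix-format text so a triager sees them before reading 300 lines of output. The sample log is constructed from a handful of the page's own lines (Find3M and Reg Loading Points sections), and the regular expressions are my assumptions about the line layout; they tolerate the stray spaces the forum inserted before closing quotes. Hidden+system files are listed for review only, since legitimate installers also set those attributes.

```python
import re

# Constructed sample in the shape of the ComboFix log posted above (a few
# lines from its Find3M, Reg Loading Points and mountpoints2 sections).
# Not a complete log; only the sections the checks below look at.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))
.
2009-04-20 23:19 . 2009-04-19 21:03 444 ----a-w C:\aaw7boot.log
2009-02-09 12:10 . 2002-09-19 15:04 714752 ----a-w c:\windows\system32\ntdll.dll
2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r c:\windows\meta4.exe
2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r c:\windows\system32\cygwin1.dll
2007-04-02 09:12 . 2007-04-02 08:43 56 --sh--r c:\windows\system32\105952530C.sys
2009-04-16 12:36 . 2009-04-16 12:36 -------- d-sh--w C:\FOUND.072
.
(((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify "=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c86a8e0-a660-11dc-a3bf-000d0bc47cc4}]
\Shell\AutoRun\command - H:\Arcade.exe
.
"""

# Assumed layout of a ComboFix file line:
#   <modified> . <created> <size or dashes> <7-char attrs> <path>
FILE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
    r'(\d+|-+) ([-a-z]{7}) (.+)$')
KEY_RE = re.compile(r'^\[(.+)\]$')
# Tolerates the forum's stray space before the closing quote ("Name "=data).
VALUE_RE = re.compile(r'^"([^"]*?)\s*"\s*=\s*(.*)$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s*-\s*(.+)$')

SYSTEM_DIRS = ('c:\\windows\\',)
NOTIFY_VALUES = {'antivirusdisablenotify', 'firewalldisablenotify',
                 'updatesdisablenotify'}


def hidden_system_files(lines):
    """Files (not directories) under %SystemRoot% with both the system ('s')
    and hidden ('h') attributes, printed by ComboFix as e.g. '--sha-r'."""
    hits = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group(4), m.group(5)
        if attrs.startswith('d'):          # directory entries are skipped
            continue
        if 's' in attrs and 'h' in attrs and path.lower().startswith(SYSTEM_DIRS):
            hits.append(path)
    return hits


def registry_findings(lines):
    """Security-weakening settings in the 'Reg Loading Points' section.
    Returns (kind, key, detail) tuples in order of appearance."""
    findings = []
    key = None
    for line in lines:
        s = line.strip()
        m = KEY_RE.match(s)
        if m:
            key = m.group(1).lower()
            continue
        if key is None:
            continue
        m = AUTORUN_RE.match(s)
        if m and 'mountpoints2' in key:
            findings.append(('autorun', key, m.group(1)))
            continue
        m = VALUE_RE.match(s)
        if not m:
            continue
        name, data = m.group(1).lower(), m.group(2).strip().lower()
        if key.endswith('security center') and name in NOTIFY_VALUES \
                and data == 'dword:00000001':
            findings.append(('notify-suppressed', key, name))
        if 'firewallpolicy' in key and name == 'enablefirewall' \
                and data.startswith('0'):
            findings.append(('firewall-off', key, name))
    return findings


def triage(log_text):
    """Run both checks over one ComboFix log and return the findings."""
    lines = log_text.splitlines()
    return {'hidden_system_files': hidden_system_files(lines),
            'registry': registry_findings(lines)}


if __name__ == '__main__':
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print('  ', item)
```

    On the sample above the script reports the three hidden+system files, two suppressed Security Center notifications, the disabled firewall profile and the H:\Arcade.exe AutoRun entry; the FOUND.072 directory is skipped because the check is limited to files.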
     
  18. 2009/04/20
    spdk1

    spdk1 Inactive Thread Starter

    Joined:
    2009/04/16
    Messages:
    12
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:43:09 PM, on 4/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iTouch\iTouch.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tigerdirect.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\uTorrent.exe "
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflasher.de/plugin/powerres.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 11175 bytes
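A small triage script for log lines like these, added here as an example and not part of the original thread or of the HijackThis tool: it parses the O2 (BHO), O4 (Run key) and O23 (service) entries and flags the things a helper looks at first, namely a BHO registered with no file behind it, a Run entry with a bare executable name and no path, and a service with no vendor information. The sample input is a handful of lines copied from the log above; `Entry`, `parse_line`, `triage_log` and `flagged` are names I chose for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Entry:
    section: str                 # "O2", "O4", "O23"
    name: str                    # BHO name / Run value name / service name
    target: str                  # DLL path, command line, or service binary
    extra: str = ""              # CLSID (O2), registry hive (O4), owner (O23)
    flags: List[str] = field(default_factory=list)


# "<name> - {CLSID} - <path>"; a CLSID is 32 hex digits plus 4 hyphens.
BHO_RE = re.compile(r"^(?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# "<hive>: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; return None for sections this example ignores."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O2" and rest.startswith("BHO: "):
        mm = BHO_RE.match(rest[len("BHO: "):])
        if mm:
            return Entry("O2", mm["name"], mm["path"], mm["clsid"])
    elif section == "O4":
        mm = RUN_RE.match(rest)
        if mm:
            return Entry("O4", mm["name"], mm["cmd"], mm["hive"])
    elif section == "O23" and rest.startswith("Service: "):
        # Service names may themselves contain " - ", so split from the right:
        # the last field is the binary path, the one before it the owner.
        parts = rest[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            return Entry("O23", parts[0], parts[2], parts[1])
    return None


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    return cmd.split(" ", 1)[0]


def triage(entry: Entry) -> Entry:
    """Attach review flags for the patterns a log reader checks first."""
    if entry.section == "O2" and entry.target.strip().lower() == "(no file)":
        entry.flags.append("orphaned BHO: CLSID registered but the DLL is missing")
    if entry.section == "O4" and "\\" not in executable_of(entry.target):
        entry.flags.append("bare executable name, resolved via PATH; locate and verify it")
    if entry.section == "O23" and entry.extra.strip().lower() == "unknown owner":
        entry.flags.append("service binary carries no vendor info; check its publisher")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse every recognised line of a log and run triage on each entry."""
    return [triage(e) for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged(text: str):
    """(section, name, flags) for entries that deserve a second look."""
    return [(e.section, e.name, e.flags) for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for section, name, flags in flagged(SAMPLE_LOG):
        print(f"{section:4} {name}: {'; '.join(flags)}")
```

The flags are prompts for a human, not verdicts: the orphaned BHO and the unknown-owner service in this log turned out to be leftovers of legitimate software, which is exactly why the entries are listed for review rather than acted on automatically.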
     
  19. 2009/04/21
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    How's the computer now?
     
  20. 2009/04/21
    spdk1

    spdk1 Inactive Thread Starter

    Joined:
    2009/04/16
    Messages:
    12
    Likes Received:
    0
    It's working great! Thank you very much!
     
  21. 2009/04/22
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal, that's what I wanted to hear.


    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
    Example below

    You're good to go, good job!


    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates " for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Add-on for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     