
Firefox and IE popups

This topic is locked
27 replies to this topic

#1 NoParking


  • Members
  • 17 posts
  • Local time:05:22 PM

Posted 03 December 2008 - 03:52 PM

I got hit approx. 2 days ago. I'm usually good at preventing and cleaning out any infections I may get. Not today. Had a desktop hijacker and a bunch of popups, both in Firefox and IE. I have never had popups in Firefox before.

Anyways, I have tried a variety of scanners to help (SuperAntiSpyware, True Sword 5, Spy Hunter), all of which only worked to an extent. Seems like every time I get rid of something, something else is trying to pop up under another name. There was also a command.exe running I was never able to get rid of until one of the scanners finally managed. I thought that was the originating source. Also, a couple of the scanners were saying they found Trojan.Vundo. I tried the vundofix.exe and the virtumundoBeGone.exe and it did say it removed it the first time, but I still have popups and unwanted processes running, so I know there is still something here. Do you suggest trying to run that again in safe mode?

Well, here is my log. Thanks for the assistance if you are able to help.

Logfile of random's system information tool 1.04 (written by random/random)
Run by CGleason at 2008-12-03 15:35:27
Microsoft Windows XP Professional Service Pack 3
System drive C: has 5 GB (2%) free of 305 GB
Total RAM: 3327 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:38 PM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\Documents and Settings\CGleason\Desktop\RSIT.exe
C:\Program Files\trend micro\CGleason.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228265648718
O20 - AppInit_DLLs: nrnued.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

End of file - 5868 bytes

======Scheduled tasks folder======


======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 853672]

"dwStart"=C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe [2004-08-04 405504]
"NBKeyScan"=C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-01-11 623992]
"V0330Mon.exe"=C:\WINDOWS\V0330Mon.exe [2007-02-26 32768]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-10-07 86016]
"Zboard"=C:\Program Files\Ideazon\ZEngine\Zboard.exe [2008-11-12 57344]
"SpyHunter Security Suite"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2008-09-10 864256]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-10-07 13574144]

"Sony Ericsson PC Suite"=C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [2008-02-20 356352]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe [2005-10-28 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-26 31016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2008-10-07 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

C:\Documents and Settings\CGleason\Start Menu\Programs\Startup
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-26 2210608]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

"authentication packages"=msv1_0
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\SmartFTP Client\SmartFTP.exe"="C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe"="C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2"
"C:\Program Files\Atari\ArmA Demo\ArmADemo.exe"="C:\Program Files\Atari\ArmA Demo\ArmADemo.exe:*:Enabled:ArmA Demo"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\CoreFTP\coreftp.exe"="C:\Program Files\CoreFTP\coreftp.exe:*:Enabled:Core FTP App"
"C:\Program Files\World of Warcraft\WoW-1.12.0-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe: RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe: Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe: Application"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe: RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe: Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe: Application"

shell\AutoRun\command - setupSNK.exe

shell\AutoRun\command - F:\LaunchU3.exe -a

======File associations======

.js - edit -
.js - open -
.txt - open -

======List of files/folders created in the last 1 months======

2008-12-03 15:35:28 ----D---- C:\Program Files\trend micro
2008-12-03 15:35:27 ----D---- C:\rsit
2008-12-03 00:29:50 ----D---- C:\WINDOWS\Prefetch
2008-12-02 20:16:47 ----D---- C:\WINDOWS\system32\scripting
2008-12-02 20:16:44 ----D---- C:\WINDOWS\system32\en
2008-12-02 20:16:44 ----D---- C:\WINDOWS\system32\bits
2008-12-02 20:16:44 ----D---- C:\WINDOWS\l2schemas
2008-12-02 20:14:42 ----D---- C:\WINDOWS\ServicePackFiles
2008-12-02 20:11:42 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-12-02 20:09:49 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-12-02 20:09:48 ----A---- C:\WINDOWS\system32\winbrand.dll
2008-12-02 20:09:46 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-12-02 20:09:46 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-12-02 20:09:43 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2008-12-02 20:09:43 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2008-12-02 20:09:40 ----N---- C:\WINDOWS\system32\slserv.exe
2008-12-02 20:09:40 ----N---- C:\WINDOWS\system32\slrundll.exe
2008-12-02 20:09:40 ----N---- C:\WINDOWS\system32\slgen.dll
2008-12-02 20:09:40 ----N---- C:\WINDOWS\system32\slextspk.dll
2008-12-02 20:09:40 ----N---- C:\WINDOWS\system32\slcoinst.dll
2008-12-02 20:09:40 ----N---- C:\WINDOWS\slrundll.exe
2008-12-02 20:09:39 ----N---- C:\WINDOWS\system32\setupn.exe
2008-12-02 20:09:38 ----N---- C:\WINDOWS\system32\s3gnb.dll
2008-12-02 20:09:38 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-12-02 20:09:37 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-12-02 20:09:37 ----N---- C:\WINDOWS\system32\qutil.dll
2008-12-02 20:09:36 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-12-02 20:09:36 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-12-02 20:09:36 ----N---- C:\WINDOWS\system32\qagent.dll
2008-12-02 20:09:35 ----N---- C:\WINDOWS\system32\onex.dll
2008-12-02 20:09:32 ----N---- C:\WINDOWS\system32\napstat.exe
2008-12-02 20:09:32 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-12-02 20:09:32 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-12-02 20:09:31 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2008-12-02 20:09:31 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-12-02 20:09:31 ----N---- C:\WINDOWS\system32\mssha.dll
2008-12-02 20:09:31 ----A---- C:\WINDOWS\system32\msxml6r.dll
2008-12-02 20:09:24 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-12-02 20:09:24 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-12-02 20:09:24 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-12-02 20:09:24 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-12-02 20:09:23 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2008-12-02 20:09:16 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-12-02 20:09:16 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-12-02 20:09:16 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-12-02 20:09:16 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-12-02 20:09:16 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-12-02 20:09:16 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-12-02 20:09:12 ----N---- C:\WINDOWS\system32\smtpapi.dll
2008-12-02 20:09:12 ----N---- C:\WINDOWS\system32\rwnh.dll
2008-12-02 20:09:10 ----N---- C:\WINDOWS\system32\comsdupd.exe
2008-12-02 20:09:08 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2008-12-02 20:09:06 ----N---- C:\WINDOWS\system32\faxpatch.exe
2008-12-02 20:09:06 ----A---- C:\WINDOWS\003409_.tmp
2008-12-02 20:09:05 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-12-02 20:09:05 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-12-02 20:09:05 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-12-02 20:09:05 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-12-02 20:09:05 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-12-02 20:09:05 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-12-02 20:09:05 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-12-02 20:09:05 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-12-02 20:09:04 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-12-02 20:09:04 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-12-02 20:09:04 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-12-02 20:09:04 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-12-02 20:09:04 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-12-02 20:09:04 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-12-02 20:09:04 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-12-02 20:09:03 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-12-02 20:09:03 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-12-02 20:09:02 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-12-02 20:09:01 ----N---- C:\WINDOWS\system32\credssp.dll
2008-12-02 20:08:58 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-12-02 20:08:58 ----N---- C:\WINDOWS\system32\azroles.dll
2008-12-02 20:08:58 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2008-12-02 20:08:58 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2008-12-02 20:08:58 ----N---- C:\WINDOWS\system32\ati3duag.dll
2008-12-02 20:08:57 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2008-12-02 20:08:57 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2008-12-02 20:08:57 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2008-12-02 20:08:57 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2008-12-02 20:08:56 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-12-02 08:56:08 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 08:55:59 ----D---- C:\Program Files\SUPERAntiSpyware
2008-12-02 08:55:59 ----D---- C:\Documents and Settings\CGleason\Application Data\SUPERAntiSpyware.com
2008-12-01 23:57:05 ----A---- C:\WINDOWS\system32\nrnued.dll
2008-12-01 23:57:04 ----A---- C:\WINDOWS\system32\xaadcmmt.dll
2008-12-01 23:54:53 ----SH---- C:\WINDOWS\system32\sjobxnlw.ini
2008-12-01 23:54:51 ----A---- C:\WINDOWS\system32\wlnxbojs.dll
2008-12-01 23:54:24 ----A---- C:\WINDOWS\system32\d7a4f7d9-.txt
2008-12-01 23:54:04 ----ASH---- C:\WINDOWS\system32\PqXFNqss.ini2
2008-12-01 23:54:04 ----ASH---- C:\WINDOWS\system32\PqXFNqss.ini
2008-12-01 23:39:11 ----A---- C:\VundoFix.txt
2008-12-01 23:32:34 ----D---- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-12-01 23:22:26 ----D---- C:\Program Files\Enigma Software Group
2008-12-01 22:51:41 ----A---- C:\log2.txt
2008-12-01 22:51:41 ----A---- C:\log1.txt
2008-12-01 22:50:51 ----D---- C:\Documents and Settings\CGleason\Application Data\True Sword
2008-12-01 22:47:46 ----D---- C:\Program Files\True Sword 5
2008-12-01 22:47:46 ----A---- C:\WINDOWS\eSellerateEngine.dll
2008-12-01 22:47:46 ----A---- C:\WINDOWS\eSellerateControl350.dll
2008-12-01 22:04:34 ----D---- C:\Documents and Settings\CGleason\Application Data\gadcom
2008-12-01 22:04:20 ----SHD---- C:\WINDOWS\R2xlYXNvbg
2008-12-01 22:04:20 ----A---- C:\WINDOWS\system32\g71.exe
2008-12-01 22:04:16 ----A---- C:\WINDOWS\system32\pmnnLFwt.dll
2008-12-01 22:04:15 ----D---- C:\WINDOWS\system32\VC
2008-12-01 22:04:15 ----D---- C:\WINDOWS\system32\uv9
2008-12-01 22:04:15 ----D---- C:\WINDOWS\system32\ki3
2008-12-01 22:04:15 ----D---- C:\WINDOWS\system32\hov
2008-12-01 22:04:15 ----D---- C:\WINDOWS\system32\bin

======List of files/folders modified in the last 1 months======

2008-12-03 15:35:34 ----D---- C:\Documents and Settings\CGleason\Application Data\Azureus
2008-12-03 15:35:28 ----RD---- C:\Program Files
2008-12-03 15:32:05 ----A---- C:\WINDOWS\NeroDigital.ini
2008-12-03 15:11:10 ----D---- C:\Program Files\Mozilla Firefox
2008-12-03 07:00:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-03 00:35:00 ----D---- C:\WINDOWS\system32\drivers
2008-12-03 00:34:05 ----D---- C:\WINDOWS\system32
2008-12-03 00:34:05 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-03 00:33:20 ----D---- C:\WINDOWS\Temp
2008-12-03 00:33:07 ----A---- C:\WINDOWS\OEWABLog.txt
2008-12-03 00:32:47 ----A---- C:\WINDOWS\setuplog.txt
2008-12-03 00:30:48 ----D---- C:\WINDOWS\Registration
2008-12-03 00:30:45 ----D---- C:\WINDOWS
2008-12-03 00:30:05 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-03 00:29:13 ----D---- C:\WINDOWS\system32\wbem
2008-12-03 00:29:13 ----D---- C:\WINDOWS\system32\Setup
2008-12-03 00:29:13 ----D---- C:\WINDOWS\AppPatch
2008-12-03 00:29:12 ----RSD---- C:\WINDOWS\Fonts
2008-12-02 20:19:46 ----D---- C:\WINDOWS\security
2008-12-02 20:19:32 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-02 20:18:57 ----RSD---- C:\WINDOWS\assembly
2008-12-02 20:17:24 ----D---- C:\WINDOWS\WinSxS
2008-12-02 20:17:22 ----D---- C:\Program Files\Messenger
2008-12-02 20:17:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-02 20:17:21 ----HD---- C:\WINDOWS\inf
2008-12-02 20:17:08 ----D---- C:\WINDOWS\system32\inetsrv
2008-12-02 20:17:07 ----D---- C:\WINDOWS\network diagnostic
2008-12-02 20:17:06 ----D---- C:\WINDOWS\ime
2008-12-02 20:17:04 ----D---- C:\WINDOWS\Help
2008-12-02 20:16:48 ----D---- C:\WINDOWS\system32\usmt
2008-12-02 20:16:48 ----D---- C:\WINDOWS\system32\en-US
2008-12-02 20:16:44 ----SHD---- C:\WINDOWS\Installer
2008-12-02 20:16:44 ----D---- C:\WINDOWS\PeerNet
2008-12-02 20:16:44 ----D---- C:\Program Files\Movie Maker
2008-12-02 20:14:36 ----D---- C:\WINDOWS\system32\Restore
2008-12-02 20:14:36 ----D---- C:\WINDOWS\system32\npp
2008-12-02 20:14:36 ----D---- C:\WINDOWS\mui
2008-12-02 20:14:35 ----D---- C:\WINDOWS\msagent
2008-12-02 20:14:34 ----D---- C:\WINDOWS\srchasst
2008-12-02 20:14:33 ----D---- C:\Program Files\NetMeeting
2008-12-02 20:14:31 ----D---- C:\WINDOWS\system32\Com
2008-12-02 20:14:30 ----D---- C:\Program Files\Windows NT
2008-12-02 20:14:30 ----D---- C:\Program Files\Windows Media Player
2008-12-02 20:14:30 ----D---- C:\Program Files\Outlook Express
2008-12-02 20:14:28 ----D---- C:\Program Files\Common Files\System
2008-12-02 20:14:17 ----D---- C:\WINDOWS\system32\oobe
2008-12-02 20:14:16 ----D---- C:\WINDOWS\system
2008-12-02 20:11:40 ----D---- C:\WINDOWS\ehome
2008-12-02 19:57:36 ----D---- C:\WINDOWS\Debug
2008-12-02 19:54:48 ----D---- C:\WINDOWS\SoftwareDistribution
2008-12-02 19:54:15 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-02 08:56:04 ----SHD---- C:\Config.Msi
2008-12-02 08:55:49 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-02 07:57:52 ----SD---- C:\WINDOWS\Tasks
2008-12-02 06:18:42 ----SHD---- C:\System Volume Information
2008-12-01 23:45:29 ----D---- C:\WINDOWS\system32\config
2008-12-01 22:59:22 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-01 22:04:27 ----D---- C:\temp
2008-11-24 14:43:25 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-23 19:06:13 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2008-11-21 04:05:20 ----D---- C:\Program Files\Azureus
2008-11-19 18:39:24 ----D---- C:\WINDOWS\nview
2008-11-18 18:59:31 ----D---- C:\Program Files\UltimateZip 2007
2008-11-17 18:18:24 ----D---- C:\Documents and Settings\CGleason\Application Data\LimeWire
2008-11-17 01:06:13 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-17 01:03:03 ----D---- C:\Program Files\Adobe
2008-11-07 02:50:38 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-08-06 33052]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-04-13 225664]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-03-15 12032]
R3 Alpham1;Ideazon Merc USB Human Interface Device; C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 42624]
R3 Alpham2;Ideazon Merc MM USB Human Interface Device; C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 18432]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 cmpci;C-Media PCI Audio Driver (WDM); C:\WINDOWS\system32\drivers\cmaudio.sys [2002-07-16 379726]
R3 FarStoneFireWallDrive;FarStoneFireWallDrive; C:\WINDOWS\System32\Drivers\FarDrive.sys [2004-05-19 142169]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2008-07-28 116736]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-10-07 6133856]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-22 52736]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-22 18944]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2007-07-25 47360]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 V0330VID;WebCam Vista/Live! Cam Chat; C:\WINDOWS\system32\DRIVERS\V0330Vid.sys [2007-02-28 185183]
S1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
S1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys []
S1 InCDRm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys []
S1 isapnpp;isapnpp; C:\WINDOWS\System32\drivers\isapnpp.sys []
S3 a016bus;Sony Ericsson Device A016 driver (WDM); C:\WINDOWS\system32\DRIVERS\a016bus.sys [2008-01-18 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter; C:\WINDOWS\system32\DRIVERS\a016mdfl.sys [2008-01-18 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\a016mdm.sys [2008-01-18 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\a016mgmt.sys [2008-01-18 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\a016obex.sys [2008-01-18 100648]
S3 aeob14oi;aeob14oi; C:\WINDOWS\system32\drivers\aeob14oi.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 Maplom;Maplom; C:\WINDOWS\system32\drivers\Maplom.sys [2007-10-04 33792]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 Razerlow;Razer Copperhead Driver; C:\WINDOWS\System32\Drivers\Razerlow.sys [2005-08-12 19020]
S3 RT61;Gigabyte Wireless Driver; C:\WINDOWS\system32\DRIVERS\RT61.sys [2005-08-26 352768]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 uisp;Freescale USB JW32 driver; C:\WINDOWS\System32\Drivers\usbicp.sys [2001-01-04 162900]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 InCDFs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-10-07 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2007-10-30 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2008-11-23 201352]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-06-18 654848]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-05-10 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-26 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]


And the other log

info.txt logfile of random's system information tool 1.04 2008-12-03 15:35:39

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->MsiExec /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3ivx D4 4.5.1 (remove only)-->"C:\Program Files\3ivx\3ivx D4 4.5.1\uninstall.exe"
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Adobe Acrobat 8.1.2 Professional-->msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Color Common Settings-->C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings-->MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\5bc0f8414ec36c555a3e7e5ec2e225e\Setup.exe
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{1BCEA516-B4C5-4B2D-BFA0-AB7910BAD862}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup-->MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup-->MsiExec.exe /I{D504303A-717D-414C-BA9F-FE01093E2EF8}
Adobe Stock Photos 1.0-->MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Adobe® Photoshop® Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AGEIA PhysX v7.09.13-->MsiExec.exe /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
Athlon 64 Processor Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
Azureus Vuze-->C:\Program Files\Azureus\uninstall.exe
Battlefield 2™-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
ConvertXtoDVD>"C:\Program Files\VSO\ConvertXtoDVD\unins000.exe"
Creative Software AutoUpdate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9 /remove
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative WebCam Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9 /remove
Creative WebCam Vista User's Guide (English)-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Creative WebCam Vista\Creative WebCam Vista User's Guide\English\CTManual.isu"
Creative WebCam Vista/Live! Cam Chat Driver (>C:\WINDOWS\CtDrvIns.exe -uninstall -script VF0330.uns -unsext NT -plugin V0330Pin.dll -pluginres CtCamPin.crl
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Enemy Territory - QUAKE Wars™ Beta 1.1 Patch-->C:\Program Files\InstallShield Installation Information\{B547451E-9D40-411C-9A18-05A2D997B225}\setup.exe -runfromtemp -l0x0409
Enemy Territory - QUAKE Wars™ Beta 2 1.1 Patch-->C:\Program Files\InstallShield Installation Information\{2FB399BA-E790-4EAE-A82A-37A1B36C2783}\setup.exe -runfromtemp -l0x0409
Fallout 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly
Fraps (remove only)-->"C:\Fraps\uninstall.exe"
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
LimeWire PRO 4.18.5-->"C:\Program Files\LimeWire\uninstall.exe"
Magic ISO Maker v5.4 (build 0251)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft ActiveSync-->MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft DirectX Transform optional components-->RUNDLL32.EXE ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\DXTXTRA.INF,UNINSTALL.NT,12
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (>C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 Demo-->MsiExec.exe /I{84B2CF01-194D-2284-B313-F2E0D78D1033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenAL-->"C:\Program Files\OpenAL\OpenALwEAX.exe" /U
PCI Audio Driver-->cmuninst.exe
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
PunkBuster Services-->C:\WINDOWS\system32\pbsvc.exe -u
Razer Copperhead-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D6D5CFB3-7095-4073-B6B7-B7E909838C57}\Setup.exe"
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Shadowbane - Throne of Oblivion-->"C:\Program Files\Ubisoft\Shadowbane - Throne of Oblivion\UninstallerData\Uninstall Shadowbane - Throne of Oblivion.exe"
SmartFTP Client-->MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
Sony Ericsson PC Suite 3.209.00-->C:\Program Files\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\Setup.exe -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy>"C:\WINDOWS\unins000.exe"
SpyHunter-->"C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
The Shield 2006 Professional-->C:\Program Files\The Shield Firewall\uninst.exe
Total Annihilation - Battle Tactics-->C:\CAVEDOG\TOTALA\tabtunst.exe C:\CAVEDOG\TOTALA
Total Annihilation - Core Contingency-->C:\CAVEDOG\TOTALA\CC\CCQUERY.EXE
Total Annihilation-->C:\CAVEDOG\TOTALA\setup.exe -u
Trillian-->C:\Program Files\Trillian\trillian.exe /uninstall
True Sword 5-->"C:\Program Files\True Sword 5\unins000.exe"
TSDisp-->C:\Program Files\TSDisp\Uninst.exe
UltimateZip 2007-->"C:\Program Files\UltimateZip 2007\unins000.exe"
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoLAN VLC media player 0.8.6b-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VisualRoute-->"C:\Program Files\VisualRoute\Uninstall.exe" "C:\Program Files\VisualRoute"
VobSub v2.23 (Remove Only)-->"C:\Program Files\Gabest\VobSub\uninstall.exe"
WinAVI Video Converter-->"C:\Program Files\WinAVI Video Converter\unins000.exe"
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Mobile® Device Handbook-->C:\Program Files\Windows Mobile Device Handbook\Windows Mobile Device Handbook\Bin\DHUninstall.exe
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Media Center Edition 2005 KB925766-->"C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
xp-AntiSpy 3.96-5-->C:\Program Files\xp-AntiSpy\Uninstall.exe
Xvid 1.1.2 final uninstall-->"C:\Program Files\Xvid\unins000.exe"
Z Engine-->MsiExec.exe /X{64E47A5F-B3C4-476A-9100-2D006BD1FFB4}

======Environment variables======

"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 67 Stepping 2, AuthenticAMD


Edited by NoParking, 03 December 2008 - 03:57 PM.



#2 NoParking

  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:22 PM

Posted 05 December 2008 - 06:25 PM

An update. SpyHunter says it finds Vundo.trojan. But no matter what Vundo removal tool I use, it's still there. Also a Trojan.Cronhook that will not delete as well. It says it will fix it on reboot but it's always still there.

#3 NoParking

  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:22 PM

Posted 07 December 2008 - 02:02 AM

Computer is still running slow. Any attempt to remove it, and it's back after a reboot. Any thoughts on how else to attempt this?

#4 NoParking

  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:22 PM

Posted 08 December 2008 - 03:33 AM

Well, I have exhausted all methods to no avail. Everything I could find on Google in reference to my issues has not helped. I believe I need to start backing up for a format. It would be the first in many years. :thumbsup:

#5 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:05:22 PM

Posted 08 December 2008 - 08:42 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Change the Rootkit Scan setting from "No" to Yes.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#6 NoParking

  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:22 PM

Posted 10 December 2008 - 12:51 AM

Only changes made are some antivirus/malware scans, tried Vundofix.exe in safe mode, and also had a few NoScript updates for Firefox.

Here is the OTScanIT attachment:

I'm also including a new HijackThis log if that helps at all.

Thanks for the help.

#7 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:05:22 PM

Posted 10 December 2008 - 02:56 AM

Hello NoParking.

I see you have Enigma SpyHunter installed. This company used to write rogue software. For that reason, I suggest you uninstall the program.

You also have the rogue "Security StrongHold" on your machine, which we will use OTScanIt to remove.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Registry - Safe List]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {797cf91a-508e-43a3-8b1c-45d262313c16} [HKLM] -> %SystemRoot%\system32\lunazuse.dll [Reg Error: Value  does not exist or could not be read.]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> "CPMdfb4003b" -> %SystemRoot%\system32\vajoneyo.dll [Rundll32.exe "c:\windows\system32\vajoneyo.dll",a]
    YY -> "dc8733a7" -> %SystemRoot%\system32\namogizu.dll [rundll32.exe "C:\WINDOWS\system32\namogizu.dll",b]
    YN -> "NBKeyScan" -> %ProgramFiles%\Nero\Nero8\Nero BackItUp\NBKeyScan.exe ["C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"]
    YY -> "rosulimeje" -> %SystemRoot%\system32\rehoruzu.dll [Rundll32.exe "C:\WINDOWS\system32\rehoruzu.dll",s]
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "Sony Ericsson PC Suite" -> ["C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon]
    < Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "rosulimeje" -> %SystemRoot%\system32\rehoruzu.dll [Rundll32.exe "C:\WINDOWS\system32\rehoruzu.dll",s]
    < Run [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "rosulimeje" -> %SystemRoot%\system32\rehoruzu.dll [Rundll32.exe "C:\WINDOWS\system32\rehoruzu.dll",s]
    < Run [HKEY_USERS\S-1-5-21-73586283-602162358-839522115-1003\] > -> HKEY_USERS\S-1-5-21-73586283-602162358-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "Sony Ericsson PC Suite" -> ["C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon]
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YN -> nrnued.dll -> %SystemRoot%\system32\nrnued.dll
    YN -> C:\WINDOWS\system32\sujejawo.dll -> %SystemRoot%\system32\sujejawo.dll
    YN -> c:\windows\system32\vajoneyo.dll -> %SystemRoot%\system32\vajoneyo.dll
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    < SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    YN -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\vajoneyo.dll [SSODL]
    < SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    YN -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\vajoneyo.dll [STS]
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    *LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    YN -> C:\WINDOWS\system32\ssqNFXqP -> 
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    [Files/Folders - Created Within 30 Days]
    NY -> uzigoman.ini -> %SystemRoot%\System32\uzigoman.ini
    NY -> ajihobir.ini -> %SystemRoot%\System32\ajihobir.ini
    NY -> ezapejij.ini -> %SystemRoot%\System32\ezapejij.ini
    NY -> avolowun.ini -> %SystemRoot%\System32\avolowun.ini
    NY -> idomazoy.ini -> %SystemRoot%\System32\idomazoy.ini
    NY -> nrnued.dll -> %SystemRoot%\System32\nrnued.dll
    NY -> sjobxnlw.ini -> %SystemRoot%\System32\sjobxnlw.ini
    NY -> PqXFNqss.ini2 -> %SystemRoot%\System32\PqXFNqss.ini2
    NY -> PqXFNqss.ini -> %SystemRoot%\System32\PqXFNqss.ini
    NY -> True Sword -> %AppData%\True Sword
    NY -> True Sword 5 -> %ProgramFiles%\True Sword 5
    NY -> TrueSword5.exe -> %UserProfile%\Desktop\TrueSword5.exe
    NY -> gadcom -> %AppData%\gadcom
    NY -> zxdnt3d.cfg -> %SystemRoot%\System32\zxdnt3d.cfg
    NY -> g71.exe -> %SystemRoot%\System32\g71.exe
    NY -> R2xlYXNvbg -> %SystemRoot%\R2xlYXNvbg
    NY -> utthyqtk.job -> %SystemRoot%\tasks\utthyqtk.job
    NY -> pmnnLFwt.dll -> %SystemRoot%\System32\pmnnLFwt.dll
    NY -> VC -> %SystemRoot%\System32\VC
    NY -> uv9 -> %SystemRoot%\System32\uv9
    NY -> ki3 -> %SystemRoot%\System32\ki3
    NY -> hov -> %SystemRoot%\System32\hov
    NY -> bin -> %SystemRoot%\System32\bin
    NY -> .# -> %UserProfile%\Local Settings\Application Data\.#
    [Custom Items]
    [Empty Temp Folders]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below. After installing, update the database, run a full system scan and remove any items found.

Please post back with:
-the OTScanIt fix log
-the MalwareBytes log
-a new OTScanIt scan log (default settings, attached)

How is your computer running now?

With Regards,
The Panda

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.
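A triage helper for the OTScanIt fix directives posted in this thread (the one above and the shorter one in the next fix), added here as an example and not part of OTScanIt or the helper's instructions: it parses the directive lines and shows, for each DLL, how many autostart locations reference it. SAMPLE_FIX is a constructed subset of the lines above; the regexes and function names are this example's own.

```python
"""Cross-reference helper for the OTScanIt fix scripts posted in this thread.

Added example, not part of OTScanIt or the helper's instructions. It parses
the directive format ('[Section]' headers, '< Location > -> key' lines and
'YN -> name -> target [detail]' entries) and reports, for every file, which
autostart locations reference it.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the directive lines posted in the thread.
SAMPLE_FIX = r"""
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {797cf91a-508e-43a3-8b1c-45d262313c16} [HKLM] -> %SystemRoot%\system32\lunazuse.dll [Reg Error: Value  does not exist or could not be read.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "CPMdfb4003b" -> %SystemRoot%\system32\vajoneyo.dll [Rundll32.exe "c:\windows\system32\vajoneyo.dll",a]
YN -> "NBKeyScan" -> %ProgramFiles%\Nero\Nero8\Nero BackItUp\NBKeyScan.exe ["C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"]
YY -> "rosulimeje" -> %SystemRoot%\system32\rehoruzu.dll [Rundll32.exe "C:\WINDOWS\system32\rehoruzu.dll",s]
< Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "rosulimeje" -> %SystemRoot%\system32\rehoruzu.dll [Rundll32.exe "C:\WINDOWS\system32\rehoruzu.dll",s]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> nrnued.dll -> %SystemRoot%\system32\nrnued.dll
YN -> c:\windows\system32\vajoneyo.dll -> %SystemRoot%\system32\vajoneyo.dll
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\vajoneyo.dll [SSODL]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\vajoneyo.dll [STS]
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YN -> C:\WINDOWS\system32\ssqNFXqP ->
[Files/Folders - Created Within 30 Days]
NY -> nrnued.dll -> %SystemRoot%\System32\nrnued.dll
NY -> g71.exe -> %SystemRoot%\System32\g71.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
LOCATION_RE = re.compile(r"^<\s*(.+?)\s*>\s*->\s*(.+)$")
ENTRY_RE = re.compile(r"^([YN])([YN])\s*->\s*(.+?)\s*->\s*(.*)$")
DETAIL_RE = re.compile(r"^(.*?)(?:\s+\[(.*)\])?$")  # target, optional [detail]


def basename(path):
    """Lower-cased last path component, so differently written paths to one DLL compare equal."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_fix(text):
    """Return one dict per entry line; section and location lines only set
    context, and anything else (e.g. the '*AppInit_DLLs*' marker) is skipped."""
    entries, section, location = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, location = m.group(1), None
            continue
        m = LOCATION_RE.match(line)
        if m:
            location = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, rest = m.group(3), m.group(4)
        target, detail = DETAIL_RE.match(rest).groups()
        # Empty target (the LSA packages line): the name itself is the module reference.
        ref = basename(target) if target else basename(name)
        entries.append({"section": section, "location": location,
                        "flags": m.group(1) + m.group(2), "name": name,
                        "target": target, "detail": detail, "file": ref})
    return entries


def cross_reference(entries):
    """Map each file to the sorted autostart locations (Registry sections) that load it."""
    refs = defaultdict(set)
    for e in entries:
        if e["location"] and (e["section"] or "").startswith("Registry"):
            refs[e["file"]].add(e["location"])
    return {f: sorted(locs) for f, locs in refs.items()}


def multi_homed(entries, threshold=2):
    """Files wired into at least `threshold` distinct locations: the ones
    that reappear when only a single entry is removed."""
    return sorted(f for f, locs in cross_reference(entries).items()
                  if len(locs) >= threshold)


def on_disk_and_loaded(entries):
    """Recently created files (Files/Folders sections) that an autostart location also references."""
    created = {e["file"] for e in entries
               if (e["section"] or "").startswith("Files")}
    return sorted(created & set(cross_reference(entries)))


if __name__ == "__main__":
    ents = parse_fix(SAMPLE_FIX)
    for f, locs in sorted(cross_reference(ents).items()):
        print(f"{f:14} <- {', '.join(locs)}")
    print("multi-homed:", multi_homed(ents), "created+loaded:", on_disk_and_loaded(ents))
```

On the sample, vajoneyo.dll comes back from four locations at once, which is why removing one Run entry alone did not stop the popups.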

#8 NoParking

  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:22 PM

Posted 10 December 2008 - 10:49 AM

12102008 log is the OTScanIt Fix log

AVG scan log included as well. (Never mind, can't upload that file type; it came out as an Excel sheet.)

And the computer is running 10 times better and no FF popups either.

Attached Files

#9 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:05:22 PM

Posted 10 December 2008 - 09:23 PM


That looks much better.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for the AVG icon.
  • Right click it -> select Quit Control Center.
  • A warning will pop up, click Yes.
Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Registry - Safe List]
    < Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "rosulimeje" -> %SystemRoot%\system32\rehoruzu.DLL [Rundll32.exe "C:\WINDOWS\system32\rehoruzu.dll",s]
    < Run [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "rosulimeje" -> %SystemRoot%\system32\rehoruzu.DLL [Rundll32.exe "C:\WINDOWS\system32\rehoruzu.dll",s]
    [Files/Folders - Modified Within 30 Days]
    NY -> ribohija.dll -> %SystemRoot%\System32\ribohija.dll
    NY -> vomabolu.dll -> %SystemRoot%\System32\vomabolu.dll
    NY -> jijepaze.dll -> %SystemRoot%\System32\jijepaze.dll
    NY -> bapoheke.dll -> %SystemRoot%\System32\bapoheke.dll
    NY -> yevapoli.dll -> %SystemRoot%\System32\yevapoli.dll
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New > Text Document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information into your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important!: Please do not select the Show all checkbox during the scan.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Please post back with:
-the OTScanIt fix log
-the GMER log
-the Kaspersky scan log
-a new OTScanIt scan log (default settings, attached) You may run out of attachment space. If so, go to your Control Panel to remove your previous attachments to make room for new ones.

With Regards,
The Panda
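The OTScanIt fix above removes two Run values under the LocalService (S-1-5-19) and NetworkService (S-1-5-20) hives that launch a System32 DLL through rundll32, plus five more DLLs with the same style of name. The following is an added example, not part of the original post or of OTScanIt: it parses a listing written in the "Registry - Safe List" line format shown in the post and flags Vundo-style entries, i.e. rundll32 launching a System32 DLL whose name is a run of consonant-vowel pairs (rehoruzu, ribohija, ...). The sample listing and file list are constructed for the example; the two "rosulimeje" lines copy the post, and the ctfmon.exe entry is a constructed benign entry to show what is left alone. The consonant-vowel heuristic is an assumption drawn from the names in this thread, not a general Vundo signature.

```python
import re

# Constructed sample in the OTScanIt "Registry - Safe List" style used in the post.
# The two "rosulimeje" entries copy the post's fix lines; the ctfmon.exe entry is a
# constructed benign XP autostart, included so the detector has something to pass.
SAMPLE_LISTING = r'''
< Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "rosulimeje" -> %SystemRoot%\system32\rehoruzu.DLL [Rundll32.exe "C:\WINDOWS\system32\rehoruzu.dll",s]
< Run [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "rosulimeje" -> %SystemRoot%\system32\rehoruzu.DLL [Rundll32.exe "C:\WINDOWS\system32\rehoruzu.dll",s]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "ctfmon.exe" -> %SystemRoot%\system32\ctfmon.exe [C:\WINDOWS\system32\ctfmon.exe]
'''

# Constructed "modified within 30 days" file list: the post's five DLLs plus two
# legitimate system DLLs that must not be flagged.
SAMPLE_FILES = [
    "ribohija.dll", "msvcrt.dll", "vomabolu.dll", "jijepaze.dll",
    "kernel32.dll", "bapoheke.dll", "yevapoli.dll",
]

# Heuristic (assumption based on the names in this thread): 8 or 10 lowercase
# letters built purely from consonant-vowel pairs, e.g. "rehoruzu", "rosulimeje".
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4,5}$")

# Line formats copied from the listing above.
HEADER = re.compile(r"^< Run \[(?P<hive>[^\]]+)\] >")
ENTRY = re.compile(r'^YN -> "(?P<name>[^"]+)" -> (?P<target>.+?) \[(?P<cmd>.*)\]$')
# rundll32 launch of a .dll, quoted or not, optionally followed by ",export".
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)


def looks_generated(stem: str) -> bool:
    """True if a file stem or value name matches the consonant-vowel pattern."""
    return bool(CV_NAME.match(stem.lower()))


def find_suspicious_run_entries(listing: str):
    """Return (hive, value_name, dll_path) for Run values that use rundll32 to
    load a System32 DLL with a generated-looking name."""
    hive = None
    hits = []
    for raw in listing.splitlines():
        line = raw.strip()
        h = HEADER.match(line)
        if h:
            hive = h.group("hive")          # remember which Run key we are under
            continue
        e = ENTRY.match(line)
        if not e:
            continue
        d = RUNDLL_DLL.search(e.group("cmd"))
        if not d:
            continue                        # not a rundll32 launch; leave alone
        dll = d.group("dll")
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\" in dll.lower() and looks_generated(stem):
            hits.append((hive, e.group("name"), dll))
    return hits


def flag_generated_dlls(filenames):
    """Filter a list of DLL names down to those with generated-looking stems."""
    return [f for f in filenames
            if f.lower().endswith(".dll") and looks_generated(f[:-4])]


if __name__ == "__main__":
    for hive, name, dll in find_suspicious_run_entries(SAMPLE_LISTING):
        print(f"suspicious Run value {name!r} under {hive} -> {dll}")
    print("generated-looking DLLs:", flag_generated_dlls(SAMPLE_FILES))
```

The hive is tracked per "< Run [...] >" header, which is what makes the S-1-5-19 and S-1-5-20 hits visible: those are service-account hives that a user never edits by hand, so any rundll32 autostart there deserves a look even when the DLL name is not obviously random.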

#10 NoParking

  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:22 PM

Posted 12 December 2008 - 04:43 AM

I disabled AVG realtime Protection

I ran the OTScanIt Fix. The log file looked like everything worked.

I downloaded the GMER.exe to desktop and extracted to its own folder.

After running the exe and selecting the first 5 selections under settings, I clicked the OK button. It then wanted to reboot, which I allowed. Now it POSTs, and right when it should run Windows, it's just a blank screen. I reset it after waiting a good 20 min.

When I did, it asked me if I wanted to do a normal reboot, Safe Mode, Safe Mode with Networking, or Last Known Good Configuration.

I selected Normal. Still booted to a blank screen, no Windows logo or anything.

I reset and tried Safe Mode next. Still a blank screen after you see the scroll of drivers or whatever being loaded for Safe Mode.

I have not tried the Last Known Good Config; I wanted to check back here with you first because I did not want to have it loaded back in.

What next step do you want me to take?

#11 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:05:22 PM

Posted 12 December 2008 - 11:07 AM


Please give me some time to look over how to proceed.

With Regards,
The Panda

#12 NoParking

  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:22 PM

Posted 12 December 2008 - 06:46 PM

Not a problem

#13 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:05:22 PM

Posted 13 December 2008 - 01:28 AM

Hello NoParking.

Do you have your Windows XP Installation disk? If so, we can use the recovery console there to restore from the ERUNT backup.

Alternatively, if you have a blank CD and CD burner, we could work with that too.

If not, then we will try the Last known good configuration.

With Regards,
The Panda

#14 NoParking

  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:22 PM

Posted 13 December 2008 - 03:12 PM

I do have my install disk

I also have access to cd/dvd burning capabilities.

Which would you like me to do?

#15 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:05:22 PM

Posted 13 December 2008 - 08:53 PM


I want to restore from the ERUNT backup. This should remove GMER's driver.

- Boot your system from the Windows 2000/2003/XP CD-ROM.
- At the welcome screen, press "R" (Windows 2000: "R" then "C").
- Type in the number of the Windows installation you want to repair (usually 1), then press ENTER.
- Type in the Administrator password (leave blank if you are unsure what it is) and press ENTER.
- At the command prompt type
  cd erdnt
  or whatever you named your restore folder, then press ENTER.
- If you enabled automatic registry backup on system boot during ERUNT installation and want to restore one of these backups, type
  cd autobackup <ENTER>
- If you created subfolders for different registry backups (for example, with the different creation dates), type
  dir <ENTER>
  to see a list of available folders, then type
  cd foldername <ENTER>
  where foldername is the name of a folder listed by the dir command, to open that folder.
- Now type
  batch erdnt.con <ENTER>
  to restore the system registry from that folder.
- Type
  exit <ENTER>
  and remove the CD from the CD-ROM drive. The system will now reboot with the restored registry.

***First try the backup in the folder with the most recent date. Reboot. If still no go, try the next most recent one.

Tell me how it goes.

With Regards,
The Panda
