DeeWoo infection


  • This topic is locked
12 replies to this topic

#1 Zaij

Zaij

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:12 AM

Posted 05 December 2008 - 10:02 AM

Hey guys, I'm having trouble with DeeWoo. I've tried System Restore, playing with msconfig, etc., no bingo.

Here's the HijackThis logfile.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:08 AM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\WINDOWS\system32\msconfig.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\Curse\CurseClient.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Java\jre6\bin\java.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - D:\WINDOWS\system32\mlJASmnl.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: mysidesearch search enhancer - {b0f2787f-a4e0-cdc5-8ee1-41eaf315509c} - D:\WINDOWS\system32\kjwvnqsikr.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\system32\msconfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CurseClient] D:\Program Files\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227374627256
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: mwyxlz.dll
O20 - Winlogon Notify: mlJASmnl - D:\WINDOWS\SYSTEM32\mlJASmnl.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - D:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5956 bytes

Thanks,

Zaij


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 15 December 2008 - 09:31 PM

Hello Zaij,


Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 25 December 2008 - 07:46 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 28 December 2008 - 12:06 PM

Topic reopened at starter's request.

Please post a new HijackThis log and tell me what problems you're having. :thumbsup:

Thanks,
tea

#5 Zaij

Zaij
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:12 AM

Posted 28 December 2008 - 12:21 PM

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:22 AM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\Curse\CurseClient.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {0a5f1873-ec27-ad29-a934-2c35c5e795f6} - {6f597e5c-53c2-439a-92da-72ce3781f5a0} - D:\WINDOWS\system32\jruggo.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: mysidesearch search enhancer - {B0F2787F-A4E0-CDC5-8EE1-41EAF315509C} - D:\WINDOWS\system32\kjwvnqsikr.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CurseClient] D:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227374627256
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00C73B9.dat
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - D:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6772 bytes




I get occasional popups. Whenever the computer starts up I get a bunch of errors which I have to click OK through, then go control alt delete, new task, explorer just to be able to see the desktop and do normal computer stuff. Beyond that, I'm not sure what to say. Any help would be greatly appreciated,

Zaij.
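The two HijackThis logs above are what a helper reads first, and the entries that matter are the load points: O2 browser helper objects, the O20 AppInit_DLLs value and Winlogon Notify packages. The script below is an added example written for this page, not material from the thread or a HijackThis feature. It parses log lines of that format and flags the three patterns visible in these logs: a BHO with no readable name (the "(no name)" and GUID-named entries), a populated AppInit_DLLs value (which Windows loads into every process that links user32.dll), and random-looking module names under system32. The sample lines are copied from the logs posted above; the looks_random heuristic and the high/medium labels are this example's own assumptions, a triage aid for a reviewer to confirm rather than a verdict.

```python
"""Triage a HijackThis-style log: flag the load points malware of this era abused."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Sample entries copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - D:\WINDOWS\system32\mlJASmnl.dll
O2 - BHO: {0a5f1873-ec27-ad29-a934-2c35c5e795f6} - {6f597e5c-53c2-439a-92da-72ce3781f5a0} - D:\WINDOWS\system32\jruggo.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: mysidesearch search enhancer - {B0F2787F-A4E0-CDC5-8EE1-41EAF315509C} - D:\WINDOWS\system32\kjwvnqsikr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00C73B9.dat
O20 - Winlogon Notify: mlJASmnl - D:\WINDOWS\SYSTEM32\mlJASmnl.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|dat|sys)\b", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)
VOWELS = "aeiouy"


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"; the scale is this example's assumption
    line: str
    reason: str


def looks_random(stem: str) -> bool:
    """Heuristic (assumption of this example) for dropper-generated file names:
    an alphabetic stem of 6+ letters with a run of 5+ consonants or at most 20%
    vowels. It will misfire on some vendor names, so it is a triage aid only."""
    if not stem.isalpha() or len(stem) < 6:
        return False
    low = stem.lower()
    vowel_ratio = sum(c in VOWELS for c in low) / len(low)
    longest_consonant_run = max(len(run) for run in re.split(f"[{VOWELS}]", low))
    return longest_consonant_run >= 5 or vowel_ratio <= 0.2


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one log entry (empty when the entry looks normal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    findings = []
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        # Anything listed here is mapped into every process that loads user32.dll.
        findings.append(Finding("high", line, "AppInit_DLLs is populated"))
    elif section == "O20" and body.startswith("Winlogon Notify:"):
        findings.append(Finding("medium", line, "Winlogon Notify package loads into winlogon.exe"))
    elif section == "O2":
        # Entry shape: "BHO: <name> - {CLSID} - <path>"
        name = body.split(" - ")[0].removeprefix("BHO: ").strip()
        if name == "(no name)" or GUID_RE.fullmatch(name):
            findings.append(Finding("medium", line, "BHO has no readable name"))
    for path in PATH_RE.findall(body):
        stem = PureWindowsPath(path).stem
        if "\\system32\\" in path.lower() and looks_random(stem):
            findings.append(Finding("medium", line, f"random-looking module name in system32: {stem}"))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of a log and concatenate the findings."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 1, 'medium': 6}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample the script flags five of the eight lines: the AppInit_DLLs entry as high, and the unnamed BHO, the GUID-named BHO, the kjwvnqsikr.dll BHO and the Winlogon Notify package as medium. The two Java and NVIDIA entries pass, which is the point of restricting the name heuristic to system32 and to purely alphabetic stems; a reviewer still confirms each flagged file (publisher signature, creation date, whether the name appears in the ComboFix deletions list) before acting on it.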

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 28 December 2008 - 12:41 PM

Hello,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

#7 Zaij

Zaij
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:12 AM

Posted 28 December 2008 - 09:41 PM

ComboFix 08-12-28.01 - Anna 2008-12-29 13:35:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1444 [GMT 11:00]
Running from: d:\documents and settings\Anna\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\__c0012C71.dat
d:\windows\system32\__c0018C5D.dat
d:\windows\system32\__c00383B1.dat
d:\windows\system32\__c0041A04.dat
d:\windows\system32\__c00482F9.dat
d:\windows\system32\__c004FBFB.dat
d:\windows\system32\__c0055A7C.dat
d:\windows\system32\__c0056E3A.dat
d:\windows\system32\__c005DC4.dat
d:\windows\system32\__c0087A14.dat
d:\windows\system32\__c0095FAC.dat
d:\windows\system32\__c00C73B9.dat
d:\windows\system32\__c00CD0B4.dat
d:\windows\system32\__c00D1F0.dat
d:\windows\system32\__c00DE1F5.dat
d:\windows\system32\__c00DEE44.dat
d:\windows\system32\__c00E27A2.dat
d:\windows\system32\__c00F6381.dat
d:\windows\system32\ajahqbws.dll
d:\windows\system32\bmvoconj.dll
d:\windows\system32\btcxuavr.dll
d:\windows\system32\cewdkart.ini
d:\windows\system32\dappmpep.ini
d:\windows\system32\diezil.dll
d:\windows\system32\dnlnhahh.dll
d:\windows\system32\ejnukmsk.ini
d:\windows\system32\eoyobj.dll
d:\windows\system32\epcaqpbt.ini
d:\windows\system32\etwagghr.dll
d:\windows\system32\ewxbxv.dll
d:\windows\system32\fetfhe.dll
d:\windows\system32\ffwcckxf.dll
d:\windows\system32\fjhvuafj.dll
d:\windows\system32\fssbevik.dll
d:\windows\system32\fwwffmlu.dll
d:\windows\system32\fxkccwff.ini
d:\windows\system32\gvmaonvo.dll
d:\windows\system32\jagxecdw.dll
d:\windows\system32\jhhkakls.dll
d:\windows\system32\jruggo.dll
d:\windows\system32\knegxahl.dll
d:\windows\system32\ksmkunje.dll
d:\windows\system32\kudzbr.dll
d:\windows\system32\lhaxgenk.ini
d:\windows\system32\lhicesjl.ini
d:\windows\system32\ljsecihl.dll
d:\windows\system32\ltjxgemd.dll
d:\windows\system32\lxemkg.dll
d:\windows\system32\mcrh.tmp
d:\windows\system32\mgbqpacs.dll
d:\windows\system32\mlJASmnl.dll
d:\windows\system32\mlJDuvtQ.dll
d:\windows\system32\nhpgpx.dll
d:\windows\system32\nnnmkKBR.dll
d:\windows\system32\npillg.dll
d:\windows\system32\npphjcsw.dll
d:\windows\system32\ojuywo.dll
d:\windows\system32\pepmppad.dll
d:\windows\system32\QtvuDJlm.ini
d:\windows\system32\QtvuDJlm.ini2
d:\windows\system32\scapqbgm.ini
d:\windows\system32\sltufujl.ini
d:\windows\system32\spxglrbx.dll
d:\windows\system32\swbqhaja.ini
d:\windows\system32\taxbmm.dll
d:\windows\system32\tbpqacpe.dll
d:\windows\system32\tlacxm.dll
d:\windows\system32\tnpwghkj.dll
d:\windows\system32\trakdwec.dll
d:\windows\system32\txlhfnuy.dll
d:\windows\system32\uftsbpay.ini
d:\windows\system32\ulmffwwf.ini
d:\windows\system32\uwmpppwd.dll
d:\windows\system32\uXPi02
d:\windows\system32\uXPi02\uXPi022328.exe
d:\windows\system32\vocfnd.dll
d:\windows\system32\vxwDNqru.ini
d:\windows\system32\vxwDNqru.ini2
d:\windows\system32\wdcexgaj.ini
d:\windows\system32\wlmurrbe.dll
d:\windows\system32\xbrlgxps.ini
d:\windows\system32\xvgpvegq.dll
d:\windows\system32\ybdsmm.dll
d:\windows\system32\yunfhlxt.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-27 19:59 . 2008-12-29 10:10 <DIR> d-------- d:\documents and settings\Anna\Application Data\skypePM
2008-12-27 19:59 . 2008-12-27 19:59 56 --ah----- d:\windows\system32\ezsidmv.dat
2008-12-27 19:58 . 2008-12-27 19:58 <DIR> d-------- d:\program files\Skype
2008-12-27 19:58 . 2008-12-27 19:58 <DIR> d-------- d:\program files\Common Files\Skype
2008-12-27 19:58 . 2008-12-29 13:38 <DIR> d-------- d:\documents and settings\Anna\Application Data\Skype
2008-12-27 19:57 . 2008-12-27 19:58 <DIR> d-------- d:\documents and settings\All Users\Application Data\Skype
2008-12-26 00:35 . 2008-12-26 00:35 636,928 --a------ d:\windows\system32\kjwvnqsikr.dll
2008-12-22 19:01 . 2008-12-22 23:50 641 --a------ d:\windows\wincmd.ini
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\UC.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\RAR.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\PKZIP.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\PKUNZIP.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\NOCLOSE.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\LHA.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\ARJ.PIF
2008-12-22 18:41 . 2008-12-22 18:41 <DIR> d-------- d:\program files\iTunes
2008-12-22 18:41 . 2008-12-22 18:41 <DIR> d-------- d:\program files\iPod
2008-12-22 18:41 . 2008-12-22 18:45 <DIR> d-------- d:\documents and settings\Anna\Application Data\Apple Computer
2008-12-22 18:41 . 2008-12-22 18:41 <DIR> d-------- d:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 18:41 . 2008-04-17 13:12 107,368 --a------ d:\windows\system32\GEARAspi.dll
2008-12-22 18:41 . 2008-04-17 13:12 15,464 --a------ d:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 18:40 . 2008-12-22 18:40 <DIR> d-------- d:\program files\Bonjour
2008-12-22 18:39 . 2008-12-22 18:40 <DIR> d-------- d:\program files\QuickTime
2008-12-22 18:39 . 2008-12-22 18:41 <DIR> d-------- d:\documents and settings\All Users\Application Data\Apple Computer
2008-12-22 18:38 . 2008-12-22 18:38 <DIR> d-------- d:\program files\Apple Software Update
2008-12-22 18:37 . 2008-12-22 18:41 <DIR> d-------- d:\program files\Common Files\Apple
2008-12-22 18:37 . 2008-11-07 14:23 32,000 --a------ d:\windows\system32\drivers\usbaapl.sys
2008-12-22 18:25 . 2008-04-14 04:42 159,232 --a------ d:\windows\system32\ptpusd.dll
2008-12-22 18:25 . 2008-04-13 23:15 15,104 --a------ d:\windows\system32\drivers\usbscan.sys
2008-12-22 18:25 . 2008-04-13 23:15 15,104 --a------ d:\windows\system32\dllcache\usbscan.sys
2008-12-22 18:25 . 2001-08-17 21:36 5,632 --a------ d:\windows\system32\ptpusb.dll
2008-12-22 00:37 . 2008-12-22 00:37 268 --ah----- D:\sqmdata08.sqm
2008-12-22 00:37 . 2008-12-22 00:37 244 --ah----- D:\sqmnoopt08.sqm
2008-12-21 01:18 . 2008-12-21 01:18 51,200 --a------ d:\windows\system32\slrifngw.dll
2008-12-21 01:15 . 2008-12-21 01:15 51,200 --a------ d:\windows\system32\qvxmwryi.dll
2008-12-21 01:11 . 2008-12-21 01:11 51,200 --a------ d:\windows\system32\hllqygec.dll
2008-12-20 01:13 . 2008-12-20 01:13 51,200 --a------ d:\windows\system32\susfyrla.dll
2008-12-20 01:10 . 2008-12-20 01:10 51,200 --a------ d:\windows\system32\lypswpex.dll
2008-12-19 01:14 . 2008-12-19 01:14 51,200 --a------ d:\windows\system32\gvhroiom.dll
2008-12-18 01:09 . 2008-12-18 01:09 51,200 --a------ d:\windows\system32\knrprtoe.dll
2008-12-18 01:09 . 2008-12-18 01:09 51,200 --a------ d:\windows\system32\hwtoyrho.dll
2008-12-16 01:39 . 2008-12-16 01:40 51,200 --a------ d:\windows\system32\hclemdcn.dll
2008-12-15 09:18 . 2008-12-15 09:18 51,200 --a------ d:\windows\system32\irtligel.dll
2008-12-15 09:16 . 2008-12-15 09:16 51,200 --a------ d:\windows\system32\tvnrmmgb.dll
2008-12-15 09:16 . 2008-12-15 09:16 51,200 --a------ d:\windows\system32\jofrofxe.dll
2008-12-14 12:15 . 2008-12-14 12:15 51,200 --a------ d:\windows\system32\tylgmmqv.dll
2008-12-14 12:14 . 2008-12-14 12:14 51,200 --a------ d:\windows\system32\mxmrnenj.dll
2008-12-13 11:45 . 2008-12-13 11:45 51,200 --a------ d:\windows\system32\kmtouuyp.dll
2008-12-13 11:42 . 2008-12-13 11:42 51,200 --a------ d:\windows\system32\uukmojiv.dll
2008-12-12 11:41 . 2008-12-12 11:41 51,200 --a------ d:\windows\system32\ykutaadh.dll
2008-12-12 11:38 . 2008-12-12 11:38 51,200 --a------ d:\windows\system32\geaqgxyt.dll
2008-12-11 08:49 . 2008-12-11 08:49 51,200 --a------ d:\windows\system32\wygoebnk.dll
2008-12-11 08:46 . 2008-12-11 08:46 51,200 --a------ d:\windows\system32\xtjonjxq.dll
2008-12-10 12:16 . 2008-12-10 12:16 51,200 --a------ d:\windows\system32\qimvajep.dll
2008-12-10 11:53 . 2008-12-10 11:53 51,200 --a------ d:\windows\system32\gyjjmsru.dll
2008-12-09 11:49 . 2008-12-09 11:49 51,200 --a------ d:\windows\system32\qoiwobxr.dll
2008-12-09 11:40 . 2008-12-09 11:40 51,200 --a------ d:\windows\system32\cyqusltb.dll
2008-12-09 11:37 . 2008-12-09 11:37 51,200 --a------ d:\windows\system32\kwxprnla.dll
2008-12-09 11:35 . 2008-12-09 11:35 51,200 --a------ d:\windows\system32\qtacbavw.dll
2008-12-07 22:21 . 2008-12-07 22:21 51,200 --a------ d:\windows\system32\pgcsopat.dll
2008-12-07 22:19 . 2008-12-07 22:19 51,200 --a------ d:\windows\system32\colpshrk.dll
2008-12-07 02:33 . 2008-12-07 02:33 51,200 --a------ d:\windows\system32\jddyvhoy.dll
2008-12-07 02:32 . 2008-12-07 02:32 51,200 --a------ d:\windows\system32\alwykyfr.dll
2008-12-06 02:30 . 2008-12-06 02:31 51,200 --a------ d:\windows\system32\xtelsdwg.dll
2008-12-06 01:39 . 2008-12-06 01:39 <DIR> d-------- d:\windows\Sun
2008-12-06 01:37 . 2008-12-06 01:37 410,984 --a------ d:\windows\system32\deploytk.dll
2008-12-06 01:37 . 2008-12-06 01:37 73,728 --a------ d:\windows\system32\javacpl.cpl
2008-12-06 01:36 . 2008-12-06 01:36 <DIR> d-------- d:\program files\Java
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\windows\system32\xircom
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\windows\system32\oobe
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\windows\srchasst
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\program files\microsoft frontpage
2008-12-06 01:18 . 2008-12-06 01:18 51,200 --a------ d:\windows\system32\bsnrhxud.dll
2008-12-06 01:09 . 2008-12-06 01:09 51,200 --a------ d:\windows\system32\owjeahon.dll
2008-12-06 01:05 . 2008-12-06 01:05 <DIR> d-------- d:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-12-05 02:14 . 2008-12-05 02:14 <DIR> d-------- d:\program files\Trend Micro
2008-12-04 19:44 . 2008-12-04 19:44 <DIR> d-------- d:\program files\Lavasoft
2008-12-04 19:44 . 2008-12-06 01:05 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2008-12-04 19:44 . 2008-12-04 19:44 51,200 --a------ d:\windows\system32\wjpuikxj.dll
2008-12-04 19:44 . 2008-12-04 19:44 51,200 --a------ d:\windows\system32\mxaqevdu.dll
2008-12-04 19:41 . 2008-12-04 19:41 51,200 --a------ d:\windows\system32\kbfyqeol.dll
2008-12-04 19:41 . 2008-12-04 19:41 51,200 --a------ d:\windows\system32\bgxhvfpx.dll
2008-12-04 19:39 . 2008-12-26 17:28 68,513 --a------ d:\windows\system32\kjwvnqsikr.dll-uninst.exe
2008-12-04 19:38 . 2008-12-04 19:38 51,200 --a------ d:\windows\system32\nsemnrxk.dll
2008-12-04 19:38 . 2008-12-04 19:38 51,200 --a------ d:\windows\system32\jgmpjsqb.dll
2008-12-04 19:35 . 2008-12-04 19:35 51,200 --a------ d:\windows\system32\dogibwke.dll
2008-12-04 19:35 . 2008-12-04 19:35 51,200 --a------ d:\windows\system32\ddexcefj.dll
2008-12-04 19:32 . 2008-12-04 19:32 51,200 --a------ d:\windows\system32\xupeelkc.dll
2008-12-04 19:32 . 2008-12-04 19:32 51,200 --a------ d:\windows\system32\reobxaob.dll
2008-12-04 19:29 . 2008-12-04 19:29 51,200 --a------ d:\windows\system32\phixiknd.dll
2008-12-04 19:29 . 2008-12-04 19:29 51,200 --a------ d:\windows\system32\bnnkhwpl.dll
2008-12-04 19:26 . 2008-12-04 19:26 51,200 --a------ d:\windows\system32\ogvldtjr.dll
2008-12-04 19:26 . 2008-12-04 19:26 51,200 --a------ d:\windows\system32\fdtnvssh.dll
2008-12-04 19:23 . 2008-12-04 19:23 51,200 --a------ d:\windows\system32\ooricfdv.dll
2008-12-04 19:23 . 2008-12-04 19:23 51,200 --a------ d:\windows\system32\hoxpovgo.dll
2008-12-04 19:20 . 2008-12-04 19:20 51,200 --a------ d:\windows\system32\uioltgcc.dll
2008-12-04 19:20 . 2008-12-04 19:20 51,200 --a------ d:\windows\system32\ggkpmggt.dll
2008-12-04 19:17 . 2008-12-04 19:17 51,200 --a------ d:\windows\system32\lovoywxt.dll
2008-12-04 19:17 . 2008-12-04 19:17 51,200 --a------ d:\windows\system32\arokfksx.dll
2008-12-04 19:14 . 2008-12-04 19:14 51,200 --a------ d:\windows\system32\ppvrxhti.dll
2008-12-04 19:14 . 2008-12-04 19:14 51,200 --a------ d:\windows\system32\mcerpfqm.dll
2008-12-04 19:11 . 2008-12-04 19:11 51,200 --a------ d:\windows\system32\nonnjgyj.dll
2008-12-04 19:11 . 2008-12-04 19:11 51,200 --a------ d:\windows\system32\bmlobwrj.dll
2008-12-04 19:08 . 2008-12-04 19:08 51,200 --a------ d:\windows\system32\ynslpgwa.dll
2008-12-04 19:08 . 2008-12-04 19:08 51,200 --a------ d:\windows\system32\nnnqwres.dll
2008-12-04 19:05 . 2008-12-04 19:05 51,200 --a------ d:\windows\system32\umkrmsyv.dll
2008-12-04 19:05 . 2008-12-04 19:05 51,200 --a------ d:\windows\system32\ipjiegwn.dll
2008-12-04 19:02 . 2008-12-04 19:02 51,200 --a------ d:\windows\system32\ypcplkpl.dll
2008-12-04 19:02 . 2008-12-04 19:02 51,200 --a------ d:\windows\system32\vvrytbsp.dll
2008-12-04 18:59 . 2008-12-04 18:59 51,200 --a------ d:\windows\system32\tqoxeirx.dll
2008-12-04 18:59 . 2008-12-04 18:59 51,200 --a------ d:\windows\system32\rdlidiih.dll
2008-12-04 18:56 . 2008-12-04 18:56 51,200 --a------ d:\windows\system32\dlmbytoo.dll
2008-12-04 18:56 . 2008-12-04 18:56 51,200 --a------ d:\windows\system32\dklmxftr.dll
2008-12-04 18:53 . 2008-12-04 18:53 51,200 --a------ d:\windows\system32\hgnqfqpu.dll
2008-12-04 18:53 . 2008-12-04 18:53 51,200 --a------ d:\windows\system32\comjygqy.dll
2008-12-04 18:50 . 2008-12-04 18:50 51,200 --a------ d:\windows\system32\nswcowqx.dll
2008-12-04 18:50 . 2008-12-04 18:50 51,200 --a------ d:\windows\system32\ivoyllgd.dll
2008-12-04 18:47 . 2008-12-04 18:47 51,200 --a------ d:\windows\system32\xukerfnb.dll
2008-12-04 18:47 . 2008-12-04 18:47 51,200 --a------ d:\windows\system32\lgjdcxpq.dll
2008-12-04 18:44 . 2008-12-04 18:44 51,200 --a------ d:\windows\system32\towjtyfm.dll
2008-12-04 18:39 . 2008-12-04 18:39 <DIR> d-------- d:\windows\system32\evp
2008-12-04 18:39 . 2008-12-04 20:09 <DIR> d-------- d:\windows\system32\AT
2008-12-04 18:39 . 2008-12-04 18:39 548,928 --a------ d:\windows\system32\scntssdl.exe
2008-12-04 18:39 . 2008-12-04 18:39 153,425 --a------ d:\windows\system32\g44.exe
2008-12-04 18:39 . 2008-12-04 18:39 47,584 --a------ d:\windows\system32\whjapchkuhuuhu.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 12:50 --------- d-----w d:\documents and settings\Anna\Application Data\uTorrent
2008-12-23 09:28 --------- d-----w d:\documents and settings\All Users\Application Data\Soulseek
2008-12-19 14:23 --------- d-----w d:\program files\Ares
2008-12-04 08:44 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-03 15:38 --------- d-----w d:\program files\Ventrilo
2008-11-25 13:29 --------- d-----w d:\program files\Combined Community Codec Pack
2008-11-24 00:56 --------- d-----w d:\program files\Curse
2008-11-22 22:32 --------- d-----w d:\documents and settings\All Users\Application Data\Blizzard
2008-11-22 18:10 --------- d-----w d:\program files\MSXML 4.0
2008-11-22 18:10 --------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-09 05:38 --------- d-----w d:\program files\Common Files\3DO Shared
2008-11-09 05:38 --------- d-----w d:\program files\3DO
2008-11-09 03:57 --------- d-----w d:\documents and settings\Anna\Application Data\Ahead
2008-11-08 09:41 --------- d-----w d:\program files\DAEMON Tools Lite
2008-11-08 09:41 --------- d-----w d:\documents and settings\Anna\Application Data\DAEMON Tools
2008-11-08 09:25 --------- d-----w d:\program files\DAEMON Tools Pro
2008-11-08 08:25 --------- d-----w d:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2008-11-08 08:23 717,296 ----a-w d:\windows\system32\drivers\sptd.sys
2008-11-08 08:23 --------- d-----w d:\documents and settings\Anna\Application Data\DAEMON Tools Pro
2008-10-31 10:52 --------- d-----w d:\documents and settings\Administrator\Application Data\uTorrent
2008-10-29 23:39 --------- d-----w d:\program files\Soulseek
2008-10-29 23:36 --------- d-----w d:\program files\SoulseekNS
2008-05-05 20:14 34,048 ----a-w d:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 45,056 ----a-w d:\program files\opera\program\plugins\upd62int.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_ 1.22.00.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-22 07:41:48 102,400 ----a-r d:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
+ 2008-12-22 07:38:24 27,136 ----a-r d:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2008-12-22 07:40:35 86,016 ----a-r d:\windows\Installer\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}\PrntWzrdIco.exe
+ 2008-08-28 23:18:58 87,336 ----a-w d:\windows\system32\dns-sd.exe
+ 2008-08-28 22:53:50 61,440 ----a-w d:\windows\system32\dnssd.dll
+ 2008-04-17 02:12:54 107,368 -c--a-w d:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll
+ 2008-04-17 02:12:54 15,464 -c--a-w d:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys
+ 2008-11-07 03:23:30 32,000 -c--a-w d:\windows\system32\DRVSTORE\usbaapl_246F92BBD6449C86FC3F3F28C40D59AC1F69C558\usbaapl.sys
+ 2008-12-05 14:37:02 144,792 ----a-w d:\windows\system32\java.exe
+ 2008-12-05 14:37:02 144,792 ----a-w d:\windows\system32\javaw.exe
+ 2008-12-05 14:37:02 148,888 ----a-w d:\windows\system32\javaws.exe
+ 2008-12-29 02:37:50 16,384 ----atw d:\windows\temp\Perflib_Perfdata_698.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0F2787F-A4E0-CDC5-8EE1-41EAF315509C}]
2008-12-26 00:35 636928 --a------ d:\windows\system32\kjwvnqsikr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-25 490952]
"CurseClient"="d:\program files\Curse\CurseClient.exe" [2008-10-11 4789760]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-05-17 13529088]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-05-17 86016]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-04-02 36352]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-06 136600]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2008-05-17 d:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-05-06 d:\windows\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\D:^Documents and Settings^Anna^Start Menu^Programs^Startup^Deewoo.lnk]
path=d:\documents and settings\Anna\Start Menu\Programs\Startup\Deewoo.lnk
backup=d:\windows\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^Anna^Start Menu^Programs^Startup^DW_Start.lnk]
path=d:\documents and settings\Anna\Start Menu\Programs\Startup\DW_Start.lnk
backup=d:\windows\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^Anna^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=d:\documents and settings\Anna\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=d:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5088859e]
d:\windows\system32\txlhfnuy.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]
--a------ 2007-09-06 21:19 1426432 d:\program files\ASUS\Ai Suite\AiNap\AiNap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpu Level Up help]
--a------ 2007-09-11 20:32 880640 d:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPU Power Monitor]
--a------ 2007-10-16 21:35 626176 d:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch As Cmd Runner]
--a------ 2007-04-12 03:34 376832 d:\program files\ASUS\AI Direct Link\AsCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Direct Link]
--a------ 2007-08-20 21:42 1209856 d:\program files\ASUS\AI Direct Link\AsShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-04-11 01:52 16861184 d:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\games\\Steam\\steamapps\\teasr61@hotmail.com\\counter-strike source\\hl2.exe"=
"d:\\Program Files\\Curse\\CurseClient.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=
"d:\\Program Files\\SoulseekNS\\slsk.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{763e9e9a-44a3-11dd-bb76-df9d78834542}]
\Shell\Auto\command - H:\Start.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{794db6e1-a60c-11dd-bbd3-001e8cd29b2d}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{6f597e5c-53c2-439a-92da-72ce3781f5a0} - d:\windows\system32\jruggo.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - d:\documents and settings\Anna\Application Data\Mozilla\Firefox\Profiles\aydocz0q.default\
FF - prefs.js: browser.startup.homepage - www.bigpond.com
FF - component: d:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 13:37:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(852)
d:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\rundll32.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\wdfmgr.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
d:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
d:\program files\iPod\bin\iPodService.exe
d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
d:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-12-29 13:38:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 02:38:50
ComboFix2.txt 2008-12-05 14:22:21

Pre-Run: 63,493,947,392 bytes free
Post-Run: 63,546,540,032 bytes free


HIJACK THIS LOG


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:36 PM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\Curse\CurseClient.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: mysidesearch search enhancer - {B0F2787F-A4E0-CDC5-8EE1-41EAF315509C} - D:\WINDOWS\system32\kjwvnqsikr.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CurseClient] D:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227374627256
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - D:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6658 bytes



I should add that after combofix ran I didn't have any of the problems with errors at startup.

#8 teacup61

  • Malware Response Team

Posted 28 December 2008 - 10:41 PM

Hello,

Good to know it's better, but still some to do:

* Open Notepad (don't use any text editor other than Notepad, or the script will fail).
Copy/paste the text in the quote box below into Notepad:

KILLALL::

File::
d:\windows\system32\scntssdl.exe
d:\windows\system32\g44.exe
d:\windows\system32\whjapchkuhuuhu.exe
d:\windows\system32\wjpuikxj.dll
2d:\windows\system32\mxaqevdu.dll
d:\windows\system32\kbfyqeol.dll
d:\windows\system32\bgxhvfpx.dll
d:\windows\system32\kjwvnqsikr.dll-uninst.exe
d:\windows\system32\nsemnrxk.dll
d:\windows\system32\jgmpjsqb.dll
d:\windows\system32\dogibwke.dll
d:\windows\system32\ddexcefj.dll
d:\windows\system32\xupeelkc.dll
d:\windows\system32\reobxaob.dll
d:\windows\system32\phixiknd.dll
d:\windows\system32\bnnkhwpl.dll
d:\windows\system32\ogvldtjr.dll
d:\windows\system32\fdtnvssh.dll
d:\windows\system32\ooricfdv.dll
d:\windows\system32\hoxpovgo.dll
d:\windows\system32\uioltgcc.dll
d:\windows\system32\ggkpmggt.dll
d:\windows\system32\lovoywxt.dll
d:\windows\system32\arokfksx.dll
d:\windows\system32\ppvrxhti.dll
d:\windows\system32\mcerpfqm.dll
d:\windows\system32\nonnjgyj.dll
d:\windows\system32\bmlobwrj.dll
d:\windows\system32\ynslpgwa.dll
d:\windows\system32\nnnqwres.dll
d:\windows\system32\umkrmsyv.dll
d:\windows\system32\ipjiegwn.dll
d:\windows\system32\ypcplkpl.dll
d:\windows\system32\vvrytbsp.dll
d:\windows\system32\tqoxeirx.dll
d:\windows\system32\rdlidiih.dll
d:\windows\system32\dlmbytoo.dll
d:\windows\system32\dklmxftr.dll
d:\windows\system32\hgnqfqpu.dll
d:\windows\system32\comjygqy.dll
d:\windows\system32\nswcowqx.dll
d:\windows\system32\ivoyllgd.dll
d:\windows\system32\xukerfnb.dll
d:\windows\system32\lgjdcxpq.dll
d:\windows\system32\towjtyfm.dll
d:\windows\system32\bsnrhxud.dll
d:\windows\system32\owjeahon.dll
d:\windows\system32\slrifngw.dll
d:\windows\system32\qvxmwryi.dll
d:\windows\system32\hllqygec.dll
d:\windows\system32\susfyrla.dll
d:\windows\system32\lypswpex.dll
d:\windows\system32\gvhroiom.dll
d:\windows\system32\knrprtoe.dll
d:\windows\system32\hwtoyrho.dll
d:\windows\system32\hclemdcn.dll
d:\windows\system32\irtligel.dll
d:\windows\system32\tvnrmmgb.dll
d:\windows\system32\jofrofxe.dll
d:\windows\system32\tylgmmqv.dll
d:\windows\system32\mxmrnenj.dll
d:\windows\system32\kmtouuyp.dll
d:\windows\system32\uukmojiv.dll
d:\windows\system32\ykutaadh.dll
d:\windows\system32\geaqgxyt.dll
d:\windows\system32\wygoebnk.dll
d:\windows\system32\xtjonjxq.dll
d:\windows\system32\qimvajep.dll
d:\windows\system32\gyjjmsru.dll
d:\windows\system32\qoiwobxr.dll
d:\windows\system32\cyqusltb.dll
d:\windows\system32\kwxprnla.dll
d:\windows\system32\qtacbavw.dll
d:\windows\system32\pgcsopat.dll
d:\windows\system32\colpshrk.dll
d:\windows\system32\jddyvhoy.dll
d:\windows\system32\alwykyfr.dll
d:\windows\system32\xtelsdwg.dll
d:\windows\system32\kjwvnqsikr.dll

Folder::
d:\windows\system32\evp
d:\windows\system32\AT
d:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Thanks,
tea

#9 Zaij

  • Topic Starter

Posted 29 December 2008 - 11:39 AM

ComboFix 08-12-28.01 - Anna 2008-12-30 3:35:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1670 [GMT 11:00]
Running from: d:\documents and settings\Anna\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Anna\Desktop\CFScript.txt
* Created a new restore point

FILE ::
2d:\windows\system32\mxaqevdu.dll
d:\windows\system32\g44.exe
d:\windows\system32\scntssdl.exe
d:\windows\system32\whjapchkuhuuhu.exe
d:\windows\system32\wjpuikxj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
d:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustCall64.dll
d:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCall.dll
d:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCalla.dll
d:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCalla1.dll
d:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseData.ini
d:\windows\system32\AT
d:\windows\system32\AT\MTK63G.exe
d:\windows\system32\evp
d:\windows\system32\evp\peco85IV.exe
d:\windows\system32\g44.exe
d:\windows\system32\scntssdl.exe
d:\windows\system32\whjapchkuhuuhu.exe
d:\windows\system32\wjpuikxj.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-30 03:33 . 2008-12-30 03:34 <DIR> d-------- D:\32788R22FWJFW
2008-12-27 19:59 . 2008-12-30 00:32 <DIR> d-------- d:\documents and settings\Anna\Application Data\skypePM
2008-12-27 19:59 . 2008-12-27 19:59 56 --ah----- d:\windows\system32\ezsidmv.dat
2008-12-27 19:58 . 2008-12-27 19:58 <DIR> d-------- d:\program files\Skype
2008-12-27 19:58 . 2008-12-27 19:58 <DIR> d-------- d:\program files\Common Files\Skype
2008-12-27 19:58 . 2008-12-30 03:32 <DIR> d-------- d:\documents and settings\Anna\Application Data\Skype
2008-12-27 19:57 . 2008-12-27 19:58 <DIR> d-------- d:\documents and settings\All Users\Application Data\Skype
2008-12-26 00:35 . 2008-12-26 00:35 636,928 --a------ d:\windows\system32\kjwvnqsikr.dll
2008-12-22 19:01 . 2008-12-22 23:50 641 --a------ d:\windows\wincmd.ini
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\UC.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\RAR.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\PKZIP.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\PKUNZIP.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\NOCLOSE.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\LHA.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\ARJ.PIF
2008-12-22 18:41 . 2008-12-22 18:41 <DIR> d-------- d:\program files\iTunes
2008-12-22 18:41 . 2008-12-22 18:41 <DIR> d-------- d:\program files\iPod
2008-12-22 18:41 . 2008-12-22 18:45 <DIR> d-------- d:\documents and settings\Anna\Application Data\Apple Computer
2008-12-22 18:41 . 2008-12-22 18:41 <DIR> d-------- d:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 18:41 . 2008-04-17 13:12 107,368 --a------ d:\windows\system32\GEARAspi.dll
2008-12-22 18:41 . 2008-04-17 13:12 15,464 --a------ d:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 18:40 . 2008-12-22 18:40 <DIR> d-------- d:\program files\Bonjour
2008-12-22 18:39 . 2008-12-22 18:40 <DIR> d-------- d:\program files\QuickTime
2008-12-22 18:39 . 2008-12-22 18:41 <DIR> d-------- d:\documents and settings\All Users\Application Data\Apple Computer
2008-12-22 18:38 . 2008-12-22 18:38 <DIR> d-------- d:\program files\Apple Software Update
2008-12-22 18:37 . 2008-12-22 18:41 <DIR> d-------- d:\program files\Common Files\Apple
2008-12-22 18:37 . 2008-11-07 14:23 32,000 --a------ d:\windows\system32\drivers\usbaapl.sys
2008-12-22 18:25 . 2008-04-14 04:42 159,232 --a------ d:\windows\system32\ptpusd.dll
2008-12-22 18:25 . 2008-04-13 23:15 15,104 --a------ d:\windows\system32\drivers\usbscan.sys
2008-12-22 18:25 . 2008-04-13 23:15 15,104 --a------ d:\windows\system32\dllcache\usbscan.sys
2008-12-22 18:25 . 2001-08-17 21:36 5,632 --a------ d:\windows\system32\ptpusb.dll
2008-12-22 00:37 . 2008-12-22 00:37 268 --ah----- D:\sqmdata08.sqm
2008-12-22 00:37 . 2008-12-22 00:37 244 --ah----- D:\sqmnoopt08.sqm
2008-12-21 01:18 . 2008-12-21 01:18 51,200 --a------ d:\windows\system32\slrifngw.dll
2008-12-21 01:15 . 2008-12-21 01:15 51,200 --a------ d:\windows\system32\qvxmwryi.dll
2008-12-21 01:11 . 2008-12-21 01:11 51,200 --a------ d:\windows\system32\hllqygec.dll
2008-12-20 01:13 . 2008-12-20 01:13 51,200 --a------ d:\windows\system32\susfyrla.dll
2008-12-20 01:10 . 2008-12-20 01:10 51,200 --a------ d:\windows\system32\lypswpex.dll
2008-12-19 01:14 . 2008-12-19 01:14 51,200 --a------ d:\windows\system32\gvhroiom.dll
2008-12-18 01:09 . 2008-12-18 01:09 51,200 --a------ d:\windows\system32\knrprtoe.dll
2008-12-18 01:09 . 2008-12-18 01:09 51,200 --a------ d:\windows\system32\hwtoyrho.dll
2008-12-16 01:39 . 2008-12-16 01:40 51,200 --a------ d:\windows\system32\hclemdcn.dll
2008-12-15 09:18 . 2008-12-15 09:18 51,200 --a------ d:\windows\system32\irtligel.dll
2008-12-15 09:16 . 2008-12-15 09:16 51,200 --a------ d:\windows\system32\tvnrmmgb.dll
2008-12-15 09:16 . 2008-12-15 09:16 51,200 --a------ d:\windows\system32\jofrofxe.dll
2008-12-14 12:15 . 2008-12-14 12:15 51,200 --a------ d:\windows\system32\tylgmmqv.dll
2008-12-14 12:14 . 2008-12-14 12:14 51,200 --a------ d:\windows\system32\mxmrnenj.dll
2008-12-13 11:45 . 2008-12-13 11:45 51,200 --a------ d:\windows\system32\kmtouuyp.dll
2008-12-13 11:42 . 2008-12-13 11:42 51,200 --a------ d:\windows\system32\uukmojiv.dll
2008-12-12 11:41 . 2008-12-12 11:41 51,200 --a------ d:\windows\system32\ykutaadh.dll
2008-12-12 11:38 . 2008-12-12 11:38 51,200 --a------ d:\windows\system32\geaqgxyt.dll
2008-12-11 08:49 . 2008-12-11 08:49 51,200 --a------ d:\windows\system32\wygoebnk.dll
2008-12-11 08:46 . 2008-12-11 08:46 51,200 --a------ d:\windows\system32\xtjonjxq.dll
2008-12-10 12:16 . 2008-12-10 12:16 51,200 --a------ d:\windows\system32\qimvajep.dll
2008-12-10 11:53 . 2008-12-10 11:53 51,200 --a------ d:\windows\system32\gyjjmsru.dll
2008-12-09 11:49 . 2008-12-09 11:49 51,200 --a------ d:\windows\system32\qoiwobxr.dll
2008-12-09 11:40 . 2008-12-09 11:40 51,200 --a------ d:\windows\system32\cyqusltb.dll
2008-12-09 11:37 . 2008-12-09 11:37 51,200 --a------ d:\windows\system32\kwxprnla.dll
2008-12-09 11:35 . 2008-12-09 11:35 51,200 --a------ d:\windows\system32\qtacbavw.dll
2008-12-07 22:21 . 2008-12-07 22:21 51,200 --a------ d:\windows\system32\pgcsopat.dll
2008-12-07 22:19 . 2008-12-07 22:19 51,200 --a------ d:\windows\system32\colpshrk.dll
2008-12-07 02:33 . 2008-12-07 02:33 51,200 --a------ d:\windows\system32\jddyvhoy.dll
2008-12-07 02:32 . 2008-12-07 02:32 51,200 --a------ d:\windows\system32\alwykyfr.dll
2008-12-06 02:30 . 2008-12-06 02:31 51,200 --a------ d:\windows\system32\xtelsdwg.dll
2008-12-06 01:39 . 2008-12-06 01:39 <DIR> d-------- d:\windows\Sun
2008-12-06 01:37 . 2008-12-06 01:37 410,984 --a------ d:\windows\system32\deploytk.dll
2008-12-06 01:37 . 2008-12-06 01:37 73,728 --a------ d:\windows\system32\javacpl.cpl
2008-12-06 01:36 . 2008-12-06 01:36 <DIR> d-------- d:\program files\Java
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\windows\system32\xircom
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\windows\system32\oobe
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\windows\srchasst
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\program files\microsoft frontpage
2008-12-06 01:18 . 2008-12-06 01:18 51,200 --a------ d:\windows\system32\bsnrhxud.dll
2008-12-06 01:09 . 2008-12-06 01:09 51,200 --a------ d:\windows\system32\owjeahon.dll
2008-12-05 02:14 . 2008-12-05 02:14 <DIR> d-------- d:\program files\Trend Micro
2008-12-04 19:44 . 2008-12-04 19:44 <DIR> d-------- d:\program files\Lavasoft
2008-12-04 19:44 . 2008-12-06 01:05 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2008-12-04 19:44 . 2008-12-04 19:44 51,200 --a------ d:\windows\system32\mxaqevdu.dll
2008-12-04 19:41 . 2008-12-04 19:41 51,200 --a------ d:\windows\system32\kbfyqeol.dll
2008-12-04 19:41 . 2008-12-04 19:41 51,200 --a------ d:\windows\system32\bgxhvfpx.dll
2008-12-04 19:39 . 2008-12-26 17:28 68,513 --a------ d:\windows\system32\kjwvnqsikr.dll-uninst.exe
2008-12-04 19:38 . 2008-12-04 19:38 51,200 --a------ d:\windows\system32\nsemnrxk.dll
2008-12-04 19:38 . 2008-12-04 19:38 51,200 --a------ d:\windows\system32\jgmpjsqb.dll
2008-12-04 19:35 . 2008-12-04 19:35 51,200 --a------ d:\windows\system32\dogibwke.dll
2008-12-04 19:35 . 2008-12-04 19:35 51,200 --a------ d:\windows\system32\ddexcefj.dll
2008-12-04 19:32 . 2008-12-04 19:32 51,200 --a------ d:\windows\system32\xupeelkc.dll
2008-12-04 19:32 . 2008-12-04 19:32 51,200 --a------ d:\windows\system32\reobxaob.dll
2008-12-04 19:29 . 2008-12-04 19:29 51,200 --a------ d:\windows\system32\phixiknd.dll
2008-12-04 19:29 . 2008-12-04 19:29 51,200 --a------ d:\windows\system32\bnnkhwpl.dll
2008-12-04 19:26 . 2008-12-04 19:26 51,200 --a------ d:\windows\system32\ogvldtjr.dll
2008-12-04 19:26 . 2008-12-04 19:26 51,200 --a------ d:\windows\system32\fdtnvssh.dll
2008-12-04 19:23 . 2008-12-04 19:23 51,200 --a------ d:\windows\system32\ooricfdv.dll
2008-12-04 19:23 . 2008-12-04 19:23 51,200 --a------ d:\windows\system32\hoxpovgo.dll
2008-12-04 19:20 . 2008-12-04 19:20 51,200 --a------ d:\windows\system32\uioltgcc.dll
2008-12-04 19:20 . 2008-12-04 19:20 51,200 --a------ d:\windows\system32\ggkpmggt.dll
2008-12-04 19:17 . 2008-12-04 19:17 51,200 --a------ d:\windows\system32\lovoywxt.dll
2008-12-04 19:17 . 2008-12-04 19:17 51,200 --a------ d:\windows\system32\arokfksx.dll
2008-12-04 19:14 . 2008-12-04 19:14 51,200 --a------ d:\windows\system32\ppvrxhti.dll
2008-12-04 19:14 . 2008-12-04 19:14 51,200 --a------ d:\windows\system32\mcerpfqm.dll
2008-12-04 19:11 . 2008-12-04 19:11 51,200 --a------ d:\windows\system32\nonnjgyj.dll
2008-12-04 19:11 . 2008-12-04 19:11 51,200 --a------ d:\windows\system32\bmlobwrj.dll
2008-12-04 19:08 . 2008-12-04 19:08 51,200 --a------ d:\windows\system32\ynslpgwa.dll
2008-12-04 19:08 . 2008-12-04 19:08 51,200 --a------ d:\windows\system32\nnnqwres.dll
2008-12-04 19:05 . 2008-12-04 19:05 51,200 --a------ d:\windows\system32\umkrmsyv.dll
2008-12-04 19:05 . 2008-12-04 19:05 51,200 --a------ d:\windows\system32\ipjiegwn.dll
2008-12-04 19:02 . 2008-12-04 19:02 51,200 --a------ d:\windows\system32\ypcplkpl.dll
2008-12-04 19:02 . 2008-12-04 19:02 51,200 --a------ d:\windows\system32\vvrytbsp.dll
2008-12-04 18:59 . 2008-12-04 18:59 51,200 --a------ d:\windows\system32\tqoxeirx.dll
2008-12-04 18:59 . 2008-12-04 18:59 51,200 --a------ d:\windows\system32\rdlidiih.dll
2008-12-04 18:56 . 2008-12-04 18:56 51,200 --a------ d:\windows\system32\dlmbytoo.dll
2008-12-04 18:56 . 2008-12-04 18:56 51,200 --a------ d:\windows\system32\dklmxftr.dll
2008-12-04 18:53 . 2008-12-04 18:53 51,200 --a------ d:\windows\system32\hgnqfqpu.dll
2008-12-04 18:53 . 2008-12-04 18:53 51,200 --a------ d:\windows\system32\comjygqy.dll
2008-12-04 18:50 . 2008-12-04 18:50 51,200 --a------ d:\windows\system32\nswcowqx.dll
2008-12-04 18:50 . 2008-12-04 18:50 51,200 --a------ d:\windows\system32\ivoyllgd.dll
2008-12-04 18:47 . 2008-12-04 18:47 51,200 --a------ d:\windows\system32\xukerfnb.dll
2008-12-04 18:47 . 2008-12-04 18:47 51,200 --a------ d:\windows\system32\lgjdcxpq.dll
2008-12-04 18:44 . 2008-12-04 18:44 51,200 --a------ d:\windows\system32\towjtyfm.dll
2008-12-04 18:38 . 2008-12-04 18:38 64 --a------ d:\documents and settings\Anna\q.bat
2008-12-04 02:40 . 2008-12-04 03:11 <DIR> d-------- d:\documents and settings\Anna\Application Data\Ventrilo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 12:50 --------- d-----w d:\documents and settings\Anna\Application Data\uTorrent
2008-12-23 09:28 --------- d-----w d:\documents and settings\All Users\Application Data\Soulseek
2008-12-19 14:23 --------- d-----w d:\program files\Ares
2008-12-04 08:44 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-03 15:38 --------- d-----w d:\program files\Ventrilo
2008-11-25 13:29 --------- d-----w d:\program files\Combined Community Codec Pack
2008-11-24 00:56 --------- d-----w d:\program files\Curse
2008-11-22 22:32 --------- d-----w d:\documents and settings\All Users\Application Data\Blizzard
2008-11-22 18:10 --------- d-----w d:\program files\MSXML 4.0
2008-11-22 18:10 --------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-09 05:38 --------- d-----w d:\program files\Common Files\3DO Shared
2008-11-09 05:38 --------- d-----w d:\program files\3DO
2008-11-09 03:57 --------- d-----w d:\documents and settings\Anna\Application Data\Ahead
2008-11-08 09:41 --------- d-----w d:\program files\DAEMON Tools Lite
2008-11-08 09:41 --------- d-----w d:\documents and settings\Anna\Application Data\DAEMON Tools
2008-11-08 09:25 --------- d-----w d:\program files\DAEMON Tools Pro
2008-11-08 08:25 --------- d-----w d:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2008-11-08 08:23 717,296 ----a-w d:\windows\system32\drivers\sptd.sys
2008-11-08 08:23 --------- d-----w d:\documents and settings\Anna\Application Data\DAEMON Tools Pro
2008-10-31 10:52 --------- d-----w d:\documents and settings\Administrator\Application Data\uTorrent
2008-10-29 23:39 --------- d-----w d:\program files\Soulseek
2008-10-29 23:36 --------- d-----w d:\program files\SoulseekNS
2008-10-16 03:13 1,809,944 ----a-w d:\windows\system32\wuaueng.dll
2008-10-16 03:12 561,688 ----a-w d:\windows\system32\wuapi.dll
2008-10-16 03:12 323,608 ----a-w d:\windows\system32\wucltui.dll
2008-10-16 03:09 92,696 ----a-w d:\windows\system32\cdm.dll
2008-10-16 03:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
2008-10-16 03:09 43,544 ----a-w d:\windows\system32\wups2.dll
2008-10-16 03:08 34,328 ----a-w d:\windows\system32\wups.dll
2008-09-30 05:43 1,286,152 ----a-w d:\windows\system32\msxml4.dll
2008-05-05 20:14 34,048 ----a-w d:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 45,056 ----a-w d:\program files\opera\program\plugins\upd62int.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_ 1.22.00.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-22 07:41:48 102,400 ----a-r d:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
+ 2008-12-22 07:38:24 27,136 ----a-r d:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2008-12-22 07:40:35 86,016 ----a-r d:\windows\Installer\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}\PrntWzrdIco.exe
+ 2008-08-28 23:18:58 87,336 ----a-w d:\windows\system32\dns-sd.exe
+ 2008-08-28 22:53:50 61,440 ----a-w d:\windows\system32\dnssd.dll
+ 2008-04-17 02:12:54 107,368 -c--a-w d:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll
+ 2008-04-17 02:12:54 15,464 -c--a-w d:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys
+ 2008-11-07 03:23:30 32,000 -c--a-w d:\windows\system32\DRVSTORE\usbaapl_246F92BBD6449C86FC3F3F28C40D59AC1F69C558\usbaapl.sys
+ 2008-12-05 14:37:02 144,792 ----a-w d:\windows\system32\java.exe
+ 2008-12-05 14:37:02 144,792 ----a-w d:\windows\system32\javaw.exe
+ 2008-12-05 14:37:02 148,888 ----a-w d:\windows\system32\javaws.exe
+ 2008-12-29 16:37:19 16,384 ----atw d:\windows\temp\Perflib_Perfdata_61c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0F2787F-A4E0-CDC5-8EE1-41EAF315509C}]
2008-12-26 00:35 636928 --a------ d:\windows\system32\kjwvnqsikr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-25 490952]
"CurseClient"="d:\program files\Curse\CurseClient.exe" [2008-10-11 4789760]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-05-17 13529088]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-05-17 86016]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-04-02 36352]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-06 136600]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2008-05-17 d:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-05-06 d:\windows\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\D:^Documents and Settings^Anna^Start Menu^Programs^Startup^Deewoo.lnk]
path=d:\documents and settings\Anna\Start Menu\Programs\Startup\Deewoo.lnk
backup=d:\windows\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^Anna^Start Menu^Programs^Startup^DW_Start.lnk]
path=d:\documents and settings\Anna\Start Menu\Programs\Startup\DW_Start.lnk
backup=d:\windows\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^Anna^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=d:\documents and settings\Anna\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=d:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5088859e]
d:\windows\system32\txlhfnuy.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]
--a------ 2007-09-06 21:19 1426432 d:\program files\ASUS\Ai Suite\AiNap\AiNap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpu Level Up help]
--a------ 2007-09-11 20:32 880640 d:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPU Power Monitor]
--a------ 2007-10-16 21:35 626176 d:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch As Cmd Runner]
--a------ 2007-04-12 03:34 376832 d:\program files\ASUS\AI Direct Link\AsCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Direct Link]
--a------ 2007-08-20 21:42 1209856 d:\program files\ASUS\AI Direct Link\AsShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-04-11 01:52 16861184 d:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\games\\Steam\\steamapps\\teasr61@hotmail.com\\counter-strike source\\hl2.exe"=
"d:\\Program Files\\Curse\\CurseClient.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=
"d:\\Program Files\\SoulseekNS\\slsk.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{763e9e9a-44a3-11dd-bb76-df9d78834542}]
\Shell\Auto\command - H:\Start.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{794db6e1-a60c-11dd-bbd3-001e8cd29b2d}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - d:\documents and settings\Anna\Application Data\Mozilla\Firefox\Profiles\aydocz0q.default\
FF - prefs.js: browser.startup.homepage - www.bigpond.com
FF - component: d:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 03:37:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(856)
d:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\rundll32.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\wdfmgr.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
d:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
d:\program files\iPod\bin\iPodService.exe
d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
d:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-12-30 3:38:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 16:38:17
ComboFix2.txt 2008-12-29 02:38:53
ComboFix3.txt 2008-12-05 14:22:21

Pre-Run: 63,564,521,472 bytes free
Post-Run: 63,516,426,240 bytes free

357

HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:22 AM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\Curse\CurseClient.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: mysidesearch search enhancer - {B0F2787F-A4E0-CDC5-8EE1-41EAF315509C} - D:\WINDOWS\system32\kjwvnqsikr.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CurseClient] D:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227374627256
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - D:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6691 bytes
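The "Files Created" section of the ComboFix log above shows dozens of 51,200-byte DLLs with random eight-letter names written into system32 three minutes apart; that burst is the dropper activity the later CFScript removes file by file. What follows is an added example, not code from this thread, from ComboFix or from its author: a small Python parser for ComboFix's "Files Created" line format that groups regular files by folder and size and reports clusters of random-named DLLs, so a log reviewer can spot the pattern without reading each line. The sample lines are copied from this thread's own log; the five-file threshold and the eight-lowercase-letter name heuristic are assumptions chosen to match what this log shows.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# One entry of ComboFix's "Files Created" listing looks like:
#   <created> . <modified> <size or <DIR>> <attributes> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Heuristic (assumption): eight lowercase letters plus .dll, as seen in this log.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")

# Constructed sample: lines copied from the ComboFix log in this thread,
# plus one legitimate DLL and one directory entry as negative cases.
SAMPLE_LOG = r"""
2008-12-04 19:38 . 2008-12-04 19:38 51,200 --a------ d:\windows\system32\nsemnrxk.dll
2008-12-04 19:38 . 2008-12-04 19:38 51,200 --a------ d:\windows\system32\jgmpjsqb.dll
2008-12-04 19:35 . 2008-12-04 19:35 51,200 --a------ d:\windows\system32\dogibwke.dll
2008-12-04 19:35 . 2008-12-04 19:35 51,200 --a------ d:\windows\system32\ddexcefj.dll
2008-12-04 19:32 . 2008-12-04 19:32 51,200 --a------ d:\windows\system32\xupeelkc.dll
2008-12-04 19:32 . 2008-12-04 19:32 51,200 --a------ d:\windows\system32\reobxaob.dll
2008-12-04 18:38 . 2008-12-04 18:38 64 --a------ d:\documents and settings\Anna\q.bat
2008-12-04 02:40 . 2008-12-04 03:11 <DIR> d-------- d:\documents and settings\Anna\Application Data\Ventrilo
2008-12-22 18:41 . 2008-04-17 13:12 107,368 --a------ d:\windows\system32\GEARAspi.dll
"""


def parse_entries(text):
    """Parse regular-file entries from a ComboFix "Files Created" listing.

    Directory entries (<DIR>) and lines that do not match the format are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        entries.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size").replace(",", "")),
            "path": m.group("path"),
        })
    return entries


def find_dll_clusters(entries, min_count=5):
    """Group random-named DLLs by (folder, size) and report groups of min_count or more.

    Each cluster records how many files were dropped, over how many minutes,
    and the file names in creation order, which is what a cleanup script needs.
    """
    groups = defaultdict(list)
    for e in entries:
        p = PureWindowsPath(e["path"])
        if RANDOM_DLL_RE.match(p.name):
            groups[(str(p.parent).lower(), e["size"])].append(e)

    clusters = []
    for (folder, size), items in groups.items():
        if len(items) < min_count:
            continue
        items.sort(key=lambda e: e["created"])  # stable: same-minute order preserved
        span = items[-1]["created"] - items[0]["created"]
        clusters.append({
            "folder": folder,
            "size": size,
            "count": len(items),
            "span_minutes": int(span.total_seconds() // 60),
            "names": [PureWindowsPath(e["path"]).name for e in items],
        })
    return clusters


def report(text, min_count=5):
    """Convenience wrapper: parse a log excerpt and return its DLL clusters."""
    return find_dll_clusters(parse_entries(text), min_count)


if __name__ == "__main__":
    for c in report(SAMPLE_LOG):
        print(f"{c['count']} x {c['size']}-byte DLLs in {c['folder']} "
              f"over {c['span_minutes']} min: {', '.join(c['names'])}")
```

Run on the full "Files Created" section from the log, the same function lists every random-named DLL in the burst in one line, which is a quicker way to build or check a removal list than reading the entries one at a time; raising `min_count` suppresses small groups of legitimately named eight-letter DLLs.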

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 29 December 2008 - 12:34 PM

Hello,

Once more:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::

File::
d:\windows\system32\txlhfnuy.dll
d:\documents and settings\Anna\Start Menu\Programs\Startup\DW_Start.lnk
d:\windows\pss\DW_Start.lnkStartup
d:\windows\system32\kjwvnqsikr.dll
d:\windows\system32\mxaqevdu.dll
d:\windows\system32\kbfyqeol.dll
d:\windows\system32\bgxhvfpx.dll
d:\windows\system32\kjwvnqsikr.dll-uninst.exe
d:\windows\system32\nsemnrxk.dll
d:\windows\system32\jgmpjsqb.dll
d:\windows\system32\dogibwke.dll
d:\windows\system32\ddexcefj.dll
d:\windows\system32\xupeelkc.dll
d:\windows\system32\reobxaob.dll
d:\windows\system32\phixiknd.dll
d:\windows\system32\bnnkhwpl.dll
d:\windows\system32\ogvldtjr.dll
d:\windows\system32\fdtnvssh.dll
d:\windows\system32\ooricfdv.dll
d:\windows\system32\hoxpovgo.dll
d:\windows\system32\uioltgcc.dll
d:\windows\system32\ggkpmggt.dll
d:\windows\system32\lovoywxt.dll
d:\windows\system32\arokfksx.dll
d:\windows\system32\ppvrxhti.dll
d:\windows\system32\mcerpfqm.dll
d:\windows\system32\nonnjgyj.dll
d:\windows\system32\bmlobwrj.dll
d:\windows\system32\ynslpgwa.dll
d:\windows\system32\nnnqwres.dll
d:\windows\system32\umkrmsyv.dll
d:\windows\system32\ipjiegwn.dll
d:\windows\system32\ypcplkpl.dll
d:\windows\system32\vvrytbsp.dll
d:\windows\system32\tqoxeirx.dll
d:\windows\system32\rdlidiih.dll
d:\windows\system32\dlmbytoo.dll
d:\windows\system32\dklmxftr.dll
d:\windows\system32\hgnqfqpu.dll
d:\windows\system32\comjygqy.dll
d:\windows\system32\nswcowqx.dll
d:\windows\system32\ivoyllgd.dll
d:\windows\system32\xukerfnb.dll
d:\windows\system32\lgjdcxpq.dll
d:\windows\system32\towjtyfm.dll
d:\windows\system32\bsnrhxud.dll
d:\windows\system32\owjeahon.dll
d:\windows\system32\slrifngw.dll
d:\windows\system32\qvxmwryi.dll
d:\windows\system32\hllqygec.dll
d:\windows\system32\susfyrla.dll
d:\windows\system32\lypswpex.dll
d:\windows\system32\gvhroiom.dll
d:\windows\system32\knrprtoe.dll
d:\windows\system32\hwtoyrho.dll
d:\windows\system32\hclemdcn.dll
d:\windows\system32\irtligel.dll
d:\windows\system32\tvnrmmgb.dll
d:\windows\system32\jofrofxe.dll
d:\windows\system32\tylgmmqv.dll
d:\windows\system32\mxmrnenj.dll
d:\windows\system32\kmtouuyp.dll
d:\windows\system32\uukmojiv.dll
d:\windows\system32\ykutaadh.dll
d:\windows\system32\geaqgxyt.dll
d:\windows\system32\wygoebnk.dll
d:\windows\system32\xtjonjxq.dll
d:\windows\system32\qimvajep.dll
d:\windows\system32\gyjjmsru.dll
d:\windows\system32\qoiwobxr.dll
d:\windows\system32\cyqusltb.dll
d:\windows\system32\kwxprnla.dll
d:\windows\system32\qtacbavw.dll
d:\windows\system32\pgcsopat.dll
d:\windows\system32\colpshrk.dll
d:\windows\system32\jddyvhoy.dll
d:\windows\system32\alwykyfr.dll
d:\windows\system32\xtelsdwg.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5088859e]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0F2787F-A4E0-CDC5-8EE1-41EAF315509C}]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply. How is it running?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#11 Zaij

Zaij
  • Topic Starter

  • Members
  • 5 posts
  • Local time:04:12 AM

Posted 29 December 2008 - 10:07 PM

ComboFix 08-12-28.01 - Anna 2008-12-30 14:03:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1498 [GMT 11:00]
Running from: d:\documents and settings\Anna\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Anna\Desktop\CFScript.txt
* Created a new restore point

FILE ::
d:\documents and settings\Anna\Start Menu\Programs\Startup\DW_Start.lnk
d:\windows\pss\DW_Start.lnkStartup
d:\windows\system32\alwykyfr.dll
d:\windows\system32\arokfksx.dll
d:\windows\system32\bgxhvfpx.dll
d:\windows\system32\bmlobwrj.dll
d:\windows\system32\bnnkhwpl.dll
d:\windows\system32\bsnrhxud.dll
d:\windows\system32\colpshrk.dll
d:\windows\system32\comjygqy.dll
d:\windows\system32\cyqusltb.dll
d:\windows\system32\ddexcefj.dll
d:\windows\system32\dklmxftr.dll
d:\windows\system32\dlmbytoo.dll
d:\windows\system32\dogibwke.dll
d:\windows\system32\fdtnvssh.dll
d:\windows\system32\geaqgxyt.dll
d:\windows\system32\ggkpmggt.dll
d:\windows\system32\gvhroiom.dll
d:\windows\system32\gyjjmsru.dll
d:\windows\system32\hclemdcn.dll
d:\windows\system32\hgnqfqpu.dll
d:\windows\system32\hllqygec.dll
d:\windows\system32\hoxpovgo.dll
d:\windows\system32\hwtoyrho.dll
d:\windows\system32\ipjiegwn.dll
d:\windows\system32\irtligel.dll
d:\windows\system32\ivoyllgd.dll
d:\windows\system32\jddyvhoy.dll
d:\windows\system32\jgmpjsqb.dll
d:\windows\system32\jofrofxe.dll
d:\windows\system32\kbfyqeol.dll
d:\windows\system32\kjwvnqsikr.dll
d:\windows\system32\kjwvnqsikr.dll-uninst.exe
d:\windows\system32\kmtouuyp.dll
d:\windows\system32\knrprtoe.dll
d:\windows\system32\kwxprnla.dll
d:\windows\system32\lgjdcxpq.dll
d:\windows\system32\lovoywxt.dll
d:\windows\system32\lypswpex.dll
d:\windows\system32\mcerpfqm.dll
d:\windows\system32\mxaqevdu.dll
d:\windows\system32\mxmrnenj.dll
d:\windows\system32\nnnqwres.dll
d:\windows\system32\nonnjgyj.dll
d:\windows\system32\nsemnrxk.dll
d:\windows\system32\nswcowqx.dll
d:\windows\system32\ogvldtjr.dll
d:\windows\system32\ooricfdv.dll
d:\windows\system32\owjeahon.dll
d:\windows\system32\pgcsopat.dll
d:\windows\system32\phixiknd.dll
d:\windows\system32\ppvrxhti.dll
d:\windows\system32\qimvajep.dll
d:\windows\system32\qoiwobxr.dll
d:\windows\system32\qtacbavw.dll
d:\windows\system32\qvxmwryi.dll
d:\windows\system32\rdlidiih.dll
d:\windows\system32\reobxaob.dll
d:\windows\system32\slrifngw.dll
d:\windows\system32\susfyrla.dll
d:\windows\system32\towjtyfm.dll
d:\windows\system32\tqoxeirx.dll
d:\windows\system32\tvnrmmgb.dll
d:\windows\system32\txlhfnuy.dll
d:\windows\system32\tylgmmqv.dll
d:\windows\system32\uioltgcc.dll
d:\windows\system32\umkrmsyv.dll
d:\windows\system32\uukmojiv.dll
d:\windows\system32\vvrytbsp.dll
d:\windows\system32\wygoebnk.dll
d:\windows\system32\xtelsdwg.dll
d:\windows\system32\xtjonjxq.dll
d:\windows\system32\xukerfnb.dll
d:\windows\system32\xupeelkc.dll
d:\windows\system32\ykutaadh.dll
d:\windows\system32\ynslpgwa.dll
d:\windows\system32\ypcplkpl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\pss\DW_Start.lnkStartup
d:\windows\system32\alwykyfr.dll
d:\windows\system32\arokfksx.dll
d:\windows\system32\bgxhvfpx.dll
d:\windows\system32\bmlobwrj.dll
d:\windows\system32\bnnkhwpl.dll
d:\windows\system32\bsnrhxud.dll
d:\windows\system32\colpshrk.dll
d:\windows\system32\comjygqy.dll
d:\windows\system32\cyqusltb.dll
d:\windows\system32\ddexcefj.dll
d:\windows\system32\dklmxftr.dll
d:\windows\system32\dlmbytoo.dll
d:\windows\system32\dogibwke.dll
d:\windows\system32\fdtnvssh.dll
d:\windows\system32\geaqgxyt.dll
d:\windows\system32\ggkpmggt.dll
d:\windows\system32\gvhroiom.dll
d:\windows\system32\gyjjmsru.dll
d:\windows\system32\hclemdcn.dll
d:\windows\system32\hgnqfqpu.dll
d:\windows\system32\hllqygec.dll
d:\windows\system32\hoxpovgo.dll
d:\windows\system32\hwtoyrho.dll
d:\windows\system32\ipjiegwn.dll
d:\windows\system32\irtligel.dll
d:\windows\system32\ivoyllgd.dll
d:\windows\system32\jddyvhoy.dll
d:\windows\system32\jgmpjsqb.dll
d:\windows\system32\jofrofxe.dll
d:\windows\system32\kbfyqeol.dll
d:\windows\system32\kjwvnqsikr.dll-uninst.exe
d:\windows\system32\kjwvnqsikr.dll
d:\windows\system32\kmtouuyp.dll
d:\windows\system32\knrprtoe.dll
d:\windows\system32\kwxprnla.dll
d:\windows\system32\lgjdcxpq.dll
d:\windows\system32\lovoywxt.dll
d:\windows\system32\lypswpex.dll
d:\windows\system32\mcerpfqm.dll
d:\windows\system32\mxaqevdu.dll
d:\windows\system32\mxmrnenj.dll
d:\windows\system32\nnnqwres.dll
d:\windows\system32\nonnjgyj.dll
d:\windows\system32\nsemnrxk.dll
d:\windows\system32\nswcowqx.dll
d:\windows\system32\ogvldtjr.dll
d:\windows\system32\ooricfdv.dll
d:\windows\system32\owjeahon.dll
d:\windows\system32\pgcsopat.dll
d:\windows\system32\phixiknd.dll
d:\windows\system32\ppvrxhti.dll
d:\windows\system32\qimvajep.dll
d:\windows\system32\qoiwobxr.dll
d:\windows\system32\qtacbavw.dll
d:\windows\system32\qvxmwryi.dll
d:\windows\system32\rdlidiih.dll
d:\windows\system32\reobxaob.dll
d:\windows\system32\slrifngw.dll
d:\windows\system32\susfyrla.dll
d:\windows\system32\towjtyfm.dll
d:\windows\system32\tqoxeirx.dll
d:\windows\system32\tvnrmmgb.dll
d:\windows\system32\tylgmmqv.dll
d:\windows\system32\uioltgcc.dll
d:\windows\system32\umkrmsyv.dll
d:\windows\system32\uukmojiv.dll
d:\windows\system32\vvrytbsp.dll
d:\windows\system32\wygoebnk.dll
d:\windows\system32\xtelsdwg.dll
d:\windows\system32\xtjonjxq.dll
d:\windows\system32\xukerfnb.dll
d:\windows\system32\xupeelkc.dll
d:\windows\system32\ykutaadh.dll
d:\windows\system32\ynslpgwa.dll
d:\windows\system32\ypcplkpl.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-27 19:59 . 2008-12-30 03:37 <DIR> d-------- d:\documents and settings\Anna\Application Data\skypePM
2008-12-27 19:59 . 2008-12-27 19:59 56 --ah----- d:\windows\system32\ezsidmv.dat
2008-12-27 19:58 . 2008-12-27 19:58 <DIR> d-------- d:\program files\Skype
2008-12-27 19:58 . 2008-12-27 19:58 <DIR> d-------- d:\program files\Common Files\Skype
2008-12-27 19:58 . 2008-12-30 14:05 <DIR> d-------- d:\documents and settings\Anna\Application Data\Skype
2008-12-27 19:57 . 2008-12-27 19:58 <DIR> d-------- d:\documents and settings\All Users\Application Data\Skype
2008-12-22 19:01 . 2008-12-22 23:50 641 --a------ d:\windows\wincmd.ini
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\UC.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\RAR.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\PKZIP.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\PKUNZIP.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\NOCLOSE.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\LHA.PIF
2008-12-22 19:01 . 2008-08-08 07:04 545 --a------ d:\windows\ARJ.PIF
2008-12-22 18:41 . 2008-12-22 18:41 <DIR> d-------- d:\program files\iTunes
2008-12-22 18:41 . 2008-12-22 18:41 <DIR> d-------- d:\program files\iPod
2008-12-22 18:41 . 2008-12-22 18:45 <DIR> d-------- d:\documents and settings\Anna\Application Data\Apple Computer
2008-12-22 18:41 . 2008-12-22 18:41 <DIR> d-------- d:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 18:41 . 2008-04-17 13:12 107,368 --a------ d:\windows\system32\GEARAspi.dll
2008-12-22 18:41 . 2008-04-17 13:12 15,464 --a------ d:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 18:40 . 2008-12-22 18:40 <DIR> d-------- d:\program files\Bonjour
2008-12-22 18:39 . 2008-12-22 18:40 <DIR> d-------- d:\program files\QuickTime
2008-12-22 18:39 . 2008-12-22 18:41 <DIR> d-------- d:\documents and settings\All Users\Application Data\Apple Computer
2008-12-22 18:38 . 2008-12-22 18:38 <DIR> d-------- d:\program files\Apple Software Update
2008-12-22 18:37 . 2008-12-22 18:41 <DIR> d-------- d:\program files\Common Files\Apple
2008-12-22 18:37 . 2008-11-07 14:23 32,000 --a------ d:\windows\system32\drivers\usbaapl.sys
2008-12-22 18:25 . 2008-04-14 04:42 159,232 --a------ d:\windows\system32\ptpusd.dll
2008-12-22 18:25 . 2008-04-13 23:15 15,104 --a------ d:\windows\system32\drivers\usbscan.sys
2008-12-22 18:25 . 2008-04-13 23:15 15,104 --a------ d:\windows\system32\dllcache\usbscan.sys
2008-12-22 18:25 . 2001-08-17 21:36 5,632 --a------ d:\windows\system32\ptpusb.dll
2008-12-22 00:37 . 2008-12-22 00:37 268 --ah----- D:\sqmdata08.sqm
2008-12-22 00:37 . 2008-12-22 00:37 244 --ah----- D:\sqmnoopt08.sqm
2008-12-06 01:39 . 2008-12-06 01:39 <DIR> d-------- d:\windows\Sun
2008-12-06 01:37 . 2008-12-06 01:37 410,984 --a------ d:\windows\system32\deploytk.dll
2008-12-06 01:37 . 2008-12-06 01:37 73,728 --a------ d:\windows\system32\javacpl.cpl
2008-12-06 01:36 . 2008-12-06 01:36 <DIR> d-------- d:\program files\Java
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\windows\system32\xircom
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\windows\system32\oobe
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\windows\srchasst
2008-12-06 01:21 . 2008-12-06 01:21 <DIR> d-------- d:\program files\microsoft frontpage
2008-12-05 02:14 . 2008-12-05 02:14 <DIR> d-------- d:\program files\Trend Micro
2008-12-04 19:44 . 2008-12-04 19:44 <DIR> d-------- d:\program files\Lavasoft
2008-12-04 19:44 . 2008-12-06 01:05 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2008-12-04 18:38 . 2008-12-04 18:38 64 --a------ d:\documents and settings\Anna\q.bat
2008-12-04 02:40 . 2008-12-04 03:11 <DIR> d-------- d:\documents and settings\Anna\Application Data\Ventrilo
2008-11-24 15:24 . 2008-12-30 14:00 664 --a------ d:\windows\system32\d3d9caps.dat
2008-11-24 11:56 . 2008-11-24 11:56 <DIR> d-------- d:\program files\Curse
2008-11-23 16:26 . 2008-04-13 21:05 20,992 --a------ d:\windows\system32\drivers\RTL8139.sys
2008-11-23 09:32 . 2008-11-23 09:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\Blizzard
2008-11-23 05:10 . 2008-11-23 05:10 <DIR> d-------- d:\program files\MSXML 4.0
2008-11-23 04:59 . 2008-10-24 22:21 455,296 --a------ d:\windows\system32\dllcache\mrxsmb.sys
2008-11-23 04:56 . 2008-09-05 04:15 1,106,944 --a------ d:\windows\system32\dllcache\msxml3.dll
2008-11-23 04:56 . 2008-10-16 03:34 337,408 --a------ d:\windows\system32\dllcache\netapi32.dll
2008-11-23 04:56 . 2008-09-08 21:41 333,824 --a------ d:\windows\system32\dllcache\srv.sys
2008-11-23 04:55 . 2008-08-14 21:11 2,189,184 --a------ d:\windows\system32\dllcache\ntoskrnl.exe
2008-11-23 04:55 . 2008-08-14 21:09 2,145,280 --a------ d:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-23 04:55 . 2008-08-14 20:33 2,066,048 --a------ d:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-23 04:55 . 2008-08-14 20:33 2,023,936 --a------ d:\windows\system32\dllcache\ntkrpamp.exe
2008-11-23 04:55 . 2008-09-15 23:12 1,846,400 --a------ d:\windows\system32\dllcache\win32k.sys
2008-11-23 04:55 . 2008-08-14 21:04 138,496 --a------ d:\windows\system32\dllcache\afd.sys
2008-11-23 04:45 . 2008-04-12 06:04 691,712 --a------ d:\windows\system32\dllcache\inetcomm.dll
2008-11-23 04:45 . 2008-05-02 01:33 331,776 --a------ d:\windows\system32\dllcache\msadce.dll
2008-11-23 04:43 . 2006-12-07 16:29 2,374,472 --a------ d:\windows\system32\dllcache\wmvcore.dll
2008-11-23 04:43 . 2008-06-13 22:05 272,128 --------- d:\windows\system32\drivers\bthport.sys
2008-11-23 04:43 . 2008-06-13 22:05 272,128 --a------ d:\windows\system32\dllcache\bthport.sys
2008-11-23 04:42 . 2008-05-09 01:02 203,136 --a------ d:\windows\system32\dllcache\rmcast.sys
2008-11-23 02:19 . 2008-11-23 05:11 <DIR> d--h----- d:\windows\$hf_mig$
2008-11-23 02:19 . 2005-02-25 14:35 22,752 --a------ d:\windows\system32\spupdsvc.exe
2008-11-23 02:16 . 2008-10-16 14:07 23,576 --a------ d:\windows\system32\wuapi.dll.mui
2008-11-19 23:21 . 2008-11-19 23:21 268 --ah----- D:\sqmdata07.sqm
2008-11-19 23:21 . 2008-11-19 23:21 244 --ah----- D:\sqmnoopt07.sqm
2008-11-19 22:04 . 2008-11-19 22:04 268 --ah----- D:\sqmdata06.sqm
2008-11-19 22:04 . 2008-11-19 22:04 244 --ah----- D:\sqmnoopt06.sqm
2008-11-19 10:48 . 2008-11-19 10:48 268 --ah----- D:\sqmdata05.sqm
2008-11-19 10:48 . 2008-11-19 10:48 244 --ah----- D:\sqmnoopt05.sqm
2008-11-19 00:31 . 2008-11-19 00:31 268 --ah----- D:\sqmdata04.sqm
2008-11-19 00:31 . 2008-11-19 00:31 244 --ah----- D:\sqmnoopt04.sqm
2008-11-19 00:28 . 2008-11-19 00:28 268 --ah----- D:\sqmdata03.sqm
2008-11-19 00:28 . 2008-11-19 00:28 244 --ah----- D:\sqmnoopt03.sqm
2008-11-17 22:28 . 2008-11-17 22:28 268 --ah----- D:\sqmdata02.sqm
2008-11-17 22:28 . 2008-11-17 22:28 244 --ah----- D:\sqmnoopt02.sqm
2008-11-16 23:15 . 2008-11-16 23:15 268 --ah----- D:\sqmdata01.sqm
2008-11-16 23:15 . 2008-11-16 23:15 244 --ah----- D:\sqmnoopt01.sqm
2008-11-15 22:28 . 2008-11-15 22:28 268 --ah----- D:\sqmdata00.sqm
2008-11-15 22:28 . 2008-11-15 22:28 244 --ah----- D:\sqmnoopt00.sqm
2008-11-09 14:57 . 2008-11-09 14:57 <DIR> d-------- d:\documents and settings\Anna\Application Data\Ahead
2008-11-09 06:26 . 2008-11-09 16:38 <DIR> d-------- d:\program files\Common Files\3DO Shared
2008-11-09 06:26 . 2008-11-09 16:38 <DIR> d-------- d:\program files\3DO
2008-11-09 06:26 . 2008-11-09 06:26 <DIR> d-------- D:\Games
2008-11-09 06:25 . 1998-10-29 16:45 306,688 --a------ d:\windows\IsUninst.exe
2008-11-08 20:41 . 2008-11-08 20:41 <DIR> d-------- d:\program files\DAEMON Tools Lite
2008-11-08 20:41 . 2008-11-08 20:41 <DIR> d-------- d:\documents and settings\Anna\Application Data\DAEMON Tools
2008-11-08 19:25 . 2008-11-08 20:25 <DIR> d-------- d:\program files\DAEMON Tools Pro
2008-11-08 19:25 . 2008-11-08 19:25 <DIR> d-------- d:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2008-11-08 19:23 . 2008-11-08 19:23 <DIR> d-------- d:\documents and settings\Anna\Application Data\DAEMON Tools Pro
2008-11-08 19:23 . 2008-11-08 19:23 717,296 --a------ d:\windows\system32\drivers\sptd.sys
2008-11-08 18:50 . 2008-11-08 19:15 23 --a------ d:\windows\popcinfot.dat
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ d:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ d:\windows\system32\QuickTime.qts
2008-11-01 13:39 . 2008-12-28 23:50 <DIR> d-------- d:\documents and settings\Anna\Application Data\uTorrent
2008-11-01 02:19 . 2008-11-01 02:19 <DIR> d-------- d:\documents and settings\Anna\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 09:28 --------- d-----w d:\documents and settings\All Users\Application Data\Soulseek
2008-12-19 14:23 --------- d-----w d:\program files\Ares
2008-12-04 08:44 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-03 15:38 --------- d-----w d:\program files\Ventrilo
2008-11-25 13:29 --------- d-----w d:\program files\Combined Community Codec Pack
2008-11-22 18:10 --------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-31 10:52 --------- d-----w d:\documents and settings\Administrator\Application Data\uTorrent
2008-10-29 23:39 --------- d-----w d:\program files\Soulseek
2008-10-29 23:36 --------- d-----w d:\program files\SoulseekNS
2008-05-05 20:14 34,048 ----a-w d:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 45,056 ----a-w d:\program files\opera\program\plugins\upd62int.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_ 1.22.00.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-22 07:41:48 102,400 ----a-r d:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
+ 2008-12-22 07:38:24 27,136 ----a-r d:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2008-12-22 07:40:35 86,016 ----a-r d:\windows\Installer\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}\PrntWzrdIco.exe
+ 2008-08-28 23:18:58 87,336 ----a-w d:\windows\system32\dns-sd.exe
+ 2008-08-28 22:53:50 61,440 ----a-w d:\windows\system32\dnssd.dll
+ 2008-04-17 02:12:54 107,368 -c--a-w d:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll
+ 2008-04-17 02:12:54 15,464 -c--a-w d:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys
+ 2008-11-07 03:23:30 32,000 -c--a-w d:\windows\system32\DRVSTORE\usbaapl_246F92BBD6449C86FC3F3F28C40D59AC1F69C558\usbaapl.sys
+ 2008-12-05 14:37:02 144,792 ----a-w d:\windows\system32\java.exe
+ 2008-12-05 14:37:02 144,792 ----a-w d:\windows\system32\javaw.exe
+ 2008-12-05 14:37:02 148,888 ----a-w d:\windows\system32\javaws.exe
+ 2008-12-30 03:05:38 16,384 ----atw d:\windows\temp\Perflib_Perfdata_6ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-25 490952]
"CurseClient"="d:\program files\Curse\CurseClient.exe" [2008-10-11 4789760]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-05-17 13529088]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-05-17 86016]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-04-02 36352]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-06 136600]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2008-05-17 d:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-05-06 d:\windows\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\D:^Documents and Settings^Anna^Start Menu^Programs^Startup^Deewoo.lnk]
path=d:\documents and settings\Anna\Start Menu\Programs\Startup\Deewoo.lnk
backup=d:\windows\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^Anna^Start Menu^Programs^Startup^DW_Start.lnk]
path=d:\documents and settings\Anna\Start Menu\Programs\Startup\DW_Start.lnk
backup=d:\windows\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^Anna^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=d:\documents and settings\Anna\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=d:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]
--a------ 2007-09-06 21:19 1426432 d:\program files\ASUS\Ai Suite\AiNap\AiNap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpu Level Up help]
--a------ 2007-09-11 20:32 880640 d:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPU Power Monitor]
--a------ 2007-10-16 21:35 626176 d:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch As Cmd Runner]
--a------ 2007-04-12 03:34 376832 d:\program files\ASUS\AI Direct Link\AsCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Direct Link]
--a------ 2007-08-20 21:42 1209856 d:\program files\ASUS\AI Direct Link\AsShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-04-11 01:52 16861184 d:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\games\\Steam\\steamapps\\teasr61@hotmail.com\\counter-strike source\\hl2.exe"=
"d:\\Program Files\\Curse\\CurseClient.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=
"d:\\Program Files\\SoulseekNS\\slsk.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{763e9e9a-44a3-11dd-bb76-df9d78834542}]
\Shell\Auto\command - H:\Start.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{794db6e1-a60c-11dd-bbd3-001e8cd29b2d}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - d:\documents and settings\Anna\Application Data\Mozilla\Firefox\Profiles\aydocz0q.default\
FF - prefs.js: browser.startup.homepage - www.bigpond.com
FF - component: d:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 14:05:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(860)
d:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\rundll32.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\wdfmgr.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
d:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
d:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
d:\program files\iPod\bin\iPodService.exe
d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
d:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-12-30 14:06:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-30 03:06:37
ComboFix2.txt 2008-12-29 16:38:24
ComboFix3.txt 2008-12-29 02:38:53
ComboFix4.txt 2008-12-05 14:22:21

Pre-Run: 63,536,193,536 bytes free
Post-Run: 63,484,444,672 bytes free

448

The computer's actually been running fine since the first run of ComboFix, but always better to be safe than sorry :thumbsup:

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 30 December 2008 - 07:48 PM

Hello,

Very glad to know it, but that's a lot of stuff you had there, so I want to be sure we get everything, including the leftovers. So... let's do one more thing, please:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#13 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 13 January 2009 - 03:23 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?