Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo / Virtumonde infection + Assoc. DLL errors.


  • This topic is locked This topic is locked
8 replies to this topic

#1 aocvirek

aocvirek

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota - U.S.
  • Local time:06:59 AM

Posted 24 April 2009 - 03:27 AM

As stated in the topic, I have a Vundo problem with what appears to be an associated symptom of SpyBot.S&D attempting to remove it unsuccessfully. If you have any questions about the computer or programs on it beyond the DDS logs, it might take me a little while to respond. This is an office computer, and I just started here, so I am not familiar with it yet, and only have access to it 4 days per week.

The Problem:
I noticed random popups when using Firefox and the WinAntiVirus ad. Recognized Vundo symptoms and ran BitDefender, but 3 deep scans found nothing. Ran SpyBot.S&D and found "Virtumonde" infection in 2 files. SpyBot.S&D attempted to fix, and appeared to succeed. However, on startup windows displayed a RUNDLL error as follows:
RUNDLL
Error loading C:\WINDOWS\System32\pebubolo.dll (and a second, identical window, with widamibo.dll as the file.)
Access is denied

After clearing the dialog boxes, BitDefender detected both files, and several others as Trojan.Vundo.GMM. However BitDdefender has not been able to remove the infection, only quarantine. Even quarantined, the RUNDLL errors persist, and are causing slowdowns and freezes on startup occasionally.

I attempted the VundoFix & VirtumondeBeGone (in safe mode) solutions listed in the Malware F.A.Q.'s but both tools find no infected files. (I also removed all of the files listed as infected from BitDefender's Quarantine, and had it place them back in their initial folders, in case that would interfere with detection. I also suspended BitDefender operation during the scan to prevent any further interference, but no cigar.)

Your assistance is greatly appreciated. Thank you in advance.

My DDS log...

DDS (Ver_09-03-16.01) - NTFSx86
Run by Bruce at 2:20:12.56 on Fri 04/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.393 [GMT -5:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\RTHDCPL.EXE
svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bruce\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6528
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6528
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {4284077b-145c-4109-9b15-a20ac426d550} - c:\windows\system32\nijonina.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SDTray] "c:\program files\spyware doctor\SDTrayApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [f8453103] rundll32.exe "c:\windows\system32\pebubolo.dll",b
mRun: [CPMfb76029f] Rundll32.exe "c:\windows\system32\widamibo.dll",a
mRun: [lehimifihe] Rundll32.exe "c:\windows\system32\vahuyayu.dll",s
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [CHotkey] zHotkey.exe
mRun: [Alcmtr] ALCMTR.EXE
dRun: [Power2GoExpress] NA
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
AppInit_DLLs: c:\windows\system32\kejowigi.dll c:\windows\system32\widamibo.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}: STS
LSA: Notification Packages = scecli c:\windows\system32\kejowigi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bruce\applic~1\mozilla\firefox\profiles\sah8bn8v.default\
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

R1 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2007-4-16 39376]
R1 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-4-16 53840]
R1 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-4-16 57424]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-4-16 83024]
R2 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-4-16 708688]
R2 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2007-4-16 1309264]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]

=============== Created Last 30 ================

2009-04-24 01:10 <DIR> --d----- C:\VundoFix Backups
2009-04-23 22:13 <DIR> --d--r-- c:\windows\system32\widamibo.dll
2009-04-23 22:10 <DIR> --d--r-- c:\windows\system32\pebubolo.dll
2009-04-23 19:13 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2009-04-22 01:27 <DIR> --d----- c:\windows\pss
2009-04-22 00:16 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-22 00:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-21 16:45 1,409,832 ---sh--- c:\windows\system32\olobubep.ini2
2009-04-21 16:44 1,409,819 ---sh--- c:\windows\system32\olobubep.tmp
2009-04-21 13:38 <DIR> --d----- C:\Ad Photos
2009-04-15 06:28 <DIR> --d----- C:\DeskPhotos

==================== Find3M ====================

2009-04-23 20:41 1,982 a--sh--- c:\windows\system32\muguvora.dll
2009-04-23 20:40 46,080 a--sh--- c:\windows\system32\tuledagi.exe
2009-04-23 20:40 1,982 a--sh--- c:\windows\system32\zunadahi.dll
2009-04-23 20:03 81,984 a------- c:\windows\system32\bdod.bin
2009-04-21 02:08 81,408 -------- c:\windows\system32\dowewelu.dll
2009-04-21 02:08 47,104 a--sh--- c:\windows\system32\siyokume.exe
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 13:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:11 110,592 -------- c:\windows\system32\services.exe
2009-02-06 06:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
2009-01-30 08:49 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2007-03-21 16:04 28 a------- c:\docume~1\alluse~1\applic~1\TEST-acu.dat
2007-03-21 16:01 29 a------- c:\docume~1\alluse~1\applic~1\Owner-acu.dat
2007-03-21 15:15 519 a------- c:\docume~1\alluse~1\applic~1\TEST-acopts.dat
2007-03-21 15:15 49 a------- c:\docume~1\alluse~1\applic~1\TEST-acfw.dat
2007-03-21 14:48 186 ----h--- c:\docume~1\alluse~1\applic~1\Owner-acopts.dat

============= FINISH: 2:21:30.26 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 24 April 2009 - 05:10 AM

Hi,

I'll handle your log. As I am in training, all my fixes have to be checked.
I'll get back to you as soon as is possible. :thumbup2:

#3 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 25 April 2009 - 08:35 AM

Hi,

1. Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


#4 aocvirek

aocvirek
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota - U.S.

Posted 25 April 2009 - 07:45 PM

MBAM Log from Step #1.

Malwarebytes' Anti-Malware 1.36
Database version: 2040
Windows 5.1.2600 Service Pack 3

4/25/2009 7:14:40 PM
mbam-log-2009-04-25 (19-14-40).txt

Scan type: Quick Scan
Objects scanned: 89824
Time elapsed: 12 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\vahuyayu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4284077b-145c-4109-9b15-a20ac426d550} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4284077b-145c-4109-9b15-a20ac426d550} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f8453103 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmfb76029f (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lehimifihe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pebubolo.dll_old (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\olobubep.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vahuyayu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kejowigi.dll_old (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nijonina.dll_old (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\widamibo.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pebubolo.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\reguligu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jijivafo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zunadahi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

RSIT Logs from Step 2.

info.txt logfile of random's system information tool 1.06 2009-04-25 19:27:55

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
AOL Coach Version 2.0(Build:20041026.5 en)-->C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL You've Got Pictures Screensaver-->C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
BigFix-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
BitDefender Antivirus 2009-->MsiExec.exe /X{5942839B-DA20-45D4-809C-D4FE5A45387E}
Browser Address Error Redirector-->regsvr32 /u /s "c:\windows\system32\BAE.dll"
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033
DVD Solution-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Eusing Free Registry Cleaner-->C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
Google Photos Screensaver-->MsiExec.exe /X{A52415E5-CA1E-44DE-9EDC-D412F31D271C}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0531C63A913CC9D1.exe" /uninstall
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
hp LaserJet 1000-->zuninst.exe
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Digital Image Starter Edition 2006-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2006-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Web Publishing Wizard 1.52-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.20)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Multimedia Keyboard Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
Napster Burn Engine-->MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Napster-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9
Norton Security Scan-->MsiExec.exe /I{E5431FB5-B3EB-46C8-8275-F6447131C98A}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Power2Go 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PrintMaster® Gold 8.0-->C:\WINDOWS\UNINST.EXE -f"C:\PROGRA~1\BRODER~1\PRINTM~1\DeIsL1.isu" -c"C:\PROGRA~1\BRODER~1\PRINTM~1\psfinst.dll"
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RegCure 1.5.2.7-->C:\Program Files\RegCure\uninst.exe
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Serif DrawPlus 3.0-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Serif\dp30\DrawPlus_uninst.isu"
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.0-->C:\Program Files\Spyware Doctor\unins000.exe
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB953356)-->"C:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Backup Utility-->MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======Security center information======

AV: BitDefender Antivirus (disabled)

======System event log======

Computer Name: RM
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

Record Number: 23647
Source Name: Service Control Manager
Time Written: 20090324225302.000000-300
Event Type: error
User:

Computer Name: RM
Event Code: 2511
Message: The server service was unable to recreate the share temp because the directory C:\temp no longer exists. Please run "net share temp /delete" to delete the share, or recreate the directory C:\temp.

Record Number: 23639
Source Name: Server
Time Written: 20090324225028.000000-300
Event Type: warning
User:

Computer Name: RM
Event Code: 7000
Message: The HTTP SSL service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


Record Number: 23621
Source Name: Service Control Manager
Time Written: 20090324170755.000000-300
Event Type: error
User:

Computer Name: RM
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.

Record Number: 23620
Source Name: Service Control Manager
Time Written: 20090324170755.000000-300
Event Type: error
User:

Computer Name: RM
Event Code: 2511
Message: The server service was unable to recreate the share temp because the directory C:\temp no longer exists. Please run "net share temp /delete" to delete the share, or recreate the directory C:\temp.

Record Number: 23599
Source Name: Server
Time Written: 20090324170412.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: RM
Event Code: 2002
Message: The MOF file created for the Outlook service could not be loaded. The
error code returned by the MOF Compiler is contained in the Record Data.
Before the performance counters of this service can be collected by WMI
the MOF file will need to be loaded manually. Contact the vendor of this
service for additional information.

Record Number: 17
Source Name: LoadPerf
Time Written: 20060420153043.000000-300
Event Type: warning
User:

Computer Name: RM
Event Code: 5603
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 11
Source Name: WinMgmt
Time Written: 20060420144412.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: RM
Event Code: 5603
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 10
Source Name: WinMgmt
Time Written: 20060420144412.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: RM
Event Code: 5603
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 9
Source Name: WinMgmt
Time Written: 20060420144412.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: RM
Event Code: 5603
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 8
Source Name: WinMgmt
Time Written: 20060420144412.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2f02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Logfile of random's system information tool 1.06 (written by random/random)
Run by Bruce at 2009-04-25 19:27:27
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 134 GB (91%) free of 148 GB
Total RAM: 895 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:51 PM, on 4/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Bruce\Desktop\RSIT.exe
C:\Program Files\trend micro\Bruce.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=T6528
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4284077b-145c-4109-9b15-a20ac426d550} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [lehimifihe] Rundll32.exe "C:\WINDOWS\system32\vahuyayu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lehimifihe] Rundll32.exe "C:\WINDOWS\system32\vahuyayu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\kejowigi.dll c:\windows\system32\widamibo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7879 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\Norton Security Scan.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4284077b-145c-4109-9b15-a20ac426d550}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-03-11 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-24 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-03-11 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\windows\system32\BAE.dll [2006-02-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll [2009-04-01 95536]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-03-11 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 32768]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-09-18 86016]
"readericon"=C:\Program Files\Digital Media Reader\readericon45G.exe [2005-08-27 139264]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-09-08 180269]
"SDTray"=C:\Program Files\Spyware Doctor\SDTrayApp.exe [2007-06-12 1053264]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-05-11 40048]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe [2009-04-15 778240]
"BitDefender Antiphishing Helper"=C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe [2009-04-01 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-09-18 7204864]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-09-14 14820864]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"nwiz"=nwiz.exe /install []
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"CHotkey"=C:\WINDOWS\zHotkey.exe [2004-12-08 550912]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-09-14 69632]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-04-16 68856]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\kejowigi.dll c:\windows\system32\widamibo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\kejowigi.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1138722192\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1138722192\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:IEXPLORE"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe:*:Enabled:PDVDServ"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe:*:Enabled:TeaTimer"
"C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe:*:Enabled:bdagent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50020e81-926d-11da-94a8-806d6172696f}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


======List of files/folders created in the last 3 months======

2009-04-25 19:27:28 ----D---- C:\Program Files\trend micro
2009-04-25 19:27:27 ----D---- C:\rsit
2009-04-25 18:46:28 ----D---- C:\Documents and Settings\Bruce\Application Data\Malwarebytes
2009-04-25 18:46:20 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-25 18:46:19 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-24 01:53:21 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-24 01:10:19 ----D---- C:\VundoFix Backups
2009-04-24 01:10:19 ----A---- C:\VundoFix.txt
2009-04-23 22:13:54 ----D---- C:\WINDOWS\system32\widamibo.dll
2009-04-23 22:10:31 ----D---- C:\WINDOWS\system32\pebubolo.dll
2009-04-23 19:13:22 ----D---- C:\Program Files\Eusing Free Registry Cleaner
2009-04-23 18:30:53 ----D---- C:\Program Files\RegCure
2009-04-22 01:27:59 ----D---- C:\WINDOWS\pss
2009-04-22 00:16:46 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-22 00:16:46 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 16:44:21 ----SH---- C:\WINDOWS\system32\olobubep.tmp
2009-04-21 13:38:50 ----D---- C:\Ad Photos
2009-04-20 15:53:02 ----D---- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2009-04-15 06:28:05 ----D---- C:\DeskPhotos
2009-04-14 22:25:21 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-14 22:25:10 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-14 22:22:55 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-14 22:22:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-14 22:22:29 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-14 22:22:10 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-14 20:43:05 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-04-01 23:25:10 ----D---- C:\Documents and Settings\Bruce\Application Data\Move Networks
2009-03-11 03:04:58 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 03:04:31 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-03-11 03:02:52 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-02-24 23:24:10 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-12 23:53:16 ----A---- C:\WINDOWS\bdagent.INI
2009-02-12 21:24:17 ----D---- C:\Documents and Settings\Bruce\Application Data\Help
2009-02-12 05:57:55 ----A---- C:\WINDOWS\system32\SierraNW.DLL
2009-02-12 05:57:54 ----A---- C:\WINDOWS\system32\SNWValid.dll
2009-02-12 05:50:45 ----A---- C:\WINDOWS\system32\WING32.DLL
2009-02-12 05:47:00 ----D---- C:\SIERRA
2009-02-12 04:31:33 ----A---- C:\WINDOWS\wininit.ini
2009-02-12 02:52:12 ----D---- C:\Program Files\7-Zip
2009-02-10 19:22:26 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-06 07:46:16 ----D---- C:\WINDOWS\Minidump
2009-01-30 23:32:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-01-30 23:31:41 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-01-30 09:00:24 ----D---- C:\WINDOWS\Prefetch
2009-01-30 08:55:27 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-30 08:55:15 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-01-30 08:55:02 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-01-30 08:54:50 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-01-30 08:54:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-01-30 08:54:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-01-30 08:54:14 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-01-30 08:53:57 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-01-30 08:53:46 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-01-30 08:53:34 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-01-30 08:53:17 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-01-30 08:53:05 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-01-30 08:52:52 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-01-30 08:52:39 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-01-30 08:52:29 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-01-30 08:52:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-01-30 08:52:04 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-01-30 08:51:51 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-01-30 08:51:40 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-01-30 08:51:22 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-01-30 08:51:06 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-01-30 08:44:39 ----D---- C:\WINDOWS\system32\scripting
2009-01-30 08:44:38 ----D---- C:\WINDOWS\l2schemas
2009-01-30 08:44:37 ----D---- C:\WINDOWS\system32\en
2009-01-30 08:44:36 ----D---- C:\WINDOWS\system32\bits
2009-01-30 08:42:05 ----D---- C:\WINDOWS\ServicePackFiles
2009-01-30 08:25:16 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-01-30 08:23:40 ----D---- C:\WINDOWS\EHome
2009-01-29 17:45:33 ----D---- C:\Documents and Settings\Bruce\Application Data\Google
2009-01-29 17:45:07 ----D---- C:\Documents and Settings\Bruce\Application Data\BitDefender
2009-01-29 11:08:58 ----D---- C:\Program Files\BitDefender
2009-01-29 11:08:58 ----D---- C:\Documents and Settings\All Users\Application Data\BitDefender
2009-01-29 11:06:09 ----D---- C:\Program Files\Common Files\BitDefender

======List of files/folders modified in the last 3 months======

2009-04-25 19:27:28 ----RD---- C:\Program Files
2009-04-25 19:21:41 ----D---- C:\Program Files\Mozilla Firefox
2009-04-25 19:21:26 ----D---- C:\WINDOWS\Temp
2009-04-25 19:17:08 ----D---- C:\WINDOWS\system32
2009-04-25 19:16:59 ----D---- C:\WINDOWS\system32\Lang
2009-04-25 19:16:38 ----SD---- C:\WINDOWS\Tasks
2009-04-25 19:16:01 ----D---- C:\WINDOWS\system32\drivers
2009-04-25 19:15:25 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-25 17:04:47 ----ASH---- C:\WINDOWS\system32\ligalijo.dll
2009-04-25 17:04:45 ----ASH---- C:\WINDOWS\system32\guzuyavu.exe
2009-04-25 17:03:34 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-04-25 06:39:30 ----D---- C:\Furoca Security
2009-04-24 20:40:21 ----ASH---- C:\WINDOWS\system32\lumuheze.exe
2009-04-24 20:40:20 ----ASH---- C:\WINDOWS\system32\limeruyi.dll
2009-04-24 08:40:15 ----ASH---- C:\WINDOWS\system32\beziseno.dll
2009-04-24 08:40:14 ----ASH---- C:\WINDOWS\system32\modufime.dll
2009-04-24 08:40:13 ----ASH---- C:\WINDOWS\system32\wogirubi.exe
2009-04-24 01:53:21 ----D---- C:\WINDOWS
2009-04-23 20:41:11 ----ASH---- C:\WINDOWS\system32\muguvora.dll
2009-04-23 20:40:58 ----ASH---- C:\WINDOWS\system32\tuledagi.exe
2009-04-22 04:10:14 ----D---- C:\Program Files\Spyware Doctor
2009-04-22 03:56:49 ----RASH---- C:\boot.ini
2009-04-22 03:56:49 ----A---- C:\WINDOWS\win.ini
2009-04-22 03:56:49 ----A---- C:\WINDOWS\system.ini
2009-04-21 23:09:26 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-21 15:08:41 ----N---- C:\WINDOWS\system32\widamibo.dll_old
2009-04-21 02:08:31 ----N---- C:\WINDOWS\system32\dowewelu.dll
2009-04-21 02:08:22 ----ASH---- C:\WINDOWS\system32\siyokume.exe
2009-04-20 13:16:01 ----HD---- C:\WINDOWS\inf
2009-04-14 22:45:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-14 22:41:30 ----D---- C:\WINDOWS\system32\wbem
2009-04-14 22:41:30 ----D---- C:\WINDOWS\AppPatch
2009-04-14 22:25:24 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-14 22:25:17 ----A---- C:\WINDOWS\imsins.BAK
2009-04-14 22:24:52 ----D---- C:\WINDOWS\system32\en-US
2009-04-14 22:24:51 ----D---- C:\Program Files\Internet Explorer
2009-04-14 22:24:33 ----D---- C:\WINDOWS\ie7updates
2009-04-14 22:22:51 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-21 09:06:58 ----A---- C:\WINDOWS\system32\kernel32.dll
2009-03-11 16:38:22 ----D---- C:\Program Files\Google
2009-03-11 16:38:20 ----SHD---- C:\WINDOWS\Installer
2009-03-11 16:35:51 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-03-11 03:04:33 ----D---- C:\WINDOWS\WinSxS
2009-03-06 09:22:18 ----A---- C:\WINDOWS\system32\pdh.dll
2009-03-02 19:18:25 ----A---- C:\WINDOWS\system32\wininet.dll
2009-02-20 13:09:38 ----N---- C:\WINDOWS\system32\webcheck.dll
2009-02-20 13:09:38 ----N---- C:\WINDOWS\system32\pngfilt.dll
2009-02-20 13:09:38 ----N---- C:\WINDOWS\system32\occache.dll
2009-02-20 13:09:38 ----N---- C:\WINDOWS\system32\mstime.dll
2009-02-20 13:09:38 ----N---- C:\WINDOWS\system32\msrating.dll
2009-02-20 13:09:38 ----N---- C:\WINDOWS\system32\mshtmled.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\url.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-02-20 13:09:37 ----N---- C:\WINDOWS\system32\jsproxy.dll
2009-02-20 13:09:37 ----N---- C:\WINDOWS\system32\iernonce.dll
2009-02-20 13:09:37 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-02-20 13:09:37 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-02-20 13:09:37 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-02-20 13:09:37 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-02-20 13:09:36 ----N---- C:\WINDOWS\system32\iedkcs32.dll
2009-02-20 13:09:36 ----N---- C:\WINDOWS\system32\ieaksie.dll
2009-02-20 13:09:36 ----N---- C:\WINDOWS\system32\ieakeng.dll
2009-02-20 13:09:36 ----N---- C:\WINDOWS\system32\extmgr.dll
2009-02-20 13:09:36 ----N---- C:\WINDOWS\system32\dxtrans.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\icardie.dll
2009-02-20 13:09:35 ----N---- C:\WINDOWS\system32\dxtmsft.dll
2009-02-20 13:09:35 ----A---- C:\WINDOWS\system32\advpack.dll
2009-02-20 05:20:49 ----N---- C:\WINDOWS\system32\ie4uinit.exe
2009-02-20 05:20:49 ----A---- C:\WINDOWS\system32\ieudinit.exe
2009-02-20 00:14:12 ----N---- C:\WINDOWS\system32\ieakui.dll
2009-02-12 05:57:55 ----D---- C:\WINDOWS\system
2009-02-09 07:10:49 ----A---- C:\WINDOWS\system32\lsasrv.dll
2009-02-09 07:10:48 ----A---- C:\WINDOWS\system32\rpcss.dll
2009-02-09 07:10:48 ----A---- C:\WINDOWS\system32\ntdll.dll
2009-02-09 07:10:48 ----A---- C:\WINDOWS\system32\advapi32.dll
2009-02-07 19:02:58 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe
2009-02-06 06:11:05 ----N---- C:\WINDOWS\system32\services.exe
2009-02-06 06:08:19 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
2009-02-06 05:39:08 ----A---- C:\WINDOWS\system32\sc.exe
2009-02-03 14:59:07 ----A---- C:\WINDOWS\system32\secur32.dll
2009-01-30 09:04:37 ----A---- C:\WINDOWS\OEWABLog.txt
2009-01-30 09:00:31 ----A---- C:\WINDOWS\setuplog.txt
2009-01-30 08:59:49 ----D---- C:\WINDOWS\system32\Setup
2009-01-30 08:59:49 ----D---- C:\WINDOWS\ime
2009-01-30 08:59:47 ----RSD---- C:\WINDOWS\Fonts
2009-01-30 08:58:59 ----D---- C:\WINDOWS\security
2009-01-30 08:57:14 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-30 08:51:24 ----D---- C:\Program Files\Messenger
2009-01-30 08:45:11 ----D---- C:\WINDOWS\network diagnostic
2009-01-30 08:45:09 ----D---- C:\WINDOWS\Help
2009-01-30 08:44:40 ----D---- C:\WINDOWS\system32\usmt
2009-01-30 08:44:36 ----D---- C:\WINDOWS\PeerNet
2009-01-30 08:44:36 ----D---- C:\Program Files\Movie Maker
2009-01-30 08:41:58 ----D---- C:\WINDOWS\system32\Restore
2009-01-30 08:41:58 ----D---- C:\WINDOWS\system32\npp
2009-01-30 08:41:57 ----D---- C:\WINDOWS\msagent
2009-01-30 08:41:55 ----D---- C:\WINDOWS\srchasst
2009-01-30 08:41:54 ----D---- C:\Program Files\NetMeeting
2009-01-30 08:41:53 ----D---- C:\WINDOWS\system32\Com
2009-01-30 08:41:49 ----D---- C:\Program Files\Windows NT
2009-01-30 08:41:49 ----D---- C:\Program Files\Windows Media Player
2009-01-30 08:41:49 ----D---- C:\Program Files\Outlook Express
2009-01-30 08:41:44 ----D---- C:\Program Files\Common Files\System
2009-01-30 08:41:19 ----D---- C:\WINDOWS\system32\oobe
2009-01-30 08:34:42 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-01-29 11:06:09 ----D---- C:\Program Files\Common Files
2009-01-28 01:16:56 ----D---- C:\Documents and Settings\Bruce\Application Data\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2004-11-10 44288]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2004-11-10 24832]
R1 IKFileFlt;File Filter Driver; C:\WINDOWS\system32\drivers\ikfileflt.sys [2007-05-23 39376]
R1 IKFileSec;File Security Driver; C:\WINDOWS\system32\drivers\ikfilesec.sys [2007-05-23 53840]
R1 IkSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2007-05-23 57424]
R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2007-05-23 83024]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 bdfm;BDFM; C:\WINDOWS\system32\drivers\bdfm.sys [2008-09-18 111112]
R3 bdfsfltr;bdfsfltr; C:\WINDOWS\system32\drivers\bdfsfltr.sys [2008-12-10 242184]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-03-17 1033600]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2005-03-17 221440]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-14 3856896]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-09-18 3493984]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-03-17 705280]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2008-04-13 42752]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2009-04-01 415024]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-09-18 131139]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-01-31 172032]
R2 sdAuxService;Spyware Doctor Auxiliary Service; C:\Program Files\Spyware Doctor\svcntaux.exe [2007-06-12 708688]
R2 sdCoreService;Spyware Doctor Service; C:\Program Files\Spyware Doctor\swdsvc.exe [2007-06-12 1309264]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe [2009-04-01 1626112]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 183280]
S3 Arrakis3;BitDefender Arrakis Server; C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

P.S.
After running MBAM and restarting as prompted, Spybot S&D diplayed TeaTimer windows prompting for permission to allow changes to the registry associated with the removal operations MBAM was performing. I turned off SB.S&D and selected "Allow" in the prompt window that was open. Hopefully it did not interfere with the disinfection process.

P.P.S.
Thanks for your continuing assistance. I hope your training is going well. Seeing as you are a "Senior Classman", I should wish you good luck toward your graduation.

Edited by aocvirek, 25 April 2009 - 08:19 PM.


#5 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 26 April 2009 - 11:16 AM

Hi,

1. Registry Cleaners

I notice the presence of RegCure and Eusing Free Registry Cleaner Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.


http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
http://forums.whatthetech.com/Regcleaner_t42862.html

2. Download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply, together with a new RSIT logfile. Also tell me which problems you still have.

#6 aocvirek

aocvirek
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota - U.S.

Posted 29 April 2009 - 12:10 AM

1. Noted. I'll remove those once we are done here.

Status Update:

It looks like that did the trick. No DLL errors on reboot, no popups, no system instability when loading.

Unless something else catches your eye in these two logs, it looks clean.

Thanks for your assistance!

2. ComboFix Log


ComboFix 09-04-28.02 - Bruce 04/28/2009 23:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.505 [GMT -5:00]
Running from: c:\documents and settings\Bruce\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-26 00:27 . 2009-04-26 00:27 -------- d-----w c:\program files\trend micro
2009-04-26 00:27 . 2009-04-26 00:27 -------- d-----w C:\rsit
2009-04-25 23:46 . 2009-04-25 23:46 -------- d-----w c:\documents and settings\Bruce\Application Data\Malwarebytes
2009-04-25 23:46 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 23:46 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 23:46 . 2009-04-25 23:46 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 23:46 . 2009-04-25 23:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-24 06:10 . 2009-04-24 06:10 -------- d-----w C:\VundoFix Backups
2009-04-24 03:13 . 2009-04-24 03:14 -------- d-----w c:\windows\system32\widamibo.dll
2009-04-24 03:10 . 2009-04-24 03:11 -------- d-----w c:\windows\system32\pebubolo.dll
2009-04-24 00:13 . 2009-04-24 00:33 -------- d-----w c:\program files\Eusing Free Registry Cleaner
2009-04-23 23:30 . 2009-04-23 23:36 -------- d-----w c:\program files\RegCure
2009-04-22 05:16 . 2009-04-22 05:17 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 05:16 . 2009-04-22 07:08 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 18:38 . 2009-04-21 20:06 -------- d-----w C:\Ad Photos
2009-04-20 20:53 . 2009-04-22 04:15 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-04-15 11:28 . 2009-04-20 20:49 -------- d-----w C:\DeskPhotos
2009-04-15 01:43 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 01:43 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 01:43 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 01:43 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 01:43 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 01:43 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 01:43 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 01:43 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 01:43 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 01:43 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 01:43 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-02 04:25 . 2009-04-24 10:02 -------- d-----w c:\documents and settings\Bruce\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 03:25 . 2009-01-29 16:24 81984 ----a-w c:\windows\system32\bdod.bin
2009-04-25 22:04 . 2009-01-25 22:04 1982 --sha-w c:\windows\system32\ligalijo.dll
2009-04-25 22:04 . 2009-01-25 22:04 46592 --sha-w c:\windows\system32\guzuyavu.exe
2009-04-25 01:40 . 2009-01-25 01:40 47616 --sha-w c:\windows\system32\lumuheze.exe
2009-04-25 01:40 . 2009-01-25 01:40 1982 --sha-w c:\windows\system32\limeruyi.dll
2009-04-24 13:40 . 2009-01-24 13:40 1982 --sha-w c:\windows\system32\beziseno.dll
2009-04-24 13:40 . 2009-01-24 13:40 1982 --sha-w c:\windows\system32\modufime.dll
2009-04-24 13:40 . 2009-01-24 13:40 46592 --sha-w c:\windows\system32\wogirubi.exe
2009-04-24 01:41 . 2009-01-24 01:41 1982 --sha-w c:\windows\system32\muguvora.dll
2009-04-24 01:40 . 2009-01-24 01:40 46080 --sha-w c:\windows\system32\tuledagi.exe
2009-04-22 09:10 . 2007-04-16 18:44 -------- d-----w c:\program files\Spyware Doctor
2009-04-21 21:44 . 2009-04-21 21:44 1409819 --sh--w c:\windows\system32\olobubep.tmp
2009-04-21 07:08 . 2009-01-21 07:08 47104 --sha-w c:\windows\system32\siyokume.exe
2009-03-11 21:38 . 2006-01-31 15:34 -------- d-----w c:\program files\Google
2009-03-06 14:22 . 2004-08-26 16:12 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-26 16:12 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-26 16:11 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-12 10:45 . 2009-02-12 10:45 86456 ----a-w c:\documents and settings\Bruce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2004-08-26 16:11 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-26 16:12 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-26 16:12 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-26 16:11 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-26 16:12 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-26 16:12 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-26 16:12 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-26 16:12 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-26 16:12 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-30 13:49 . 2004-08-26 18:03 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-01 22:42 . 2008-10-30 23:34 61440 ----a-w c:\program files\mozilla firefox\components\FFComm.dll
2009-02-26 23:25 . 2006-04-20 20:13 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-02-26 23:25 . 2006-04-20 20:13 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-02-26 23:25 . 2007-04-19 12:21 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-02-26 23:25 . 2007-04-19 12:21 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-02-26 23:25 . 2006-04-20 20:13 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-21 07:02 . 2009-01-21 07:02 50688 --sha-w c:\windows\system32\gizezomi.dll.tmp
2009-01-21 07:02 . 2009-01-21 07:02 50688 --sha-w c:\windows\system32\jalezada.dll.tmp
2009-01-21 07:02 . 2009-01-21 07:02 50688 --sha-w c:\windows\system32\tolataga.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-16 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-08 180269]
"SDTray"="c:\program files\Spyware Doctor\SDTrayApp.exe" [2007-06-12 1053264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-28 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-14 14820864]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\widamibo.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\BitDefender\\BitDefender 2009\\bdagent.exe"=

R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S2 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-06-12 708688]
S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50020e81-926d-11da-94a8-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-16 09:55]

2006-04-20 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

2006-04-20 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

2009-04-24 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-04-20 03:42]

2009-04-29 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-26 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4284077b-145c-4109-9b15-a20ac426d550} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6528
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\sah8bn8v.default\
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 23:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3464)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Spyware Doctor\swdsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-29 23:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 04:51

Pre-Run: 140,408,377,344 bytes free
Post-Run: 140,519,419,904 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

203 --- E O F --- 2009-04-15 03:25

2.1 New RSIT Log

Logfile of random's system information tool 1.06 (written by random/random)
Run by Bruce at 2009-04-28 23:54:34
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 134 GB (91%) free of 148 GB
Total RAM: 895 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:42 PM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bruce\Desktop\RSIT.exe
C:\Program Files\trend micro\Bruce.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\widamibo.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7171 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\Norton Security Scan.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-03-11 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-24 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-03-11 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\windows\system32\BAE.dll [2006-02-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll [2009-04-01 95536]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-03-11 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 32768]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-09-18 86016]
"readericon"=C:\Program Files\Digital Media Reader\readericon45G.exe [2005-08-27 139264]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-09-08 180269]
"SDTray"=C:\Program Files\Spyware Doctor\SDTrayApp.exe [2007-06-12 1053264]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-05-11 40048]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe [2009-04-28 778240]
"BitDefender Antiphishing Helper"=C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe [2009-04-01 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-09-18 7204864]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-09-14 14820864]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"nwiz"=nwiz.exe /install []
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"CHotkey"=C:\WINDOWS\zHotkey.exe [2004-12-08 550912]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-04-16 68856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\windows\system32\widamibo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe:*:Enabled:PDVDServ"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe:*:Enabled:TeaTimer"
"C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe:*:Enabled:bdagent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50020e81-926d-11da-94a8-806d6172696f}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


======List of files/folders created in the last 1 months======

2009-04-28 23:51:38 ----A---- C:\ComboFix.txt
2009-04-28 23:38:07 ----A---- C:\Boot.bak
2009-04-28 23:37:53 ----RASHD---- C:\cmdcons
2009-04-28 23:35:55 ----A---- C:\WINDOWS\zip.exe
2009-04-28 23:35:55 ----A---- C:\WINDOWS\vFind.exe
2009-04-28 23:35:55 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-04-28 23:35:55 ----A---- C:\WINDOWS\SWSC.exe
2009-04-28 23:35:55 ----A---- C:\WINDOWS\SWREG.exe
2009-04-28 23:35:55 ----A---- C:\WINDOWS\sed.exe
2009-04-28 23:35:55 ----A---- C:\WINDOWS\NIRCMD.exe
2009-04-28 23:35:55 ----A---- C:\WINDOWS\grep.exe
2009-04-28 23:35:43 ----D---- C:\WINDOWS\ERDNT
2009-04-28 23:35:32 ----D---- C:\Qoobox
2009-04-28 23:35:14 ----D---- C:\32788R22FWJFW
2009-04-25 19:27:28 ----D---- C:\Program Files\trend micro
2009-04-25 19:27:27 ----D---- C:\rsit
2009-04-25 18:46:28 ----D---- C:\Documents and Settings\Bruce\Application Data\Malwarebytes
2009-04-25 18:46:20 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-25 18:46:19 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-24 01:53:21 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-24 01:10:19 ----D---- C:\VundoFix Backups
2009-04-24 01:10:19 ----A---- C:\VundoFix.txt
2009-04-23 22:13:54 ----D---- C:\WINDOWS\system32\widamibo.dll
2009-04-23 22:10:31 ----D---- C:\WINDOWS\system32\pebubolo.dll
2009-04-23 19:13:22 ----D---- C:\Program Files\Eusing Free Registry Cleaner
2009-04-23 18:30:53 ----D---- C:\Program Files\RegCure
2009-04-22 01:27:59 ----D---- C:\WINDOWS\pss
2009-04-22 00:16:46 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-22 00:16:46 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 16:44:21 ----SH---- C:\WINDOWS\system32\olobubep.tmp
2009-04-21 13:38:50 ----D---- C:\Ad Photos
2009-04-20 15:53:02 ----D---- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2009-04-15 06:28:05 ----D---- C:\DeskPhotos
2009-04-14 22:25:21 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-14 22:25:10 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-14 22:22:55 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-14 22:22:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-14 22:22:29 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-14 22:22:10 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-14 20:43:05 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-04-01 23:25:10 ----D---- C:\Documents and Settings\Bruce\Application Data\Move Networks

======List of files/folders modified in the last 1 months======

2009-04-28 23:51:44 ----D---- C:\WINDOWS\system32\drivers
2009-04-28 23:51:44 ----D---- C:\WINDOWS\system32
2009-04-28 23:51:40 ----D---- C:\WINDOWS\Temp
2009-04-28 23:51:40 ----D---- C:\WINDOWS
2009-04-28 23:47:14 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-28 23:44:49 ----A---- C:\WINDOWS\system.ini
2009-04-28 23:43:35 ----D---- C:\WINDOWS\system32\Lang
2009-04-28 23:43:31 ----SD---- C:\WINDOWS\Tasks
2009-04-28 23:41:59 ----A---- C:\WINDOWS\bdagent.INI
2009-04-28 23:41:49 ----D---- C:\WINDOWS\system32\config
2009-04-28 23:40:29 ----D---- C:\WINDOWS\AppPatch
2009-04-28 23:40:26 ----D---- C:\Program Files\Common Files
2009-04-28 23:38:09 ----RASH---- C:\boot.ini
2009-04-28 23:36:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-28 23:35:44 ----D---- C:\WINDOWS\Prefetch
2009-04-28 23:35:03 ----A---- C:\WINDOWS\win.ini
2009-04-28 23:24:04 ----D---- C:\Program Files\Mozilla Firefox
2009-04-28 22:25:25 ----D---- C:\Furoca Security
2009-04-28 20:06:42 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-04-25 19:27:28 ----RD---- C:\Program Files
2009-04-25 17:04:47 ----ASH---- C:\WINDOWS\system32\ligalijo.dll
2009-04-25 17:04:45 ----ASH---- C:\WINDOWS\system32\guzuyavu.exe
2009-04-24 20:40:21 ----ASH---- C:\WINDOWS\system32\lumuheze.exe
2009-04-24 20:40:20 ----ASH---- C:\WINDOWS\system32\limeruyi.dll
2009-04-24 08:40:15 ----ASH---- C:\WINDOWS\system32\beziseno.dll
2009-04-24 08:40:14 ----ASH---- C:\WINDOWS\system32\modufime.dll
2009-04-24 08:40:13 ----ASH---- C:\WINDOWS\system32\wogirubi.exe
2009-04-23 20:41:11 ----ASH---- C:\WINDOWS\system32\muguvora.dll
2009-04-23 20:40:58 ----ASH---- C:\WINDOWS\system32\tuledagi.exe
2009-04-22 04:10:14 ----D---- C:\Program Files\Spyware Doctor
2009-04-22 02:32:23 ----A---- C:\WINDOWS\wininit.ini
2009-04-22 02:02:23 ----D---- C:\WINDOWS\Minidump
2009-04-21 02:08:22 ----ASH---- C:\WINDOWS\system32\siyokume.exe
2009-04-20 13:16:01 ----HD---- C:\WINDOWS\inf
2009-04-14 22:45:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-14 22:41:30 ----D---- C:\WINDOWS\system32\wbem
2009-04-14 22:25:24 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-14 22:25:17 ----A---- C:\WINDOWS\imsins.BAK
2009-04-14 22:24:52 ----D---- C:\WINDOWS\system32\en-US
2009-04-14 22:24:51 ----D---- C:\Program Files\Internet Explorer
2009-04-14 22:24:33 ----D---- C:\WINDOWS\ie7updates
2009-04-14 22:22:51 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2004-11-10 44288]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2004-11-10 24832]
R1 IKFileFlt;File Filter Driver; C:\WINDOWS\system32\drivers\ikfileflt.sys [2007-05-23 39376]
R1 IKFileSec;File Security Driver; C:\WINDOWS\system32\drivers\ikfilesec.sys [2007-05-23 53840]
R1 IkSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2007-05-23 57424]
R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2007-05-23 83024]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 bdfm;BDFM; C:\WINDOWS\system32\drivers\bdfm.sys [2008-09-18 111112]
R3 bdfsfltr;bdfsfltr; C:\WINDOWS\system32\drivers\bdfsfltr.sys [2008-12-10 242184]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-03-17 1033600]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2005-03-17 221440]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-14 3856896]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-09-18 3493984]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-03-17 705280]
R4 catchme;catchme; \??\C:\DOCUME~1\Bruce\LOCALS~1\Temp\catchme.sys []
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2008-04-13 42752]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2009-04-01 415024]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-09-18 131139]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-01-31 172032]
R2 sdAuxService;Spyware Doctor Auxiliary Service; C:\Program Files\Spyware Doctor\svcntaux.exe [2007-06-12 708688]
R2 sdCoreService;Spyware Doctor Service; C:\Program Files\Spyware Doctor\swdsvc.exe [2007-06-12 1309264]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe [2009-04-01 1626112]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 183280]
S3 Arrakis3;BitDefender Arrakis Server; C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

#7 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 30 April 2009 - 01:14 PM

Hi,

1. Open Notepad.
Copy this code into the Notepad-file:
File::
c:\windows\system32\Info.exe
c:\windows\system32\folder.htt
c:\windows\system32\widamibo.dll
c:\windows\system32\pebubolo.dll
c:\windows\system32\ligalijo.dll
c:\windows\system32\guzuyavu.exe
c:\windows\system32\lumuheze.exe
c:\windows\system32\limeruyi.dll
c:\windows\system32\beziseno.dll
c:\windows\system32\modufime.dll
c:\windows\system32\wogirubi.exe
c:\windows\system32\muguvora.dll
c:\windows\system32\tuledagi.exe
c:\windows\system32\olobubep.tmp
c:\windows\system32\siyokume.exe
c:\windows\system32\gizezomi.dll.tmp
c:\windows\system32\jalezada.dll.tmp
c:\windows\system32\tolataga.dll.tmp
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50020e81-926d-11da-94a8-806d6172696f}]
Save the file as CFScript.txt

Now drag CFScript.txt into ComboFix.exe
Posted Image
ComboFix will restart.
When ComboFix is finished, this could be after a reboot, a logfile will open.
Post the contents of that logfile in your next reply.

2. Download Flash Disinfector to your desktop.
Run it from there, and follow the instructions given.

3. Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
If you need a tutorial, see here

4. Please post a new Hijackthislog, together with the ComboFix and Kaspersky logfiles.

#8 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 05 May 2009 - 07:15 AM

Hi,

Are you still there? Do you have problems with performing the steps given? :thumbup2:
Please let me know.

#9 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 14 May 2009 - 08:54 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users