hijack this log....malware, malware, and more malware. [RESOLVED]

Hello, my name is Rorschach and I'll be helping you with your problems.


Please download VundoFix.exe to your desktop

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

• Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
• Under Additional Scans on the bottom right, check the box for Reg - Disabled MS Config Items.
• Now click the Run Scan button on the toolbar.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply.

VundoFix V6.6.1

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 11:28:31 AM 11/15/2007

Listing files found while scanning....

C:\windows\system32\iiffgff.dll
C:\WINDOWS\system32\jogljkxy.dll
C:\WINDOWS\system32\ljjhijj.dll
C:\windows\system32\qommnli.dll
C:\windows\system32\ytxiathh.dll

Beginning removal...

Attempting to delete C:\windows\system32\iiffgff.dll
C:\windows\system32\iiffgff.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jogljkxy.dll
C:\WINDOWS\system32\jogljkxy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjhijj.dll
C:\WINDOWS\system32\ljjhijj.dll Has been deleted!

Attempting to delete C:\windows\system32\qommnli.dll
C:\windows\system32\qommnli.dll Has been deleted!

Attempting to delete C:\windows\system32\ytxiathh.dll
C:\windows\system32\ytxiathh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.1

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 11:52:04 AM 11/15/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.6.1

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 12:25:52 PM 11/15/2007

Listing files found while scanning....

-----------------


ok...ran vundo fix. im going to run WinPFind3U.exe right now.

cool...heres the winpfind3u log:


WinPFind3 logfile created on: 11/15/2007 12:33:17 PM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\scott\Desktop\winpfind3u\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

511.53 Mb Total Physical Memory | 136.70 Mb Available Physical Memory | 26.72% Memory free
1.22 Gb Paging File | 0.89 Gb Available in Paging File | 72.83% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 21.59 Gb Free Space | 28.97% Space Free
Drive D: | 28.62 Gb Total Space | 1.37 Gb Free Space | 4.78% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: CARLOS
Current User Name: scott
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
acrotray.exe -> %ProgramFiles%\Adobe\Acrobat 6.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.0.2003051500 | Size = 217193 bytes | Modified Date = 5/15/2003 1:19:50 AM | Attr = ]
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 14, 0, 0 | Size = 110592 bytes | Modified Date = 9/6/2007 1:28:18 PM | Attr = ]
cdantsrv.exe -> %System32%\drivers\CDANTSRV.EXE -> C-Dilla Ltd [Ver = 3.27.000 | Size = 46080 bytes | Modified Date = 1/7/2003 5:28:44 PM | Attr = ]
ctnotify.exe -> %ProgramFiles%\Creative\ShareDLL\CTNotify.exe -> Creative Technology Ltd. [Ver = 2.00.02.0 | Size = 191488 bytes | Modified Date = 8/1/2001 2:00:00 AM | Attr = ]
ctsvccda.exe -> %System32%\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 1:01:00 AM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.9: 2007102514 | Size = 7649128 bytes | Modified Date = 11/4/2007 3:27:18 PM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 6:31:10 AM | Attr = ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.4.3.1 | Size = 503608 bytes | Modified Date = 9/26/2007 2:41:56 PM | Attr = ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.4.3.1 | Size = 267064 bytes | Modified Date = 9/26/2007 2:42:04 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_01\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 83608 bytes | Modified Date = 3/14/2007 2:43:44 AM | Attr = ]
lexbces.exe -> %System32%\LexBceS.exe -> Lexmark International, Inc. [Ver = 5,11,00,00 | Size = 278016 bytes | Modified Date = 8/16/2000 1:13:54 PM | Attr = ]
lexpps.exe -> %System32%\Lexpps.exe -> Lexmark International, Inc. [Ver = 5,11,00,00 | Size = 169984 bytes | Modified Date = 8/16/2000 1:10:26 PM | Attr = ]
mediadet.exe -> %ProgramFiles%\Creative\ShareDLL\Mediadet.exe -> Creative Technology Ltd. [Ver = 2.00.02.0 | Size = 166912 bytes | Modified Date = 8/1/2001 2:00:00 AM | Attr = ]
nintendowfcreg.exe -> %ProgramFiles%\WiFiConnector\NintendoWFCReg.exe -> [Ver = 1, 0, 0, 33 | Size = 1073152 bytes | Modified Date = 4/20/2006 11:45:34 AM | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 77824 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr = ]
printray.exe -> %System32%\spool\drivers\w32x86\2\printray.exe -> Lexmark [Ver = 1, 0, 0, 5 | Size = 36864 bytes | Modified Date = 8/16/2000 1:08:16 PM | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 10/22/2006 11:12:02 AM | Attr = ]
samjlpcv.exe -> %System32%\samjlpcv.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Modified Date = 11/14/2007 11:57:30 AM | Attr = ]
shell.exe -> %SystemRoot%\shell.exe -> [Ver = | Size = 9728 bytes | Modified Date = 3/12/2005 11:17:44 PM | Attr = ]
viewmgr.exe -> %ProgramFiles%\Viewpoint\Viewpoint Manager\ViewMgr.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 112336 bytes | Modified Date = 1/4/2007 3:38:20 PM | Attr = ]
viewpointservice.exe -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 3:38:10 PM | Attr = ]
vundofix.exe -> %UserDocuments%\downloads\VundoFix.exe -> Atribune.org [Ver = 6.06.0001 | Size = 117248 bytes | Modified Date = 11/15/2007 11:28:02 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\winpfind3u\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 14, 0, 0 | Size = 110592 bytes | Modified Date = 9/6/2007 1:28:18 PM | Attr = ]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -> [Ver = | Size = 32768 bytes | Modified Date = 7/15/2004 1:49:26 AM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 6:31:10 AM | Attr = ]
(C-DillaSrv) C-DillaSrv [Win32_Own | Auto | Running] -> %System32%\drivers\CDANTSRV.EXE -> C-Dilla Ltd [Ver = 3.27.000 | Size = 46080 bytes | Modified Date = 1/7/2003 5:28:44 PM | Attr = ]
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %System32%\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 1:01:00 AM | Attr = ]
(DefWatch) DefWatch [Win32_Own | Auto | Stopped] -> %ProgramFiles%\NavNT\defwatch.exe -> File not found
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 1:56:48 AM | Attr = ]
(DomainService) DomainService [Win32_Own | Auto | Running] -> %System32%\samjlpcv.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Modified Date = 11/14/2007 11:57:30 AM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.4.3.1 | Size = 503608 bytes | Modified Date = 9/26/2007 2:41:56 PM | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] -> %System32%\LexBceS.exe -> Lexmark International, Inc. [Ver = 5,11,00,00 | Size = 278016 bytes | Modified Date = 8/16/2000 1:13:54 PM | Attr = ]
(Macromedia Licensing Service) Macromedia Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macromedia Shared\Service\Macromedia Licensing.exe -> [Ver = 2.42.000 | Size = 68096 bytes | Modified Date = 2/11/2005 1:19:00 PM | Attr = ]
(Norton AntiVirus Server) Norton AntiVirus Client [Win32_Own | Auto | Stopped] -> %ProgramFiles%\NavNT\rtvscan.exe -> File not found
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 77824 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr = ]
(Viewpoint Manager Service) Viewpoint Manager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 3:38:10 PM | Attr = ]
(wscsvc) Security Center [Win32_Shared | Auto | Stopped] -> C:\WINDOWS\%System32%\svchost.exe -> File not found

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
24941ad8 -> %System32%\yhyqsbje.dll [rundll32.exe "C:\WINDOWS\system32\yhyqsbje.dll",b] -> [Ver = | Size = 85056 bytes | Modified Date = 11/15/2007 12:29:38 PM | Attr = ]
avp -> %SystemRoot%\TEMP\win187.exe -> File not found
CTStartup -> %ProgramFiles%\Creative\Splash Screen\CTEaxSpl.exe -> Creative Technology Ltd. [Ver = 1, 1, 0, 0 | Size = 28672 bytes | Modified Date = 9/14/2001 11:10:00 AM | Attr = ]
Disc Detector -> %ProgramFiles%\Creative\ShareDLL\CTNotify.exe -> Creative Technology Ltd. [Ver = 2.00.02.0 | Size = 191488 bytes | Modified Date = 8/1/2001 2:00:00 AM | Attr = ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.4.3.1 | Size = 267064 bytes | Modified Date = 9/26/2007 2:42:04 PM | Attr = ]
Jet Detection -> %ProgramFiles%\Creative\SBAudigy\Program\ADGJDet.exe -> [Ver = 1, 0, 0, 0 | Size = 28672 bytes | Modified Date = 4/20/2001 2:52:40 PM | Attr = ]
nwiz -> %System32%\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 323584 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr = ]
POINTER -> point32.exe -> File not found
Printer -> %System32%\printer.exe -> [Ver = | Size = 9728 bytes | Modified Date = 3/20/2005 10:34:02 AM | Attr = ]
PrinTray -> %System32%\spool\drivers\w32x86\2\printray.exe -> Lexmark [Ver = 1, 0, 0, 5 | Size = 36864 bytes | Modified Date = 8/16/2000 1:08:16 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe -> Apple Inc. [Ver = 7.2 | Size = 286720 bytes | Modified Date = 6/29/2007 6:24:52 AM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_01\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 83608 bytes | Modified Date = 3/14/2007 2:43:44 AM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 10/22/2006 11:12:02 AM | Attr = ]
UpdReg -> %SystemRoot%\Updreg.exe -> Creative Technology Ltd. [Ver = 1.0.2 | Size = 90112 bytes | Modified Date = 5/11/2000 1:00:00 AM | Attr = ]
vptray -> %ProgramFiles%\NavNT\vptray.exe -> File not found
wpqpmnaj -> Files\wpqpmnaj\cnazyjwd.DLL [rundll32.exe "%ProgramFiles%\wpqpmnaj\cnazyjwd.dll",Init] -> File not found
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Aim6 -> %ProgramFiles%\AIM6\aim6.exe -> AOL LLC [Ver = 1.4.9.1 | Size = 50528 bytes | Modified Date = 10/4/2007 9:20:56 AM | Attr = ]
Spoolsv -> %System32%\spoolvs.exe -> [Ver = | Size = 9728 bytes | Modified Date = 3/20/2005 10:34:02 AM | Attr = ]
Steam -> %ProgramFiles%\Steam\Steam.exe -> Valve Corporation [Ver = 1.0.0.0 | Size = 1271032 bytes | Modified Date = 11/14/2007 8:39:08 PM | Attr = ]
Taen -> %SystemRoot%\MBOLS~1\dllhost.exe -> File not found
Windows update loader -> %SystemRoot%\xpupdate.exe -> File not found
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Acrobat Assistant.lnk -> %ProgramFiles%\Adobe\Acrobat 6.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.0.2003051500 | Size = 217193 bytes | Modified Date = 5/15/2003 1:19:50 AM | Attr = ]
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 10:05:26 PM | Attr = ]
-> %AllUsersStartup%\autorun.exe -> [Ver = | Size = 9728 bytes | Modified Date = 3/20/2005 10:34:02 AM | Attr = ]
%AllUsersStartup%\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk -> %ProgramFiles%\WiFiConnector\NintendoWFCReg.exe -> [Ver = 1, 0, 0, 33 | Size = 1073152 bytes | Modified Date = 4/20/2006 11:45:34 AM | Attr = ]
< User Startup > -> C:\Documents and Settings\scott\Start Menu\Programs\Startup ->
-> %UserStartup%\findfast.exe -> [Ver = | Size = 9728 bytes | Modified Date = 3/20/2005 10:34:02 AM | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
wbsys.dll -> %System32%\wbsys.dll -> Stardock.Net, Inc [Ver = 4, 0, 0, 0 | Size = 36864 bytes | Modified Date = 2/26/2003 9:27:44 PM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 6:29:58 AM | Attr = ]
{837B45D6-BF85-457D-AABF-6D2E7815F791} [HKLM] -> Reg Data - Key not found [] -> File not found
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
xlibgfl254.dll -> xlibgfl254.dll -> File not found
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
C:\WINDOWS\shell.exe -> %SystemRoot%\shell.exe -> [Ver = | Size = 9728 bytes | Modified Date = 3/12/2005 11:17:44 PM | Attr = ]
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
NavLogon -> %System32%\NavLogon.dll -> [Ver = | Size = 45056 bytes | Modified Date = 9/24/2001 7:59:00 AM | Attr = ]
WBSrv -> %ProgramFiles%\Stardock\Object Desktop\WindowBlinds\WbSrv.dll -> Stardock [Ver = 5, 0, 0, 1 | Size = 176128 bytes | Modified Date = 12/6/2005 9:16:30 PM | Attr = ]
winrge32 -> %System32%\winrge32.dll -> [Ver = | Size = 20480 bytes | Modified Date = 11/11/2007 8:30:40 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableRegistryTools -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> _
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoControlPanel -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
< HOSTS File > -> ->
-> Hosts file not found ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.microsoft...p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKLM: Start Page -> http://www.microsoft...p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn...st/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn...st/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKCU: Local Page -> C:\windows\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKCU: Start Page -> http://www.microsoft...p...&ar=msnhome ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 4:16:42 AM | Attr = ]
{200D0AAD-71B1-51C9-DDB0-092BA4662A54} [HKLM] -> %ProgramFiles%\Rqdetcoa\fkywyibl.dll [Reg Data - Value does not exist] -> [Ver = | Size = 114688 bytes | Modified Date = 11/13/2007 1:22:14 AM | Attr = ]
{261C35B4-9283-6344-C5C0-005CF873D624} [HKLM] -> %ProgramFiles%\Gkclneuw\fxucqnrd.dll [Reg Data - Value does not exist] -> [Ver = | Size = 114688 bytes | Modified Date = 11/11/2007 8:30:54 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 3, 0, 12 | Size = 744960 bytes | Modified Date = 5/12/2004 12:03:00 AM | Attr = ]
{7432bac8-7048-4f5b-9c42-51fd3a2dff40} [HKLM] -> %System32%\nowcgfih.dll [Reg Data - Value does not exist] -> [Ver = | Size = 79936 bytes | Modified Date = 11/15/2007 12:29:44 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_01\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 501400 bytes | Modified Date = 3/14/2007 2:43:40 AM | Attr = ]
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{A7327C09-B521-4EDB-8509-7D2660C9EC98} [HKLM] -> %ProgramFiles%\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll [Viewpoint Toolbar BHO] -> Viewpoint Corporation [Ver = 3, 8, 0, 29 | Size = 38584 bytes | Modified Date = 2/24/2007 1:33:52 PM | Attr = ]
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [AcroIEToolbarHelper Class] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 1:03:46 AM | Attr = ]
{CBF5B0F7-FDD2-4C06-8A77-53BC1B7EB69B} [HKLM] -> %System32%\awtss.dll [Reg Data - Value does not exist] -> [Ver = | Size = 319584 bytes | Modified Date = 11/11/2007 8:36:16 PM | Attr = ]
{F10587E9-0E47-4CBE-84AE-7DD20B8684BB} [HKLM] -> %ProgramFiles%\E404 Helper\e404.v4.dll [e404mgr Class] -> [Ver = 1, 0, 0, 1 | Size = 17920 bytes | Modified Date = 11/12/2007 7:33:22 AM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 1:03:46 AM | Attr = ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{11A69AE4-FBED-4832-A2BF-45AF82825583} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 1:03:46 AM | Attr = ]
{F8AD5AA5-D966-4667-9DAF-2561D68B2012} [HKLM] -> %CommonProgramFiles%\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll [Viewpoint Toolbar] -> Viewpoint Corporation [Ver = 3, 8, 0, 29 | Size = 333472 bytes | Modified Date = 2/24/2007 1:33:40 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 1:03:46 AM | Attr = ]
WebBrowser\\{11A69AE4-FBED-4832-A2BF-45AF82825583} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 1:03:46 AM | Attr = ]
WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_01\bin\npjpi160_01.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 132760 bytes | Modified Date = 3/14/2007 2:43:42 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_01\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 501400 bytes | Modified Date = 3/14/2007 2:43:40 AM | Attr = ]
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> %ProgramFiles%\AIM\aim.exe [ButtonText: AIM] -> America Online, Inc. [Ver = 5.9.6089 | Size = 67112 bytes | Modified Date = 8/1/2006 2:35:36 PM | Attr = ]
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
{F4430FE8-2638-42e5-B849-800749B94EED} -> %ProgramFiles%\PartyPoker.net\partypokernet.exe [ButtonText: PartyPoker.net] -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{19350190-B42D-4436-A09D-CCD6EBCBA02E} -> (1394 Net Adapter) ->
{2CC22759-1140-44F9-AB80-3B2BC8FBEC32} -> (Nintendo Wi-Fi USB Connector) ->
{8572293F-E8D6-4225-99D0-A1E9AD4E7518} -> (HP NetServer 10/100TX PCI LAN Adapter) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{01010E00-5E80-11D8-9E86-0007E96C65AE} -> SupportSoft SmartIssue - CodeBase = http://www.symantec....trl/tgctlsi.cab ->
{01012101-5E80-11D8-9E86-0007E96C65AE} -> SupportSoft Script Runner Class - CodeBase = http://www.symantec....trl/tgctlsr.cab ->
{14B87622-7E19-4EA8-93B3-97215F77A6BC} -> MessengerStatsClient Class - CodeBase = http://messenger.zon...nt.cab31267.cab ->
{1F2F4C9E-6F09-47BC-970D-3C54734667FE} -> - CodeBase = http://www.symantec....rl/LSSupCtl.cab ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> MSN Photo Upload Tool - CodeBase = http://gfx2.mail.liv...es/MSNPUpld.cab ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://update.micros...b?1122278741803 ->
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} -> WScanCtl Class - CodeBase = http://www3.ca.com/s...nfo/webscan.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -> MessengerStatsClient Class - CodeBase = http://messenger.zon...nt.cab31267.cab ->
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab ->
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} -> Java Plug-in 1.5.0 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_02 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -> - CodeBase = http://www.symantec....rl/SymAData.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macr...ash/swflash.cab ->

[Registry - Additional Scans - Non-Microsoft Only]

[Files/Folders - Created Within 30 days]
!KillBox -> %SystemDrive%\!KillBox -> [Folder | Created Date = 11/11/2007 10:59:05 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536449024 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 11/15/2007 11:28:31 AM | Attr = ]
$NtUninstallKB943460$ -> %SystemRoot%\$NtUninstallKB943460$ -> [Folder | Created Date = 11/15/2007 11:27:33 AM | Attr = H ]
Casino.ico -> %SystemRoot%\Casino.ico -> [Ver = | Size = 2238 bytes | Created Date = 11/14/2007 12:04:22 PM | Attr = ]
cookies.ini -> %SystemRoot%\cookies.ini -> [Ver = | Size = 366 bytes | Created Date = 11/12/2007 12:43:54 PM | Attr = ]
Free Online Dating.ico -> %SystemRoot%\Free Online Dating.ico -> [Ver = | Size = 1150 bytes | Created Date = 11/14/2007 12:04:21 PM | Attr = ]
mgrs.exe -> %SystemRoot%\mgrs.exe -> [Ver = | Size = 11776 bytes | Created Date = 11/14/2007 12:05:16 PM | Attr = ]
nview -> %SystemRoot%\nview -> [Folder | Created Date = 10/18/2007 4:02:10 AM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 11/4/2007 1:46:38 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 11/4/2007 1:46:38 PM | Attr = H ]
shell.exe -> %SystemRoot%\shell.exe -> [Ver = | Size = 9728 bytes | Created Date = 11/15/2007 12:33:41 AM | Attr = ]
Spyware Remover.ico -> %SystemRoot%\Spyware Remover.ico -> [Ver = | Size = 4846 bytes | Created Date = 11/14/2007 12:04:20 PM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 104 bytes | Created Date = 11/12/2007 8:00:29 AM | Attr = ]
??mbols -> %SystemRoot%\??mbols -> [Folder | Created Date = 7/5/1763 4:33:13 PM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Created Date = 11/15/2007 12:44:35 AM | Attr = ]
agkrdsde.dll -> %System32%\agkrdsde.dll -> [Ver = | Size = 85056 bytes | Created Date = 11/14/2007 12:02:59 PM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 11/15/2007 12:45:16 AM | Attr = ]
awtss.dll -> %System32%\awtss.dll -> [Ver = | Size = 319584 bytes | Created Date = 11/11/2007 8:36:14 PM | Attr = ]
bfeguufo -> %System32%\bfeguufo -> [Folder | Created Date = 11/11/2007 8:30:58 PM | Attr = ]
dumphive.exe -> %System32%\dumphive.exe -> [Ver = | Size = 51200 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
edsdrkga.ini -> %System32%\edsdrkga.ini -> [Ver = | Size = 669330 bytes | Created Date = 11/14/2007 12:03:11 PM | Attr = HS]
ejbsqyhy.ini -> %System32%\ejbsqyhy.ini -> [Ver = | Size = 669390 bytes | Created Date = 11/15/2007 12:29:38 PM | Attr = HS]
fcijytnp.ini -> %System32%\fcijytnp.ini -> [Ver = | Size = 590425 bytes | Created Date = 11/12/2007 12:35:13 PM | Attr = HS]
fibagbia -> %System32%\fibagbia -> [Folder | Created Date = 11/12/2007 12:23:43 PM | Attr = ]
gtmxrine.dll -> %System32%\gtmxrine.dll -> [Ver = | Size = 79424 bytes | Created Date = 11/14/2007 12:03:06 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 11/15/2007 12:44:44 AM | Attr = ]
jogljkxy.dllbox -> %System32%\jogljkxy.dllbox -> [Ver = | Size = 20768 bytes | Created Date = 11/12/2007 12:24:22 PM | Attr = HS]
kohifqdl.exe -> %System32%\kohifqdl.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Created Date = 11/15/2007 12:24:03 PM | Attr = ]
nowcgfih.dll -> %System32%\nowcgfih.dll -> [Ver = | Size = 79936 bytes | Created Date = 11/15/2007 12:29:41 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 11/15/2007 12:44:41 AM | Attr = ]
pntyjicf.dll -> %System32%\pntyjicf.dll -> [Ver = | Size = 89664 bytes | Created Date = 11/12/2007 12:35:02 PM | Attr = ]
printer.exe -> %System32%\printer.exe -> [Ver = | Size = 9728 bytes | Created Date = 11/14/2007 12:11:02 PM | Attr = ]
Process.exe -> %System32%\Process.exe -> http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
samjlpcv.exe -> %System32%\samjlpcv.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Created Date = 11/14/2007 11:57:29 AM | Attr = ]
skwhaofo.exe -> %System32%\skwhaofo.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Created Date = 11/12/2007 12:26:02 PM | Attr = ]
spoolvs.exe -> %System32%\spoolvs.exe -> [Ver = | Size = 9728 bytes | Created Date = 11/14/2007 12:11:03 PM | Attr = ]
SrchSTS.exe -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
sstwa.bak1 -> %System32%\sstwa.bak1 -> [Ver = | Size = 6465 bytes | Created Date = 11/11/2007 8:40:55 PM | Attr = HS]
sstwa.bak2 -> %System32%\sstwa.bak2 -> [Ver = | Size = 441114 bytes | Created Date = 11/11/2007 10:43:10 PM | Attr = HS]
sstwa.ini -> %System32%\sstwa.ini -> [Ver = | Size = 437905 bytes | Created Date = 11/11/2007 8:36:33 PM | Attr = HS]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> [Ver = | Size = 40960 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 3168 bytes | Created Date = 11/12/2007 12:41:42 PM | Attr = ]
ttvwa.ini -> %System32%\ttvwa.ini -> [Ver = | Size = 353 bytes | Created Date = 11/11/2007 8:36:44 PM | Attr = HS]
twepokio.dll -> %System32%\twepokio.dll -> [Ver = | Size = 81472 bytes | Created Date = 11/12/2007 12:38:02 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 11/15/2007 12:44:44 AM | Attr = ]
VCCLSID.exe -> %System32%\VCCLSID.exe -> S!Ri [Ver = | Size = 289144 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
winrge32.dll -> %System32%\winrge32.dll -> [Ver = | Size = 20480 bytes | Created Date = 11/11/2007 8:30:38 PM | Attr = ]
WS2Fix.exe -> %System32%\WS2Fix.exe -> [Ver = | Size = 25600 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
yhyqsbje.dll -> %System32%\yhyqsbje.dll -> [Ver = | Size = 85056 bytes | Created Date = 11/15/2007 12:29:37 PM | Attr = ]
ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 11/15/2007 12:45:16 AM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 11/13/2007 1:37:08 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
!KillBox -> %SystemDrive%\!KillBox -> [Folder | Modified Date = 11/11/2007 10:59:06 PM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 11/4/2007 3:31:16 PM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536449024 bytes | Modified Date = 11/15/2007 12:13:08 PM | Attr = HS]
IPH.PH -> %SystemDrive%\IPH.PH -> [Ver = | Size = 1973 bytes | Modified Date = 11/2/2007 2:24:02 AM | Attr = H ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 11/15/2007 1:17:04 AM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 11/15/2007 11:51:58 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 11/15/2007 12:23:30 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 11/15/2007 11:26:40 AM | Attr = H ]
$NtUninstallKB943460$ -> %SystemRoot%\$NtUninstallKB943460$ -> [Folder | Modified Date = 11/15/2007 11:27:36 AM | Attr = H ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 11/15/2007 12:13:10 PM | Attr = S]
Casino.ico -> %SystemRoot%\Casino.ico -> [Ver = | Size = 2238 bytes | Modified Date = 11/14/2007 12:04:24 PM | Attr = ]
cookies.ini -> %SystemRoot%\cookies.ini -> [Ver = | Size = 366 bytes | Modified Date = 11/14/2007 12:06:52 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 11/15/2007 12:44:40 AM | Attr = S]
Free Online Dating.ico -> %SystemRoot%\Free Online Dating.ico -> [Ver = | Size = 1150 bytes | Modified Date = 11/14/2007 12:04:22 PM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 10/18/2007 4:02:12 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 11/15/2007 11:27:48 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 11/4/2007 3:27:58 PM | Attr = HS]
mgrs.exe -> %SystemRoot%\mgrs.exe -> [Ver = | Size = 11776 bytes | Modified Date = 11/14/2007 12:05:18 PM | Attr = ]
nview -> %SystemRoot%\nview -> [Folder | Modified Date = 10/18/2007 4:02:12 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 11/15/2007 12:30:28 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 11/4/2007 1:46:40 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 11/15/2007 12:24:08 PM | Attr = H ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 11/11/2007 10:40:30 PM | Attr = ]
Spyware Remover.ico -> %SystemRoot%\Spyware Remover.ico -> [Ver = | Size = 4846 bytes | Modified Date = 11/14/2007 12:04:22 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 11/15/2007 12:33:28 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 11/4/2007 1:38:10 PM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 11/15/2007 12:26:04 PM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 104 bytes | Modified Date = 11/12/2007 8:00:30 AM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 11/4/2007 1:40:34 PM | Attr = ]
??mbols -> %SystemRoot%\??mbols -> [Folder | Modified Date = 11/14/2007 8:35:52 PM | Attr = ]
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job -> [Ver = | Size = 284 bytes | Modified Date = 11/7/2007 5:14:02 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 11/15/2007 12:13:20 PM | Attr = H ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 11/15/2007 12:45:48 AM | Attr = ]
agkrdsde.dll -> %System32%\agkrdsde.dll -> [Ver = | Size = 85056 bytes | Modified Date = 11/14/2007 12:03:00 PM | Attr = ]
awtss.dll -> %System32%\awtss.dll -> [Ver = | Size = 319584 bytes | Modified Date = 11/11/2007 8:36:16 PM | Attr = ]
bfeguufo -> %System32%\bfeguufo -> [Folder | Modified Date = 11/11/2007 10:40:16 PM | Attr = ]
BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> %System32%\BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> [Ver = | Size = 23196 bytes | Modified Date = 11/15/2007 11:49:08 AM | Attr = ]
BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> %System32%\BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> [Ver = | Size = 23196 bytes | Modified Date = 11/15/2007 11:49:08 AM | Attr = ]
BMXState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> %System32%\BMXState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> [Ver = | Size = 18560 bytes | Modified Date = 11/15/2007 11:49:08 AM | Attr = ]
BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> %System32%\BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> [Ver = | Size = 18560 bytes | Modified Date = 11/15/2007 11:49:08 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 11/15/2007 11:26:34 AM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 11/11/2007 10:40:46 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 11/15/2007 11:49:36 AM | Attr = ]
drivers -> %System32%\drivers -> [Folder | Modified Date = 11/13/2007 1:37:10 AM | Attr = ]
DRVSTORE -> %System32%\DRVSTORE -> [Folder | Modified Date = 11/4/2007 1:40:52 PM | Attr = ]
DVCState-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat -> %System32%\DVCState-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat -> [Ver = | Size = 24 bytes | Modified Date = 11/15/2007 11:49:08 AM | Attr = ]
DVCStateBkp-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat -> %System32%\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat -> [Ver = | Size = 24 bytes | Modified Date = 11/15/2007 11:49:08 AM | Attr = ]
edsdrkga.ini -> %System32%\edsdrkga.ini -> [Ver = | Size = 669330 bytes | Modified Date = 11/15/2007 12:24:24 PM | Attr = HS]
ejbsqyhy.ini -> %System32%\ejbsqyhy.ini -> [Ver = | Size = 669390 bytes | Modified Date = 11/15/2007 12:29:56 PM | Attr = HS]
fcijytnp.ini -> %System32%\fcijytnp.ini -> [Ver = | Size = 590425 bytes | Modified Date = 11/12/2007 1:01:10 PM | Attr = HS]
fibagbia -> %System32%\fibagbia -> [Folder | Modified Date = 11/12/2007 12:23:52 PM | Attr = ]
gtmxrine.dll -> %System32%\gtmxrine.dll -> [Ver = | Size = 79424 bytes | Modified Date = 11/14/2007 12:03:08 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 11/15/2007 12:44:46 AM | Attr = ]
jogljkxy.dllbox -> %System32%\jogljkxy.dllbox -> [Ver = | Size = 20768 bytes | Modified Date = 11/15/2007 11:48:28 AM | Attr = HS]
kohifqdl.exe -> %System32%\kohifqdl.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Modified Date = 11/15/2007 12:24:04 PM | Attr = ]
nowcgfih.dll -> %System32%\nowcgfih.dll -> [Ver = | Size = 79936 bytes | Modified Date = 11/15/2007 12:29:44 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 11/15/2007 12:44:46 AM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 52968 bytes | Modified Date = 11/4/2007 3:32:46 PM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 380680 bytes | Modified Date = 11/4/2007 3:32:46 PM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 439552 bytes | Modified Date = 11/4/2007 3:32:46 PM | Attr = ]
pntyjicf.dll -> %System32%\pntyjicf.dll -> [Ver = | Size = 89664 bytes | Modified Date = 11/12/2007 12:35:04 PM | Attr = ]
samjlpcv.exe -> %System32%\samjlpcv.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Modified Date = 11/14/2007 11:57:30 AM | Attr = ]
settings.sfm -> %System32%\settings.sfm -> [Ver = | Size = 1072 bytes | Modified Date = 11/15/2007 11:49:08 AM | Attr = ]
settingsbkup.sfm -> %System32%\settingsbkup.sfm -> [Ver = | Size = 1072 bytes | Modified Date = 11/15/2007 11:49:08 AM | Attr = ]
skwhaofo.exe -> %System32%\skwhaofo.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Modified Date = 11/12/2007 12:26:06 PM | Attr = ]
sstwa.bak1 -> %System32%\sstwa.bak1 -> [Ver = | Size = 6465 bytes | Modified Date = 11/11/2007 8:40:56 PM | Attr = HS]
sstwa.bak2 -> %System32%\sstwa.bak2 -> [Ver = | Size = 441114 bytes | Modified Date = 11/15/2007 12:24:02 PM | Attr = HS]
sstwa.ini -> %System32%\sstwa.ini -> [Ver = | Size = 437905 bytes | Modified Date = 11/15/2007 12:33:28 PM | Attr = HS]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 3168 bytes | Modified Date = 11/13/2007 1:08:14 AM | Attr = ]
ttvwa.ini -> %System32%\ttvwa.ini -> [Ver = | Size = 353 bytes | Modified Date = 11/11/2007 8:36:46 PM | Attr = HS]
twepokio.dll -> %System32%\twepokio.dll -> [Ver = | Size = 81472 bytes | Modified Date = 11/12/2007 12:38:04 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 11/15/2007 12:44:46 AM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 11/11/2007 10:40:30 PM | Attr = ]
winrge32.dll -> %System32%\winrge32.dll -> [Ver = | Size = 20480 bytes | Modified Date = 11/11/2007 8:30:40 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 11/15/2007 12:23:44 PM | Attr = ]
yhyqsbje.dll -> %System32%\yhyqsbje.dll -> [Ver = | Size = 85056 bytes | Modified Date = 11/15/2007 12:29:38 PM | Attr = ]
_PersonalityVert1.WB4 -> %System32%\_PersonalityVert1.WB4 -> [Ver = | Size = 274 bytes | Modified Date = 10/23/2007 5:35:18 PM | Attr = ]
_PersonalityVert2.WB4 -> %System32%\_PersonalityVert2.WB4 -> [Ver = | Size = 274 bytes | Modified Date = 10/23/2007 5:35:18 PM | Attr = ]
hosts.ics -> %System32%\drivers\etc\hosts.ics -> [Ver = | Size = 430 bytes | Modified Date = 11/15/2007 12:13:46 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
PEC2 , PECompact2 , -> %SystemRoot%\mgrs.exe -> [Ver = | Size = 11776 bytes | Modified Date = 11/14/2007 12:05:18 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 12/31/2002 6:00:00 AM | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivX, Inc. [Ver = 6.6.1.4 | Size = 740442 bytes | Modified Date = 5/31/2007 12:44:56 AM | Attr = ]
Thawte Consulting , -> %System32%\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.9.2568 | Size = 185952 bytes | Modified Date = 10/22/2006 11:12:08 AM | Attr = ]
Thawte Consulting , -> %System32%\SmartUI2.ocx -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 2.00.6553 | Size = 870152 bytes | Modified Date = 3/15/2007 11:22:38 AM | Attr = ]
UPX! , UPX0 , -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 4:49:30 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Modified Date = 8/29/2006 6:43:54 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swsc.exe -> [Ver = | Size = 40960 bytes | Modified Date = 1/9/2006 9:36:06 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Modified Date = 12/1/2006 5:20:34 AM | Attr = ]
UPX! , UPX0 , -> %System32%\VCCLSID.exe -> S!Ri [Ver = | Size = 289144 bytes | Modified Date = 9/5/2007 11:22:24 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 12/31/2002 6:00:00 AM | Attr = ]
PEC2 , -> %System32%\winrge32.dll -> [Ver = | Size = 20480 bytes | Modified Date = 11/11/2007 8:30:40 PM | Attr = ]
UPX! , UPX0 , -> %System32%\WS2Fix.exe -> [Ver = | Size = 25600 bytes | Modified Date = 10/3/2007 11:36:46 PM | Attr = ]
Thawte Consulting , -> %System32%\XceedCry.dll -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 1.1.6461.0 | Size = 526184 bytes | Modified Date = 3/15/2007 11:19:58 AM | Attr = ]
Thawte Consulting , -> %System32%\XceedZip.dll -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 6.0.6621.0 | Size = 497496 bytes | Modified Date = 3/15/2007 11:23:16 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 12/31/2002 6:00:00 AM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 11:41:38 PM | Attr = ]

< End of report >

Edited by karl_hungus, 15 November 2007 - 12:47 PM.

Hello

Delete SmitfraudFix.exe if you still have it on your PC

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.


Please download SmitfraudFix (by S!Ri) to your Desktop.


Next, please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.





Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall





Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Processes - Non-Microsoft Only]
YY -> samjlpcv.exe -> %System32%\samjlpcv.exe
YY -> shell.exe -> %SystemRoot%\shell.exe
[Win32 Services - Non-Microsoft Only]
YY -> (DomainService) DomainService [Win32_Own | Auto | Running] -> %System32%\samjlpcv.exe
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> 24941ad8 -> %System32%\yhyqsbje.dll [rundll32.exe "C:\WINDOWS\system32\yhyqsbje.dll",b]
YN -> avp -> %SystemRoot%\TEMP\win187.exe
YN -> POINTER -> point32.exe
YY -> Printer -> %System32%\printer.exe
YN -> vptray -> %ProgramFiles%\NavNT\vptray.exe
YN -> wpqpmnaj -> Files\wpqpmnaj\cnazyjwd.DLL [rundll32.exe "%ProgramFiles%\wpqpmnaj\cnazyjwd.dll",Init]
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Spoolsv -> %System32%\spoolvs.exe
YN -> Taen -> %SystemRoot%\MBOLS~1\dllhost.exe
YN -> Windows update loader -> %SystemRoot%\xpupdate.exe
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
YY -> -> %AllUsersStartup%\autorun.exe
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {837B45D6-BF85-457D-AABF-6D2E7815F791} [HKLM] -> Reg Data - Key not found []
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
YN -> xlibgfl254.dll -> xlibgfl254.dll
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YY -> C:\WINDOWS\shell.exe -> %SystemRoot%\shell.exe
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> winrge32 -> %System32%\winrge32.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {200D0AAD-71B1-51C9-DDB0-092BA4662A54} [HKLM] -> %ProgramFiles%\Rqdetcoa\fkywyibl.dll [Reg Data - Value does not exist]
YY -> {261C35B4-9283-6344-C5C0-005CF873D624} [HKLM] -> %ProgramFiles%\Gkclneuw\fxucqnrd.dll [Reg Data - Value does not exist]
YY -> {7432bac8-7048-4f5b-9c42-51fd3a2dff40} [HKLM] -> %System32%\nowcgfih.dll [Reg Data - Value does not exist]
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YY -> {CBF5B0F7-FDD2-4C06-8A77-53BC1B7EB69B} [HKLM] -> %System32%\awtss.dll [Reg Data - Value does not exist]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {11A69AE4-FBED-4832-A2BF-45AF82825583} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{11A69AE4-FBED-4832-A2BF-45AF82825583} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {F4430FE8-2638-42e5-B849-800749B94EED} -> %ProgramFiles%\PartyPoker.net\partypokernet.exe [ButtonText: PartyPoker.net]
[Files/Folders - Created Within 30 days]
NY -> Free Online Dating.ico -> %SystemRoot%\Free Online Dating.ico
NY -> mgrs.exe -> %SystemRoot%\mgrs.exe
NY -> shell.exe -> %SystemRoot%\shell.exe
NY -> Spyware Remover.ico -> %SystemRoot%\Spyware Remover.ico
NY -> wininit.ini -> %SystemRoot%\wininit.ini
NY -> ??mbols -> %SystemRoot%\??mbols
NY -> agkrdsde.dll -> %System32%\agkrdsde.dll
NY -> awtss.dll -> %System32%\awtss.dll
NY -> bfeguufo -> %System32%\bfeguufo
NY -> edsdrkga.ini -> %System32%\edsdrkga.ini
NY -> ejbsqyhy.ini -> %System32%\ejbsqyhy.ini
NY -> fcijytnp.ini -> %System32%\fcijytnp.ini
NY -> fibagbia -> %System32%\fibagbia
NY -> gtmxrine.dll -> %System32%\gtmxrine.dll
NY -> jogljkxy.dllbox -> %System32%\jogljkxy.dllbox
NY -> kohifqdl.exe -> %System32%\kohifqdl.exe
NY -> nowcgfih.dll -> %System32%\nowcgfih.dll
NY -> pntyjicf.dll -> %System32%\pntyjicf.dll
NY -> printer.exe -> %System32%\printer.exe
NY -> samjlpcv.exe -> %System32%\samjlpcv.exe
NY -> skwhaofo.exe -> %System32%\skwhaofo.exe
NY -> spoolvs.exe -> %System32%\spoolvs.exe
NY -> sstwa.bak1 -> %System32%\sstwa.bak1
NY -> sstwa.bak2 -> %System32%\sstwa.bak2
NY -> sstwa.ini -> %System32%\sstwa.ini
NY -> ttvwa.ini -> %System32%\ttvwa.ini
NY -> twepokio.dll -> %System32%\twepokio.dll
NY -> winrge32.dll -> %System32%\winrge32.dll
NY -> yhyqsbje.dll -> %System32%\yhyqsbje.dll
[Files/Folders - Modified Within 30 days]
NY -> Casino.ico -> %SystemRoot%\Casino.ico
NY -> Free Online Dating.ico -> %SystemRoot%\Free Online Dating.ico
NY -> mgrs.exe -> %SystemRoot%\mgrs.exe
NY -> Spyware Remover.ico -> %SystemRoot%\Spyware Remover.ico
NY -> ??mbols -> %SystemRoot%\??mbols
NY -> agkrdsde.dll -> %System32%\agkrdsde.dll
NY -> awtss.dll -> %System32%\awtss.dll
NY -> bfeguufo -> %System32%\bfeguufo
NY -> edsdrkga.ini -> %System32%\edsdrkga.ini
NY -> ejbsqyhy.ini -> %System32%\ejbsqyhy.ini
NY -> fcijytnp.ini -> %System32%\fcijytnp.ini
NY -> fibagbia -> %System32%\fibagbia
NY -> gtmxrine.dll -> %System32%\gtmxrine.dll
NY -> jogljkxy.dllbox -> %System32%\jogljkxy.dllbox
NY -> kohifqdl.exe -> %System32%\kohifqdl.exe
NY -> nowcgfih.dll -> %System32%\nowcgfih.dll
NY -> pntyjicf.dll -> %System32%\pntyjicf.dll
NY -> samjlpcv.exe -> %System32%\samjlpcv.exe
NY -> skwhaofo.exe -> %System32%\skwhaofo.exe
NY -> sstwa.bak1 -> %System32%\sstwa.bak1
NY -> sstwa.bak2 -> %System32%\sstwa.bak2
NY -> sstwa.ini -> %System32%\sstwa.ini
NY -> ttvwa.ini -> %System32%\ttvwa.ini
NY -> twepokio.dll -> %System32%\twepokio.dll
NY -> winrge32.dll -> %System32%\winrge32.dll
NY -> yhyqsbje.dll -> %System32%\yhyqsbje.dll
[File String Scan - Non-Microsoft Only]
NY -> PEC2 , PECompact2 , -> %SystemRoot%\mgrs.exe
NY -> PEC2 , -> %System32%\winrge32.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan(attach the WinPFind3 scan report).

I will review the information when it comes back in.

alright, followed your instructions, with only one hiccup. when running winPFind3U (the fix) i accidentally clicked my mouse, mainly because, well, im an idiot. it had been running for a bit (a couple of minutes), when i mouse clicked, so i let it run for well over an hour...and nothing. you stated that it should only take a very short time, so i restarted (hopefully not a bad move), and tried to run the fix again. left it for an hour or so again, and it never finished. restarted again, and things definitely seem better....im not sure if its completely gone yet, but definitely better.

therefore, i have no log from winPFind3U. here are the smitfraud and combofix logs....

question: is guard.exe a normal windows process, does it get used by malware, or is it just malware? just curious, its still hanging out in task manager.

also, is there any way i can make a donation to you guys using anything other than paypal...im feeling generous already, and thanks again for your help. you guys are awesome.

smitfraud log:

SmitFraudFix v2.252

Scan done at 0:17:26.93, Fri 11/16/2007
Run from C:\Documents and Settings\scott\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\mgrs.exe Deleted
C:\WINDOWS\shell.exe Deleted
C:\WINDOWS\system32\printer.exe Deleted
C:\WINDOWS\system32\spoolvs.exe Deleted
C:\DOCUME~1\scott\STARTM~1\Programs\Startup\findfast.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8572293F-E8D6-4225-99D0-A1E9AD4E7518}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8572293F-E8D6-4225-99D0-A1E9AD4E7518}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8572293F-E8D6-4225-99D0-A1E9AD4E7518}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End






combofix log:

ComboFix 07-11-08.3 - scott 2007-11-16 0:26:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.218 [GMT -6:00]
Running from: C:\Documents and Settings\scott\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\abu\Desktop\Live Safety Center.lnk
C:\Documents and Settings\abu\Desktop\Online Security Guide.lnk
C:\Documents and Settings\abu\Favorites\Error Cleaner.url
C:\Documents and Settings\abu\Favorites\Online Security Guide.lnk
C:\Documents and Settings\abu\Favorites\Privacy Protector.url
C:\Documents and Settings\abu\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Application Data.\jknspqxo.dll
C:\Documents and Settings\All Users\Application Data.\rafsjavm.dll
C:\Documents and Settings\All Users\Application Data.\vqzsfatu.dll
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\scott\Desktop\Live Safety Center.lnk
C:\Documents and Settings\scott\Desktop\Online Security Guide.lnk
C:\Documents and Settings\scott\Favorites\Online Security Guide.lnk
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\mbols~1
C:\WINDOWS\mbols~1\??mbols\
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\bfeguufo
C:\WINDOWS\system32\bfeguufo\bfeguufo1.exe
C:\WINDOWS\system32\bfeguufo\bfeguufo2.exe
C:\WINDOWS\system32\bfeguufo\bfeguufo3.exe
C:\WINDOWS\system32\bfeguufo\bg1.gif
C:\WINDOWS\system32\bfeguufo\bgtop.gif
C:\WINDOWS\system32\bfeguufo\bottom1.gif
C:\WINDOWS\system32\bfeguufo\essentials.gif
C:\WINDOWS\system32\bfeguufo\icon1.ico
C:\WINDOWS\system32\bfeguufo\install1.gif
C:\WINDOWS\system32\bfeguufo\left1.gif
C:\WINDOWS\system32\bfeguufo\li.gif
C:\WINDOWS\system32\bfeguufo\logo.gif
C:\WINDOWS\system32\bfeguufo\main.htm
C:\WINDOWS\system32\bfeguufo\mainframe.htm
C:\WINDOWS\system32\bfeguufo\reinstall1.gif
C:\WINDOWS\system32\bfeguufo\right1.gif
C:\WINDOWS\system32\bfeguufo\s1.htm
C:\WINDOWS\system32\bfeguufo\s2.htm
C:\WINDOWS\system32\bfeguufo\s3.htm
C:\WINDOWS\system32\bfeguufo\SMTop1.gif
C:\WINDOWS\system32\bfeguufo\SMTop2.gif
C:\WINDOWS\system32\bfeguufo\SMTop3.gif
C:\WINDOWS\system32\bfeguufo\SMTop4.gif
C:\WINDOWS\system32\bfeguufo\soft1_off.gif
C:\WINDOWS\system32\bfeguufo\soft1_off_ext.gif
C:\WINDOWS\system32\bfeguufo\soft1_on.gif
C:\WINDOWS\system32\bfeguufo\soft1_on_ext.gif
C:\WINDOWS\system32\bfeguufo\soft2_off.gif
C:\WINDOWS\system32\bfeguufo\soft2_off_ext.gif
C:\WINDOWS\system32\bfeguufo\soft2_on.gif
C:\WINDOWS\system32\bfeguufo\soft2_on_ext.gif
C:\WINDOWS\system32\bfeguufo\soft3_off.gif
C:\WINDOWS\system32\bfeguufo\soft3_off_ext.gif
C:\WINDOWS\system32\bfeguufo\soft3_on.gif
C:\WINDOWS\system32\bfeguufo\soft3_on_ext.gif
C:\WINDOWS\system32\bfeguufo\softbottom_off.gif
C:\WINDOWS\system32\bfeguufo\softbottom_on.gif
C:\WINDOWS\system32\bfeguufo\softleft_off.gif
C:\WINDOWS\system32\bfeguufo\softleft_on.gif
C:\WINDOWS\system32\bfeguufo\top1.gif
C:\WINDOWS\system32\bfeguufo\top2.gif
C:\WINDOWS\system32\bfeguufo\turnoff1.gif
C:\WINDOWS\system32\bfeguufo\turnon1.gif
C:\WINDOWS\system32\fibagbia
C:\WINDOWS\system32\fibagbia\bg1.gif
C:\WINDOWS\system32\fibagbia\bgtop.gif
C:\WINDOWS\system32\fibagbia\bottom1.gif
C:\WINDOWS\system32\fibagbia\essentials.gif
C:\WINDOWS\system32\fibagbia\fibagbia1.exe
C:\WINDOWS\system32\fibagbia\fibagbia2.exe
C:\WINDOWS\system32\fibagbia\fibagbia3.exe
C:\WINDOWS\system32\fibagbia\icon1.ico
C:\WINDOWS\system32\fibagbia\install1.gif
C:\WINDOWS\system32\fibagbia\left1.gif
C:\WINDOWS\system32\fibagbia\li.gif
C:\WINDOWS\system32\fibagbia\logo.gif
C:\WINDOWS\system32\fibagbia\main.htm
C:\WINDOWS\system32\fibagbia\mainframe.htm
C:\WINDOWS\system32\fibagbia\reinstall1.gif
C:\WINDOWS\system32\fibagbia\right1.gif
C:\WINDOWS\system32\fibagbia\s1.htm
C:\WINDOWS\system32\fibagbia\s2.htm
C:\WINDOWS\system32\fibagbia\s3.htm
C:\WINDOWS\system32\fibagbia\SMTop1.gif
C:\WINDOWS\system32\fibagbia\SMTop2.gif
C:\WINDOWS\system32\fibagbia\SMTop3.gif
C:\WINDOWS\system32\fibagbia\SMTop4.gif
C:\WINDOWS\system32\fibagbia\soft1_off.gif
C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft1_on.gif
C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_off.gif
C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_on.gif
C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_off.gif
C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_on.gif
C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
C:\WINDOWS\system32\fibagbia\softbottom_off.gif
C:\WINDOWS\system32\fibagbia\softbottom_on.gif
C:\WINDOWS\system32\fibagbia\softleft_off.gif
C:\WINDOWS\system32\fibagbia\softleft_on.gif
C:\WINDOWS\system32\fibagbia\top1.gif
C:\WINDOWS\system32\fibagbia\top2.gif
C:\WINDOWS\system32\fibagbia\turnoff1.gif
C:\WINDOWS\system32\fibagbia\turnon1.gif
C:\WINDOWS\system32\jogljkxy.dllbox
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\sstwa.bak2
C:\WINDOWS\system32\sstwa.ini
C:\WINDOWS\system32\sstwa.tmp
C:\WINDOWS\system32\winrge32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-16 00:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 12:29 85,056 --a------ C:\WINDOWS\system32\yhyqsbje.dll
2007-11-15 12:29 79,936 --a------ C:\WINDOWS\system32\nowcgfih.dll
2007-11-15 12:24 71,232 --a------ C:\WINDOWS\system32\kohifqdl.exe
2007-11-15 11:28 <DIR> d-------- C:\VundoFix Backups
2007-11-15 01:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 00:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-14 12:19 <DIR> d-------- C:\Documents and Settings\scott\Application Data\ultra
2007-11-14 12:19 161,344 --a------ C:\Documents and Settings\scott\Application Data\trant.exe
2007-11-14 12:03 79,424 --a------ C:\WINDOWS\system32\gtmxrine.dll
2007-11-14 12:02 <DIR> d-------- C:\Program Files\wpqpmnaj
2007-11-14 11:57 71,232 --a------ C:\WINDOWS\system32\samjlpcv.exe
2007-11-13 01:37 <DIR> d-------- C:\Documents and Settings\scott\Application Data\Grisoft
2007-11-13 01:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-13 01:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-13 01:22 <DIR> d-------- C:\Program Files\Rqdetcoa
2007-11-13 01:06 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-13 01:06 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-13 01:06 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-13 01:06 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-13 01:06 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-12 12:41 3,080 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-12 12:38 81,472 --a------ C:\WINDOWS\system32\twepokio.dll
2007-11-12 12:35 89,664 --a------ C:\WINDOWS\system32\pntyjicf.dll
2007-11-12 12:26 71,232 --a------ C:\WINDOWS\system32\skwhaofo.exe
2007-11-12 12:23 <DIR> d-------- C:\Program Files\Gxhczchj
2007-11-11 20:33 <DIR> d-------- C:\Program Files\E404 Helper
2007-11-11 20:30 <DIR> d-------- C:\Program Files\Gkclneuw
2007-11-11 20:30 <DIR> d-------- C:\Program Files\dstqvuty
2007-11-04 13:45 <DIR> d-------- C:\Program Files\iTunes
2007-11-04 13:42 <DIR> d-------- C:\Program Files\QuickTime
2007-11-04 13:40 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-04 13:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-18 04:02 <DIR> d-------- C:\WINDOWS\nview
2007-10-18 03:51 <DIR> d-------- C:\Documents and Settings\scott\Application Data\SystemRequirementsLab
2007-10-18 03:12 <DIR> d-------- C:\Program Files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 19:45 --------- d-----w C:\Program Files\iPod
2007-11-04 19:38 --------- d-----w C:\Program Files\Apple Software Update
2007-10-27 07:11 --------- d-----w C:\Program Files\AIM6
2007-10-27 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-27 07:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-30 22:14 389 ----a-w C:\Documents and Settings\scott\rockconfig.dat
2007-09-30 22:00 3,681 ----a-w C:\Documents and Settings\scott\rocklist.dat
2007-09-24 20:58 --------- d-----w C:\Program Files\Xvid
2007-01-20 18:40 370,312 ----a-w C:\Documents and Settings\scott\jre-6-windows-i586-iftw.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
2007-11-13 01:22 114688 --a------ C:\Program Files\Rqdetcoa\fkywyibl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{261C35B4-9283-6344-C5C0-005CF873D624}]
2007-11-11 20:30 114688 --a------ C:\Program Files\Gkclneuw\fxucqnrd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7432bac8-7048-4f5b-9c42-51fd3a2dff40}]
2007-11-15 12:29 79936 --a------ C:\WINDOWS\system32\nowcgfih.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
2007-11-12 07:33 17920 --a------ C:\Program Files\E404 Helper\e404.v4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 02:00]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 01:00]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-09-14 11:10]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 14:52]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-08-16 13:08]
"POINTER"="point32.exe" []
"vptray"="C:\Program Files\NavNT\vptray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-22 11:12]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"24941ad8"="C:\WINDOWS\system32\yhyqsbje.dll" [2007-11-15 12:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 09:20]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-11-14 20:39]
"Taen"="C:\WINDOWS\MBOLS~1\dllhost.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2006-12-03 19:37:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-06 21:16 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtss.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);C:\WINDOWS\system32\drivers\e10kx2k.sys
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\System32\drivers\CDANT.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 23:14:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 00:44:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? ????B???@???@?? C???????@?????????@?B???A???????A?0?????B???@?????P?????@?? ????????A~??????????@?:?$???????????????B?????<????????????????????`????????B
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???$??????s?????\?w? ?w???????w???w4???l???.??w4???????4???TA?s4????????&2???A~??A~????????\???\???????????U?A~??A~\???\???????h?a??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 0:55:39 - machine was rebooted
.
--- E O F ---

ahh....i just realized i can still give you a scan report from winPFind3U.... here it is:

WinPFind3 logfile created on: 11/16/2007 2:44:30 AM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\scott\Desktop\winpfind3u\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

511.53 Mb Total Physical Memory | 181.60 Mb Available Physical Memory | 35.50% Memory free
1.22 Gb Paging File | 0.90 Gb Available in Paging File | 73.63% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 21.45 Gb Free Space | 28.79% Space Free
Drive D: | 28.62 Gb Total Space | 1.37 Gb Free Space | 4.78% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: CARLOS
Current User Name: scott
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
acrotray.exe -> %ProgramFiles%\Adobe\Acrobat 6.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.0.2003051500 | Size = 217193 bytes | Modified Date = 5/15/2003 1:19:50 AM | Attr = ]
aim6.exe -> %ProgramFiles%\AIM6\aim6.exe -> AOL LLC [Ver = 1.4.9.1 | Size = 50528 bytes | Modified Date = 10/4/2007 9:20:56 AM | Attr = ]
aolsoftware.exe -> %ProgramFiles%\AIM6\aolsoftware.exe -> AOL LLC [Ver = 15.5.1.2 | Size = 42032 bytes | Modified Date = 5/25/2007 11:16:08 AM | Attr = ]
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 14, 0, 0 | Size = 110592 bytes | Modified Date = 9/6/2007 1:28:18 PM | Attr = ]
cdantsrv.exe -> %System32%\drivers\CDANTSRV.EXE -> C-Dilla Ltd [Ver = 3.27.000 | Size = 46080 bytes | Modified Date = 1/7/2003 5:28:44 PM | Attr = ]
ctnotify.exe -> %ProgramFiles%\Creative\ShareDLL\CTNotify.exe -> Creative Technology Ltd. [Ver = 2.00.02.0 | Size = 191488 bytes | Modified Date = 8/1/2001 2:00:00 AM | Attr = ]
ctsvccda.exe -> %System32%\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 1:01:00 AM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.9: 2007102514 | Size = 7649128 bytes | Modified Date = 11/4/2007 3:27:18 PM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 6:31:10 AM | Attr = ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.4.3.1 | Size = 503608 bytes | Modified Date = 9/26/2007 2:41:56 PM | Attr = ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.4.3.1 | Size = 267064 bytes | Modified Date = 9/26/2007 2:42:04 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_01\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 83608 bytes | Modified Date = 3/14/2007 2:43:44 AM | Attr = ]
lexbces.exe -> %System32%\LexBceS.exe -> Lexmark International, Inc. [Ver = 5,11,00,00 | Size = 278016 bytes | Modified Date = 8/16/2000 1:13:54 PM | Attr = ]
lexpps.exe -> %System32%\Lexpps.exe -> Lexmark International, Inc. [Ver = 5,11,00,00 | Size = 169984 bytes | Modified Date = 8/16/2000 1:10:26 PM | Attr = ]
mediadet.exe -> %ProgramFiles%\Creative\ShareDLL\Mediadet.exe -> Creative Technology Ltd. [Ver = 2.00.02.0 | Size = 166912 bytes | Modified Date = 8/1/2001 2:00:00 AM | Attr = ]
nintendowfcreg.exe -> %ProgramFiles%\WiFiConnector\NintendoWFCReg.exe -> [Ver = 1, 0, 0, 33 | Size = 1073152 bytes | Modified Date = 4/20/2006 11:45:34 AM | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 77824 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr = ]
printray.exe -> %System32%\spool\drivers\w32x86\2\printray.exe -> Lexmark [Ver = 1, 0, 0, 5 | Size = 36864 bytes | Modified Date = 8/16/2000 1:08:16 PM | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 10/22/2006 11:12:02 AM | Attr = ]
viewmgr.exe -> %ProgramFiles%\Viewpoint\Viewpoint Manager\ViewMgr.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 112336 bytes | Modified Date = 1/4/2007 3:38:20 PM | Attr = ]
viewpointservice.exe -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 3:38:10 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\winpfind3u\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 14, 0, 0 | Size = 110592 bytes | Modified Date = 9/6/2007 1:28:18 PM | Attr = ]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -> [Ver = | Size = 32768 bytes | Modified Date = 7/15/2004 1:49:26 AM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 6:31:10 AM | Attr = ]
(C-DillaSrv) C-DillaSrv [Win32_Own | Auto | Running] -> %System32%\drivers\CDANTSRV.EXE -> C-Dilla Ltd [Ver = 3.27.000 | Size = 46080 bytes | Modified Date = 1/7/2003 5:28:44 PM | Attr = ]
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %System32%\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 1:01:00 AM | Attr = ]
(DefWatch) DefWatch [Win32_Own | Auto | Stopped] -> %ProgramFiles%\NavNT\defwatch.exe -> File not found
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 1:56:48 AM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.4.3.1 | Size = 503608 bytes | Modified Date = 9/26/2007 2:41:56 PM | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] -> %System32%\LexBceS.exe -> Lexmark International, Inc. [Ver = 5,11,00,00 | Size = 278016 bytes | Modified Date = 8/16/2000 1:13:54 PM | Attr = ]
(Macromedia Licensing Service) Macromedia Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macromedia Shared\Service\Macromedia Licensing.exe -> [Ver = 2.42.000 | Size = 68096 bytes | Modified Date = 2/11/2005 1:19:00 PM | Attr = ]
(Norton AntiVirus Server) Norton AntiVirus Client [Win32_Own | Auto | Stopped] -> %ProgramFiles%\NavNT\rtvscan.exe -> File not found
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 77824 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr = ]
(Viewpoint Manager Service) Viewpoint Manager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 3:38:10 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
CTStartup -> %ProgramFiles%\Creative\Splash Screen\CTEaxSpl.exe -> Creative Technology Ltd. [Ver = 1, 1, 0, 0 | Size = 28672 bytes | Modified Date = 9/14/2001 11:10:00 AM | Attr = ]
Disc Detector -> %ProgramFiles%\Creative\ShareDLL\CTNotify.exe -> Creative Technology Ltd. [Ver = 2.00.02.0 | Size = 191488 bytes | Modified Date = 8/1/2001 2:00:00 AM | Attr = ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.4.3.1 | Size = 267064 bytes | Modified Date = 9/26/2007 2:42:04 PM | Attr = ]
Jet Detection -> %ProgramFiles%\Creative\SBAudigy\Program\ADGJDet.exe -> [Ver = 1, 0, 0, 0 | Size = 28672 bytes | Modified Date = 4/20/2001 2:52:40 PM | Attr = ]
nwiz -> %System32%\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 323584 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr = ]
PrinTray -> %System32%\spool\drivers\w32x86\2\printray.exe -> Lexmark [Ver = 1, 0, 0, 5 | Size = 36864 bytes | Modified Date = 8/16/2000 1:08:16 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe -> Apple Inc. [Ver = 7.2 | Size = 286720 bytes | Modified Date = 6/29/2007 6:24:52 AM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_01\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 83608 bytes | Modified Date = 3/14/2007 2:43:44 AM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 10/22/2006 11:12:02 AM | Attr = ]
UpdReg -> %SystemRoot%\Updreg.exe -> Creative Technology Ltd. [Ver = 1.0.2 | Size = 90112 bytes | Modified Date = 5/11/2000 1:00:00 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Aim6 -> %ProgramFiles%\AIM6\aim6.exe -> AOL LLC [Ver = 1.4.9.1 | Size = 50528 bytes | Modified Date = 10/4/2007 9:20:56 AM | Attr = ]
Steam -> %ProgramFiles%\Steam\Steam.exe -> Valve Corporation [Ver = 1.0.0.0 | Size = 1271032 bytes | Modified Date = 11/14/2007 8:39:08 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Acrobat Assistant.lnk -> %ProgramFiles%\Adobe\Acrobat 6.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.0.2003051500 | Size = 217193 bytes | Modified Date = 5/15/2003 1:19:50 AM | Attr = ]
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 10:05:26 PM | Attr = ]
%AllUsersStartup%\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk -> %ProgramFiles%\WiFiConnector\NintendoWFCReg.exe -> [Ver = 1, 0, 0, 33 | Size = 1073152 bytes | Modified Date = 4/20/2006 11:45:34 AM | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
wbsys.dll -> %System32%\wbsys.dll -> Stardock.Net, Inc [Ver = 4, 0, 0, 0 | Size = 36864 bytes | Modified Date = 2/26/2003 9:27:44 PM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 6:29:58 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
xlibgfl254.dll -> xlibgfl254.dll -> File not found
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
NavLogon -> %System32%\NavLogon.dll -> [Ver = | Size = 45056 bytes | Modified Date = 9/24/2001 7:59:00 AM | Attr = ]
WBSrv -> %ProgramFiles%\Stardock\Object Desktop\WindowBlinds\WbSrv.dll -> Stardock [Ver = 5, 0, 0, 1 | Size = 176128 bytes | Modified Date = 12/6/2005 9:16:30 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> _
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.microsoft...p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKLM: Start Page -> http://www.microsoft...p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn...st/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn...st/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKCU: Local Page -> C:\windows\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKCU: Start Page -> http://www.microsoft...p...&ar=msnhome ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 4:16:42 AM | Attr = ]
{200D0AAD-71B1-51C9-DDB0-092BA4662A54} [HKLM] -> %ProgramFiles%\Rqdetcoa\fkywyibl.dll [Reg Data - Value does not exist] -> [Ver = | Size = 114688 bytes | Modified Date = 11/13/2007 1:22:14 AM | Attr = ]
{261C35B4-9283-6344-C5C0-005CF873D624} [HKLM] -> %ProgramFiles%\Gkclneuw\fxucqnrd.dll [Reg Data - Value does not exist] -> [Ver = | Size = 114688 bytes | Modified Date = 11/11/2007 8:30:54 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 3, 0, 12 | Size = 744960 bytes | Modified Date = 5/12/2004 12:03:00 AM | Attr = ]
{7432bac8-7048-4f5b-9c42-51fd3a2dff40} [HKLM] -> %System32%\nowcgfih.dll [Reg Data - Value does not exist] -> [Ver = | Size = 79936 bytes | Modified Date = 11/15/2007 12:29:44 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_01\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 501400 bytes | Modified Date = 3/14/2007 2:43:40 AM | Attr = ]
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{A7327C09-B521-4EDB-8509-7D2660C9EC98} [HKLM] -> %ProgramFiles%\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll [Viewpoint Toolbar BHO] -> Viewpoint Corporation [Ver = 3, 8, 0, 29 | Size = 38584 bytes | Modified Date = 2/24/2007 1:33:52 PM | Attr = ]
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [AcroIEToolbarHelper Class] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 1:03:46 AM | Attr = ]
{F10587E9-0E47-4CBE-84AE-7DD20B8684BB} [HKLM] -> %ProgramFiles%\E404 Helper\e404.v4.dll [e404mgr Class] -> [Ver = 1, 0, 0, 1 | Size = 17920 bytes | Modified Date = 11/12/2007 7:33:22 AM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 1:03:46 AM | Attr = ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 1:03:46 AM | Attr = ]
{F8AD5AA5-D966-4667-9DAF-2561D68B2012} [HKLM] -> %CommonProgramFiles%\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll [Viewpoint Toolbar] -> Viewpoint Corporation [Ver = 3, 8, 0, 29 | Size = 333472 bytes | Modified Date = 2/24/2007 1:33:40 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 1:03:46 AM | Attr = ]
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 5/15/2003 1:03:46 AM | Attr = ]
WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_01\bin\npjpi160_01.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 132760 bytes | Modified Date = 3/14/2007 2:43:42 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_01\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 501400 bytes | Modified Date = 3/14/2007 2:43:40 AM | Attr = ]
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> %ProgramFiles%\AIM\aim.exe [ButtonText: AIM] -> America Online, Inc. [Ver = 5.9.6089 | Size = 67112 bytes | Modified Date = 8/1/2006 2:35:36 PM | Attr = ]
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
{F4430FE8-2638-42e5-B849-800749B94EED} -> %ProgramFiles%\PartyPoker.net\partypokernet.exe [ButtonText: PartyPoker.net] -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{19350190-B42D-4436-A09D-CCD6EBCBA02E} -> (1394 Net Adapter) ->
{2CC22759-1140-44F9-AB80-3B2BC8FBEC32} -> (Nintendo Wi-Fi USB Connector) ->
{8572293F-E8D6-4225-99D0-A1E9AD4E7518} -> (HP NetServer 10/100TX PCI LAN Adapter) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{01010E00-5E80-11D8-9E86-0007E96C65AE} -> SupportSoft SmartIssue - CodeBase = http://www.symantec....trl/tgctlsi.cab ->
{01012101-5E80-11D8-9E86-0007E96C65AE} -> SupportSoft Script Runner Class - CodeBase = http://www.symantec....trl/tgctlsr.cab ->
{14B87622-7E19-4EA8-93B3-97215F77A6BC} -> MessengerStatsClient Class - CodeBase = http://messenger.zon...nt.cab31267.cab ->
{1F2F4C9E-6F09-47BC-970D-3C54734667FE} -> - CodeBase = http://www.symantec....rl/LSSupCtl.cab ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> MSN Photo Upload Tool - CodeBase = http://gfx2.mail.liv...es/MSNPUpld.cab ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://update.micros...b?1122278741803 ->
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} -> WScanCtl Class - CodeBase = http://www3.ca.com/s...nfo/webscan.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -> MessengerStatsClient Class - CodeBase = http://messenger.zon...nt.cab31267.cab ->
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab ->
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} -> Java Plug-in 1.5.0 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_02 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -> - CodeBase = http://www.symantec....rl/SymAData.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macr...ash/swflash.cab ->

[Files/Folders - Created Within 30 days]
!KillBox -> %SystemDrive%\!KillBox -> [Folder | Created Date = 11/11/2007 10:59:05 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536449024 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = HS]
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 11/16/2007 12:24:55 AM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 11/15/2007 11:28:31 AM | Attr = ]
$NtUninstallKB943460$ -> %SystemRoot%\$NtUninstallKB943460$ -> [Folder | Created Date = 11/15/2007 11:27:33 AM | Attr = H ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136704 bytes | Created Date = 11/16/2007 12:23:41 AM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 11/16/2007 12:35:22 AM | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 11/16/2007 12:23:41 AM | Attr = ]
nview -> %SystemRoot%\nview -> [Folder | Created Date = 10/18/2007 4:02:10 AM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 11/4/2007 1:46:38 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 11/4/2007 1:46:38 PM | Attr = H ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 104 bytes | Created Date = 11/12/2007 8:00:29 AM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Created Date = 11/15/2007 12:44:35 AM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 11/15/2007 12:45:16 AM | Attr = ]
dumphive.exe -> %System32%\dumphive.exe -> [Ver = | Size = 51200 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
edsdrkga.ini -> %System32%\edsdrkga.ini -> [Ver = | Size = 669330 bytes | Created Date = 11/14/2007 12:03:11 PM | Attr = HS]
ejbsqyhy.ini -> %System32%\ejbsqyhy.ini -> [Ver = | Size = 669570 bytes | Created Date = 11/15/2007 12:29:38 PM | Attr = HS]
fcijytnp.ini -> %System32%\fcijytnp.ini -> [Ver = | Size = 590425 bytes | Created Date = 11/12/2007 12:35:13 PM | Attr = HS]
gtmxrine.dll -> %System32%\gtmxrine.dll -> [Ver = | Size = 79424 bytes | Created Date = 11/14/2007 12:03:06 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 11/15/2007 12:44:44 AM | Attr = ]
kohifqdl.exe -> %System32%\kohifqdl.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Created Date = 11/15/2007 12:24:03 PM | Attr = ]
nowcgfih.dll -> %System32%\nowcgfih.dll -> [Ver = | Size = 79936 bytes | Created Date = 11/15/2007 12:29:41 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 11/15/2007 12:44:41 AM | Attr = ]
pntyjicf.dll -> %System32%\pntyjicf.dll -> [Ver = | Size = 89664 bytes | Created Date = 11/12/2007 12:35:02 PM | Attr = ]
Process.exe -> %System32%\Process.exe -> http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
skwhaofo.exe -> %System32%\skwhaofo.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Created Date = 11/12/2007 12:26:02 PM | Attr = ]
SrchSTS.exe -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> [Ver = | Size = 40960 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 3080 bytes | Created Date = 11/12/2007 12:41:42 PM | Attr = ]
ttvwa.ini -> %System32%\ttvwa.ini -> [Ver = | Size = 353 bytes | Created Date = 11/11/2007 8:36:44 PM | Attr = HS]
twepokio.dll -> %System32%\twepokio.dll -> [Ver = | Size = 81472 bytes | Created Date = 11/12/2007 12:38:02 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 11/15/2007 12:44:44 AM | Attr = ]
VCCLSID.exe -> %System32%\VCCLSID.exe -> S!Ri [Ver = | Size = 289144 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 11/16/2007 12:23:40 AM | Attr = ]
WS2Fix.exe -> %System32%\WS2Fix.exe -> [Ver = | Size = 25600 bytes | Created Date = 11/13/2007 1:06:03 AM | Attr = ]
ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 11/15/2007 12:45:16 AM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 11/13/2007 1:37:08 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
!KillBox -> %SystemDrive%\!KillBox -> [Folder | Modified Date = 11/11/2007 10:59:06 PM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 11/4/2007 3:31:16 PM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536449024 bytes | Modified Date = 11/16/2007 2:17:14 AM | Attr = HS]
IPH.PH -> %SystemDrive%\IPH.PH -> [Ver = | Size = 1973 bytes | Modified Date = 11/2/2007 2:24:02 AM | Attr = H ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 11/16/2007 12:33:26 AM | Attr = ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 11/16/2007 12:55:32 AM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 11/15/2007 11:51:58 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 11/16/2007 12:35:24 AM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 11/15/2007 11:26:40 AM | Attr = H ]
$NtUninstallKB943460$ -> %SystemRoot%\$NtUninstallKB943460$ -> [Folder | Modified Date = 11/15/2007 11:27:36 AM | Attr = H ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 11/16/2007 2:17:18 AM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136704 bytes | Modified Date = 11/8/2007 4:59:02 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 11/15/2007 12:44:40 AM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 11/16/2007 12:35:24 AM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 10/18/2007 4:02:12 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 11/15/2007 11:27:48 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 11/4/2007 3:27:58 PM | Attr = HS]
nview -> %SystemRoot%\nview -> [Folder | Modified Date = 10/18/2007 4:02:12 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 11/16/2007 2:37:32 AM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 11/4/2007 1:46:40 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 11/16/2007 2:17:48 AM | Attr = H ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 11/11/2007 10:40:30 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 11/16/2007 1:06:10 AM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 11/4/2007 1:38:10 PM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 11/16/2007 2:17:48 AM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 104 bytes | Modified Date = 11/12/2007 8:00:30 AM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 11/4/2007 1:40:34 PM | Attr = ]
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job -> [Ver = | Size = 284 bytes | Modified Date = 11/7/2007 5:14:02 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 11/16/2007 2:17:22 AM | Attr = H ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 11/15/2007 12:45:48 AM | Attr = ]
BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> %System32%\BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> [Ver = | Size = 23196 bytes | Modified Date = 11/16/2007 2:16:30 AM | Attr = ]
BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> %System32%\BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> [Ver = | Size = 23196 bytes | Modified Date = 11/16/2007 2:16:30 AM | Attr = ]
BMXState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> %System32%\BMXState-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> [Ver = | Size = 18560 bytes | Modified Date = 11/16/2007 2:16:30 AM | Attr = ]
BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> %System32%\BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00531102}.rfx -> [Ver = | Size = 18560 bytes | Modified Date = 11/16/2007 2:16:30 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 11/15/2007 11:26:34 AM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 11/16/2007 12:35:48 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 11/15/2007 11:49:36 AM | Attr = ]
drivers -> %System32%\drivers -> [Folder | Modified Date = 11/16/2007 12:26:48 AM | Attr = ]
DRVSTORE -> %System32%\DRVSTORE -> [Folder | Modified Date = 11/4/2007 1:40:52 PM | Attr = ]
DVCState-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat -> %System32%\DVCState-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat -> [Ver = | Size = 24 bytes | Modified Date = 11/16/2007 2:16:30 AM | Attr = ]
DVCStateBkp-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat -> %System32%\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat -> [Ver = | Size = 24 bytes | Modified Date = 11/16/2007 2:16:30 AM | Attr = ]
edsdrkga.ini -> %System32%\edsdrkga.ini -> [Ver = | Size = 669330 bytes | Modified Date = 11/15/2007 12:24:24 PM | Attr = HS]
ejbsqyhy.ini -> %System32%\ejbsqyhy.ini -> [Ver = | Size = 669570 bytes | Modified Date = 11/16/2007 12:55:52 AM | Attr = HS]
fcijytnp.ini -> %System32%\fcijytnp.ini -> [Ver = | Size = 590425 bytes | Modified Date = 11/12/2007 1:01:10 PM | Attr = HS]
gtmxrine.dll -> %System32%\gtmxrine.dll -> [Ver = | Size = 79424 bytes | Modified Date = 11/14/2007 12:03:08 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 11/15/2007 12:44:46 AM | Attr = ]
kohifqdl.exe -> %System32%\kohifqdl.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Modified Date = 11/15/2007 12:24:04 PM | Attr = ]
nowcgfih.dll -> %System32%\nowcgfih.dll -> [Ver = | Size = 79936 bytes | Modified Date = 11/15/2007 12:29:44 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 11/15/2007 12:44:46 AM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 52968 bytes | Modified Date = 11/4/2007 3:32:46 PM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 380680 bytes | Modified Date = 11/4/2007 3:32:46 PM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 439552 bytes | Modified Date = 11/4/2007 3:32:46 PM | Attr = ]
pntyjicf.dll -> %System32%\pntyjicf.dll -> [Ver = | Size = 89664 bytes | Modified Date = 11/12/2007 12:35:04 PM | Attr = ]
settings.sfm -> %System32%\settings.sfm -> [Ver = | Size = 1072 bytes | Modified Date = 11/16/2007 2:16:30 AM | Attr = ]
settingsbkup.sfm -> %System32%\settingsbkup.sfm -> [Ver = | Size = 1072 bytes | Modified Date = 11/16/2007 2:16:30 AM | Attr = ]
skwhaofo.exe -> %System32%\skwhaofo.exe -> [Ver = 1, 0, 0, 1 | Size = 71232 bytes | Modified Date = 11/12/2007 12:26:06 PM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 3080 bytes | Modified Date = 11/16/2007 12:17:40 AM | Attr = ]
ttvwa.ini -> %System32%\ttvwa.ini -> [Ver = | Size = 353 bytes | Modified Date = 11/11/2007 8:36:46 PM | Attr = HS]
twepokio.dll -> %System32%\twepokio.dll -> [Ver = | Size = 81472 bytes | Modified Date = 11/12/2007 12:38:04 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 11/15/2007 12:44:46 AM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 11/11/2007 10:40:30 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 11/16/2007 2:18:00 AM | Attr = ]
_PersonalityVert1.WB4 -> %System32%\_PersonalityVert1.WB4 -> [Ver = | Size = 274 bytes | Modified Date = 10/23/2007 5:35:18 PM | Attr = ]
_PersonalityVert2.WB4 -> %System32%\_PersonalityVert2.WB4 -> [Ver = | Size = 274 bytes | Modified Date = 10/23/2007 5:35:18 PM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 11/16/2007 12:43:50 AM | Attr = ]
hosts.ics -> %System32%\drivers\etc\hosts.ics -> [Ver = | Size = 430 bytes | Modified Date = 11/16/2007 2:17:50 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 12/31/2002 6:00:00 AM | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivX, Inc. [Ver = 6.6.1.4 | Size = 740442 bytes | Modified Date = 5/31/2007 12:44:56 AM | Attr = ]
Thawte Consulting , -> %System32%\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.9.2568 | Size = 185952 bytes | Modified Date = 10/22/2006 11:12:08 AM | Attr = ]
Thawte Consulting , -> %System32%\SmartUI2.ocx -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 2.00.6553 | Size = 870152 bytes | Modified Date = 3/15/2007 11:22:38 AM | Attr = ]
UPX! , UPX0 , -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 4:49:30 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swsc.exe -> [Ver = | Size = 40960 bytes | Modified Date = 1/9/2006 9:36:06 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Modified Date = 12/1/2006 5:20:34 AM | Attr = ]
UPX! , UPX0 , -> %System32%\VCCLSID.exe -> S!Ri [Ver = | Size = 289144 bytes | Modified Date = 9/5/2007 11:22:24 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 12/31/2002 6:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\WS2Fix.exe -> [Ver = | Size = 25600 bytes | Modified Date = 10/3/2007 11:36:46 PM | Attr = ]
Thawte Consulting , -> %System32%\XceedCry.dll -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 1.1.6461.0 | Size = 526184 bytes | Modified Date = 3/15/2007 11:19:58 AM | Attr = ]
Thawte Consulting , -> %System32%\XceedZip.dll -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 6.0.6621.0 | Size = 497496 bytes | Modified Date = 3/15/2007 11:23:16 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 12/31/2002 6:00:00 AM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 11:41:38 PM | Attr = ]

< End of report >

Hello

Backup Your Registry with ERUNT

• Please use the following link and scroll down to ERUNT and download it.
  http://aumha.org/freeware/freeware.php
• For version with the Installer:
  Use the setup program to install ERUNT on your computer
• For the zipped version:
  Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\yhyqsbje.dll
C:\WINDOWS\system32\nowcgfih.dll
C:\WINDOWS\system32\kohifqdl.exe
C:\WINDOWS\system32\gtmxrine.dll
C:\WINDOWS\system32\samjlpcv.exe
C:\WINDOWS\system32\twepokio.dll
C:\WINDOWS\system32\pntyjicf.dll
C:\WINDOWS\system32\skwhaofo.exe

Folder::
C:\Program Files\Gxhczchj
C:\Program Files\Rqdetcoa
C:\Program Files\E404 Helper
C:\Program Files\Gkclneuw
C:\Program Files\dstqvuty
C:\Program Files\wpqpmnaj

Registry::
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log.

Oh and guard.exe is related to AVG anti-spyware so it is ok to have running.

Will have to find out about donations. Just telling people about the site would be of help !

ok, backed up the reg., and ran combofix...but i uhh...we seem to have misplaced my taskbar...its gotta be somewhere around here...

its down there. all two pixels tall of it. i can right click on it to get options, but i cant get it to come up.

so heres my combofix log for you for now....ill run hijack this right now and post it when its finished.

hopefully we can get my taskbar back in the meantime, that would be pretty sweet. like, totally sweet.

ComboFix 07-11-08.3 - scott 2007-11-16 3:24:47.2 - NTFSx86
Running from: C:\Documents and Settings\scott\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\scott\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\gtmxrine.dll
C:\WINDOWS\system32\kohifqdl.exe
C:\WINDOWS\system32\nowcgfih.dll
C:\WINDOWS\system32\pntyjicf.dll
C:\WINDOWS\system32\samjlpcv.exe
C:\WINDOWS\system32\skwhaofo.exe
C:\WINDOWS\system32\twepokio.dll
C:\WINDOWS\system32\yhyqsbje.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\dstqvuty
C:\Program Files\dstqvuty\jadmnkrq.dll
C:\Program Files\E404 Helper
C:\Program Files\E404 Helper\e404.v3.dll
C:\Program Files\E404 Helper\e404.v4.dll
C:\Program Files\Gkclneuw
C:\Program Files\Gkclneuw\fxucqnrd.dll
C:\Program Files\Gxhczchj
C:\Program Files\Gxhczchj\dpaqrvgy.dll
C:\Program Files\Rqdetcoa
C:\Program Files\Rqdetcoa\fkywyibl.dll
C:\Program Files\wpqpmnaj
C:\Program Files\wpqpmnaj\cnazyjwd.dll
C:\WINDOWS\system32\gtmxrine.dll
C:\WINDOWS\system32\kohifqdl.exe
C:\WINDOWS\system32\nowcgfih.dll
C:\WINDOWS\system32\pntyjicf.dll
C:\WINDOWS\system32\skwhaofo.exe
C:\WINDOWS\system32\twepokio.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-16 00:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 11:28 <DIR> d-------- C:\VundoFix Backups
2007-11-15 01:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 00:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-14 12:19 <DIR> d-------- C:\Documents and Settings\scott\Application Data\ultra
2007-11-14 12:19 161,344 --a------ C:\Documents and Settings\scott\Application Data\trant.exe
2007-11-13 01:37 <DIR> d-------- C:\Documents and Settings\scott\Application Data\Grisoft
2007-11-13 01:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-13 01:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-13 01:06 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-13 01:06 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-13 01:06 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-13 01:06 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-13 01:06 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-12 12:41 3,080 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-04 13:45 <DIR> d-------- C:\Program Files\iTunes
2007-11-04 13:42 <DIR> d-------- C:\Program Files\QuickTime
2007-11-04 13:40 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-04 13:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-18 04:02 <DIR> d-------- C:\WINDOWS\nview
2007-10-18 03:51 <DIR> d-------- C:\Documents and Settings\scott\Application Data\SystemRequirementsLab
2007-10-18 03:12 <DIR> d-------- C:\Program Files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 19:45 --------- d-----w C:\Program Files\iPod
2007-11-04 19:38 --------- d-----w C:\Program Files\Apple Software Update
2007-10-27 07:11 --------- d-----w C:\Program Files\AIM6
2007-10-27 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-27 07:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-30 22:14 389 ----a-w C:\Documents and Settings\scott\rockconfig.dat
2007-09-30 22:00 3,681 ----a-w C:\Documents and Settings\scott\rocklist.dat
2007-09-24 20:58 --------- d-----w C:\Program Files\Xvid
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-01-20 18:40 370,312 ----a-w C:\Documents and Settings\scott\jre-6-windows-i586-iftw.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-16_ 0.45.17.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\11-16-2007\ERDNT.EXE
+ 2007-11-16 09:20:19 6,737,920 ----a-w C:\WINDOWS\erdnt\11-16-2007\Users\00000001\ntuser.dat
+ 2007-11-16 09:20:20 155,648 ----a-w C:\WINDOWS\erdnt\11-16-2007\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 02:00]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 01:00]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-09-14 11:10]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 14:52]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-08-16 13:08]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-22 11:12]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 09:20]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-11-14 20:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-06 21:16 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);C:\WINDOWS\system32\drivers\e10kx2k.sys
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\System32\drivers\CDANT.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 23:14:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 03:35:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?????D?????Ow?%B???????????????????B???A~??A~??????????????????@???@?? C???????@?????????@?B???A???????A?P?????B???@?????P?????????????????A~??????????@???????????????????B?????\?????????????????????????????B
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???$??????s?????\?w? ?w???????w???w4???l???.??w4???????4???TA?s4????????&2???A~??A~????????\???\???????????U?A~??A~\???\???????`n`??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 3:40:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-16 00:55
.
--- E O F ---

Edited by karl_hungus, 16 November 2007 - 03:54 AM.

annnnnnnnnd heres the new hijackthis scan log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:57, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-21-299502267-1757981266-839522115-1005\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-299502267-1757981266-839522115-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-299502267-1757981266-839522115-1005\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User '?')
O4 - HKUS\S-1-5-21-299502267-1757981266-839522115-1005\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent (User '?')
O4 - S-1-5-21-299502267-1757981266-839522115-1005 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User '?')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.liv...es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122278741803
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Unknown owner - C:\Program Files\NavNT\defwatch.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8593 bytes

Not sure why your task bar is acting like that. Remind me near the end if it is still acting weird.

Can you please run HijackThis again and post the log here.

not meaning to be a pest, but the hijackthis log is up there now above your post in case you didnt catch it...we posted at the same time.

Edited by karl_hungus, 16 November 2007 - 04:07 AM.

Haha yeah you are right, we must have posted at practically the same time

Well your logs are looking clean. Lets just do two more scans to be sure, then we can tackle your task manager problem.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

* Click here to download AVG Anti Rootkit and save it to your desktop.

• Double-click on the AVG_AntiRootkit_1.0.0.42.exe file to run it.
• Click "I Agree" to agree to the EULA.
• By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
• Click "Next" to begin the installation then click "Install".
• It will then ask you to reboot now to finish the installation.
• Click "Finish" and your computer will reboot.
• After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
• Click on the "Perform in-depth search" button to begin the scan.
• The scan will take a while so be patient and let it complete.
• When the scan is finished, click the "Save result to file" button.
• Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.

umm...i cant get kapersky to do anything. i click on accept on the EULA, and nothin. do you want me to go ahead with AVG, or do something else?

EDIT: usually i at least get a notification from firefox with activeX stuff.

Edited by karl_hungus, 16 November 2007 - 04:28 AM.