[mendillo]

Here's the sequence of events:

I had installed Sunbelt Firewall because I was told to by one of your administrators as he/she was fixing my previous problem. It was only a trial so time with it was limited.

Today it tells me the trial is over so I go online to find a crack or keygen something to get a registration code cuz i couldn't afford it (mistake #1). I then downloaded what i thought was a crack (mistake #2) and i think it unleashed a maelstrom of viruses and bad things on my computer. I started getting [bleep] pop-ups, [bleep] programs, and Internet Explorer ads and emergency popups for virus protection. I knew this was a problem because I never used IE, i use Firefox.

I ended the harmful looking processes in the Task Manager and went on with my life. Next, I went to scan something into my computer with a new scanner i just installed yesterday. the Lexmark x4550. The scan wouldn't work. I went onto the Lexmark Support website and spoke to someone who told me to repair the Microsoft NET Framework 2.0 via Add/Remove programs. The end of the repair required me to restart so i did and when the computer came back on.... I have myself a brand new desktop of a BIOHAZARD symbol covered in blood saying "You need to protect your computer!" or something along those lines. Someone hacked my computer and changed my desktop.

I'm seriously EFFED. I couldn't even get to Hijack This in regular mode so i manually rebooted and created a HijackThis Log. Here it is. PLEASE help me as soon as you can. I'm really worried and I cant afford to lose this computer or get a new one.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:26 PM, on 9/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\Programs\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL

= http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = *.local
O3 - Toolbar: Lexmark Toolbar -

{1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark

Toolbar\toolband.dll
O3 - Toolbar: peltodgx - {6BB63D88-1867-4FA4-ACDC-0510AE4956E4} -

C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program

Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI]

C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network

Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support

Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support

Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500

Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500

Series\lxdiamon.exe"
O4 - HKLM\..\Run: [\YUR76.exe] C:\Windows\system32\YUR76.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdezq.exe]

C:\WINDOWS\system32\kdezq.exe
O4 - HKLM\..\Run: [\YUR77.exe] C:\Windows\system32\YUR77.exe
O4 - HKLM\..\Run: [\YUR78.exe] C:\Windows\system32\YUR78.exe
O4 - HKLM\..\Run: [\YUR7A.exe] C:\Windows\system32\YUR7A.exe
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKLM\..\Run: [e032b96b] rundll32.exe

"C:\WINDOWS\system32\frkosybh.dll",b
O4 - HKLM\..\Run: [larepemijo] Rundll32.exe

"C:\WINDOWS\system32\petolahu.dll",s
O4 - HKLM\..\Run: [\YURA.exe] C:\Windows\system32\YURA.exe
O4 - HKLM\..\Run: [\YURB.exe] C:\Windows\system32\YURB.exe
O4 - HKLM\..\Run: [\YURC.exe] C:\Windows\system32\YURC.exe
O4 - HKLM\..\Run: [\YURD.exe] C:\Windows\system32\YURD.exe
O4 - HKLM\..\Run: [\YUR12.exe] C:\Windows\system32\YUR12.exe
O4 - HKLM\..\Run: [\YUR13.exe] C:\Windows\system32\YUR13.exe
O4 - HKLM\..\Run: [\YUR14.exe] C:\Windows\system32\YUR14.exe
O4 - HKLM\..\Run: [\YUR15.exe] C:\Windows\system32\YUR15.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0

-k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support

Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [\YUR76.exe] C:\Windows\system32\YUR76.exe
O4 - HKCU\..\Run: [\YUR77.exe] C:\Windows\system32\YUR77.exe
O4 - HKCU\..\Run: [\YUR78.exe] C:\Windows\system32\YUR78.exe
O4 - HKCU\..\Run: [\YUR7A.exe] C:\Windows\system32\YUR7A.exe
O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKCU\..\Run: [\YURA.exe] C:\Windows\system32\YURA.exe
O4 - HKCU\..\Run: [\YURB.exe] C:\Windows\system32\YURB.exe
O4 - HKCU\..\Run: [\YURC.exe] C:\Windows\system32\YURC.exe
O4 - HKCU\..\Run: [\YURD.exe] C:\Windows\system32\YURD.exe
O4 - HKCU\..\Run: [\YUR12.exe] C:\Windows\system32\YUR12.exe
O4 - HKCU\..\Run: [\YUR13.exe] C:\Windows\system32\YUR13.exe
O4 - HKUS\S-1-5-19\..\Run: [larepemijo] Rundll32.exe

"C:\WINDOWS\system32\petolahu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [larepemijo] Rundll32.exe

"C:\WINDOWS\system32\petolahu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: MEMonitor.lnk = E:\Programs\V CAST Music

Manager\MEMonitor.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program

Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O8 - Extra context menu item: Save with Download Manager... -

file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -

C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) -

{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration

- {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter

Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID

Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo

Uploader Control) -

http://upload.facebo...otoUploader.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control)

-

http://pictures05.ai...en-US-AIM.9.5.1.

8.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA

2AA}: NameServer = 85.255.116.108,85.255.112.137
O20 - AppInit_DLLs: leyxxn.dll,C:\WINDOWS\system32\telelepu.dll
O21 - SSODL: onfwbsak - {23CDF480-97DF-4617-B706-B32CBCB5DB4D} -

C:\WINDOWS\onfwbsak.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program

Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##

(Bonjour Service) - Apple Computer, Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program

Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program

Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. -

C:\Program Files\Common Files\Macrovision Shared\FLEXnet

Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International,

Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee,

Inc. - C:\Program Files\Network Associates\Common

Framework\FrameworkService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program

Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) -

Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program

Files\SbPFLnch.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner -

C:\Program Files\SafeConnect\scManager.sys servicestart (file

missing)
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt

Software, Inc. - C:\Program Files\SbPFSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter)

(sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program

Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless

[Advertisements]

Hello

Open notepad, click Format, uncheck wordwrap


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum.

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

[Rorschach112]

Hello

Open notepad, click Format, uncheck wordwrap


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum.

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

[mendillo]

Problem.

First of all... when i restart and run the SDFix.exe, do i need to run it in normal mode? cuz that would be impossible as normal mode is out of the question right now.


Secondly, I tried running SDFix.exe in safe mode. I typed Y and enter to make the program run and i left the room. I came back an hour later and it did/was doing nothing. and my menu bar at the bottom of my monitor screen (with the start button) was gone. The comp froze essentially and i manually restarted to get here.

now what should i do?

[mendillo]

QUICK UPDATE:

I attempted to go back into the computer in Normal mode and as the desktop was coming on, the Blue SDFix.exe window was showing saying "SDFix is finishing... this may take several minutes" so i waited.

and waited.

another good hour went by and I hit CTRL+ALT+Del to see what was up. SDFix was a running application, but i clicked on it and it turned to "Not Responding".

Also, in the processes, I found (quantities first):

3 - explorer.exe (even though explorer was CLEARLY not running. I didn't have desktop icons or a Start menu bar

7 - svchost.exe (i dont even know what this is, but i got 7 of them running)

2 - wmiprvse (2 of something i dont know what is)

ALL except System Idle had NO USER NAME. Usually it would have SYSTEM or MY NAME, but none had a user name.

and this file - SbPFSvc.exe - was taking up about 30,000 kb. two other programs took up this much - one of the svchost.exe's and a wmimprvse

OH BY THE WAY - i wouldn't really have gone back to Normal Mode had SDFix.exe worked to begin with. and if after a little while, (without sdfix.exe running), SAFE MODE ended up crapping out on me.

this has got to be the worst situation i have faced with this computer in the last 3 years of owning it. please help as soon as and as frequently as you can.

-nick

[Rorschach112]

Try this in whatever mode works. You can leave the Recovery Console step out

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

[mendillo]

This is terrible but even Safe Mode isnt working properly. I double clicked combofix.exe and the i lose an internet connection, my whole computer jams up. My "busy" or "working" LED on my laptop is ON, not even flickering. I have programs in the task manager, processes, appearing and reappearing ending in (xxx).cfexe (xxx prgram name_ which i am assuming is combofix, but combofix never appears. and a bunch of other little things that indicate a poorly running computer.

[Rorschach112]

Can you do this from any mode ?

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

If not post me a new HJT log, make sure wordwrap is off

[mendillo]

I don't think this worked either. I get a message while the bars were about half way (after 30 minutes) saying this...


"Line -1

Error: Error Parsing Function Call"

why can't i just do a successful running of a program? im in safe mode for christsake... SAFE... shouldnt things friggin work? seriously...

[Rorschach112]

Can you post me a new HJT log ?

[mendillo]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:56 PM, on 9/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Programs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: peltodgx - {6BB63D88-1867-4FA4-ACDC-0510AE4956E4} - C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdezq.exe] C:\WINDOWS\system32\kdezq.exe
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKLM\..\Run: [e032b96b] rundll32.exe "C:\WINDOWS\system32\oxjvwxot.dll",b
O4 - HKLM\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s
O4 - HKLM\..\Run: [\YUR14.exe] C:\Windows\system32\YUR14.exe
O4 - HKLM\..\Run: [\YUR15.exe] C:\Windows\system32\YUR15.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKUS\S-1-5-19\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: MEMonitor.lnk = E:\Programs\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures05.ai...AIM.9.5.1.8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA2AA}: NameServer = 85.255.116.108,85.255.112.137
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\telelepu.dll mxcyzn.dll
O21 - SSODL: onfwbsak - {23CDF480-97DF-4617-B706-B32CBCB5DB4D} - C:\WINDOWS\onfwbsak.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\SbPFLnch.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - C:\Program Files\SafeConnect\scManager.sys servicestart (file missing)
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\SbPFSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 8043 bytes

[Rorschach112]

Hello, if the first step fails go onto the next one

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O3 - Toolbar: peltodgx - {6BB63D88-1867-4FA4-ACDC-0510AE4956E4} - C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdezq.exe] C:\WINDOWS\system32\kdezq.exe
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKLM\..\Run: [e032b96b] rundll32.exe "C:\WINDOWS\system32\oxjvwxot.dll",b
O4 - HKLM\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s
O4 - HKLM\..\Run: [\YUR14.exe] C:\Windows\system32\YUR14.exe
O4 - HKLM\..\Run: [\YUR15.exe] C:\Windows\system32\YUR15.exe
O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKUS\S-1-5-19\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s (User 'NETWORK SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA2AA}: NameServer = 85.255.116.108,85.255.112.137
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\telelepu.dll mxcyzn.dll
O21 - SSODL: onfwbsak - {23CDF480-97DF-4617-B706-B32CBCB5DB4D} - C:\WINDOWS\onfwbsak.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes
  explorer.exe
  
  :Services
  
  :Reg
  
  :Files
  C:\WINDOWS\peltodgx.dll
  C:\WINDOWS\system32\kdezq.exe
  C:\Program Files\MicroAV
  C:\WINDOWS\system32\oxjvwxot.dll
  C:\WINDOWS\system32\petolahu.dll
  C:\Windows\system32\YUR14.exe
  C:\Windows\system32\YUR15.exe
  C:\WINDOWS\system32\petolahu.dll
  C:\WINDOWS\system32\telelepu.dll
  C:\WINDOWS\system32\mxcyzn.dll
  C:\WINDOWS\privacy_danger
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Then see if you can run Rsit in normal mode, if not, try safe mode with it

[mendillo]

Everything I did, was in Safe mode except retrieving the smitfraud rapport.txt. While I was in normal mode, I felt like I was in this foreign [bleep] world. Everything was slow and explorer.exe kept shutting down. if I would right click something, it would take 5 minutes for the menu to show up. regardless. here are the logs you want this go 'round


Smit Fraud:

SmitFraudFix v2.354

Scan done at 21:21:03.79, Thu 09/25/2008
Run from C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\dfmlxbpkwxo.dll deleted.
C:\WINDOWS\peltodgx.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\fbxrqtwn.exe Deleted
C:\WINDOWS\onfwbsak.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{23CDF480-97DF-4617-B706-B32CBCB5DB4D}]
Deleting [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{23CDF480-97DF-4617-B706-B32CBCB5DB4D}]
C:\WINDOWS\privacy_danger\ Deleted
C:\WINDOWS\system32\1.ico Deleted
C:\WINDOWS\system32\2.ico Deleted
C:\WINDOWS\system32\MicroAV.cpl Deleted
C:\WINDOWS\system32\YUR?.exe Deleted
C:\Program Files\MicroAV\ Deleted
C:\Program Files\PCHealthCenter\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix



»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Dell Wireless 1370 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 85.255.116.108
DNS Server Search Order: 85.255.112.137

HKLM\SYSTEM\CCS\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA2AA}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA2AA}: NameServer=85.255.116.108,85.255.112.137
HKLM\SYSTEM\CS1\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA2AA}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA2AA}: NameServer=85.255.116.108,85.255.112.137
HKLM\SYSTEM\CS2\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA2AA}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA2AA}: NameServer=85.255.116.108,85.255.112.137
HKLM\SYSTEM\CS3\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA2AA}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{51310A3F-B7D4-4142-B8D8-5EF0376EA2AA}: NameServer=85.255.116.108,85.255.112.137
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdezq.exe"

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\kdezq.exe Deleted

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» End


MoveIt:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\WINDOWS\peltodgx.dll not found.
File/Folder C:\WINDOWS\system32\kdezq.exe not found.
File/Folder C:\Program Files\MicroAV not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\oxjvwxot.dll
C:\WINDOWS\system32\oxjvwxot.dll NOT unregistered.
C:\WINDOWS\system32\oxjvwxot.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\petolahu.dll
C:\WINDOWS\system32\petolahu.dll NOT unregistered.
C:\WINDOWS\system32\petolahu.dll moved successfully.
C:\Windows\system32\YUR14.exe moved successfully.
C:\Windows\system32\YUR15.exe moved successfully.
File/Folder C:\WINDOWS\system32\petolahu.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\telelepu.dll
C:\WINDOWS\system32\telelepu.dll NOT unregistered.
C:\WINDOWS\system32\telelepu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mxcyzn.dll
C:\WINDOWS\system32\mxcyzn.dll NOT unregistered.
C:\WINDOWS\system32\mxcyzn.dll moved successfully.
File/Folder C:\WINDOWS\privacy_danger not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\NICHOL~1\LOCALS~1\Temp\etilqs_AWbKPlkeReTLyQpMMs3G scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\NICHOL~1\LOCALS~1\Temp\~DF7CA7.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Mozilla\Firefox\Profiles\a0f7pi4s.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Mozilla\Firefox\Profiles\a0f7pi4s.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Mozilla\Firefox\Profiles\a0f7pi4s.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Mozilla\Firefox\Profiles\a0f7pi4s.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Mozilla\Firefox\Profiles\a0f7pi4s.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Mozilla\Firefox\Profiles\a0f7pi4s.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.2.2 log created on 09262008_010750


RSit (info.txt)

info.txt logfile of random's system information tool 1.02 2008-09-26 01:22:33

======Uninstall list======

-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->MsiExec.exe /I{0CDCA5CD-C404-41FD-9216-9B4B3D24A7AA}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat - Reader 6.0.2 Update-->MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe InDesign CS3 Icon Handler-->MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe InDesign CS3-->C:\Program Files\Common Files\Adobe\Installers\05ba3a63f36684fe0c5dde2ebe6f8f5\Setup.exe
Adobe InDesign CS3-->MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Setup-->MsiExec.exe /I{56B8B892-317E-4FDE-9E4D-44B189848A27}
Adobe Setup-->MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe SING CS3-->MsiExec.exe /I{3F9B2FD2-1C83-4401-9967-C3636638E958}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AIM "You've Got Pictures" Picture Finder Plugin v9.5.1.8-->C:\Program Files\Common Files\YGP\Plugins\AIM\9_5_1_8a\YGPInstallerAim.exe /u -d"AIM" -p"AIM" -len-US-AIM
AOL Instant Messenger-->C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOLIcon-->MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Apple Mobile Device Support-->MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
BitPim 1.0.5-->"E:\Programs\BitPim\unins000.exe"
Broadcom Management Programs-->MsiExec.exe /I{26E1BFB0-E87E-4696-9F89-B467F01F81E5}
Camtasia Studio 4-->MsiExec.exe /I{1C6D9FD0-8BE2-4226-8D9F-4929CBC1C396}
Conexant HDA D110 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028k.inf
dBpoweramp FLAC Codec-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
dBpoweramp Music Converter-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience-->MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Support Center-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell Wireless WLAN Card-->C:\WINDOWS\system32\BCMWLU00.exe verbose
DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Direct MIDI to MP3 Converter version 5.0.1.19-->"E:\Programs\midi2mp3\Direct MIDI to MP3 Converter\unins000.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Subtitle Displayer 5.00-->"C:\Program Files\DivX Subtitle Displayer\unins000.exe"
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EncFlac 1.1.2-->"E:\Programs\Winamp\EncFlac-Uninstall.exe"
Final Draft 7-->MsiExec.exe /I{78D62D17-D970-42DA-B8CF-5E5576293B33}
Free MOV 2 AVI -->C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\Free MOV 2 AVI\uninst.exe
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Guitar Pro 5.2-->"E:\Programs\Guitar Pro 5.2 (with complete RSE packs)\Guitar Pro 5\unins000.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"E:\Programs\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
ImgBurn-->"E:\Programs\ImgBurn\uninstall.exe"
InFlac 1.1.1-->"E:\Programs\Winamp\InFlac-Uninstall.exe"
Intel® Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Internal Network Card Power Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
Internet Explorer Default Page-->MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iPod for Windows 2006-01-10-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
IsoBuster 2.0-->"C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
iTunes-->MsiExec.exe /I{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Jasc Paint Shop Photo Album 5-->MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
Jasc Paint Shop Pro Studio, Dell Editon-->MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lexmark 3500-4500 Series-->C:\Program Files\Lexmark 3500-4500 Series\Install\x86\Uninst.exe
Lexmark Toolbar-->regsvr32.exe /s /u "C:\Program Files\Lexmark Toolbar\toolband.dll"
LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
LiveUpdate 1.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Publisher 2000-->MsiExec.exe /I{00140409-78E1-11D2-B60F-006097C998E7}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MIDI TO MP3 1.0 DEMO-->C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\MIDI TO MP3 1.0 DEMO\uninst.exe
MixPad-->C:\Program Files\NCH Swift Sound\MixPad\uninst.exe
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Move Networks Player for Internet Explorer-->"C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Move Networks\ie_bin\unins000.exe"
Mozilla Firefox (3.0.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
NCH Toolbox-->C:\Program Files\NCH Swift Sound\ToolBox\uninst.exe
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Norton AntiVirus Corporate Edition-->MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
Oregon Trail II-->C:\WINDOWS\uninst.exe -fe:\programs\games\DeIsL1.isu
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Pdf995-->C:\Program Files\pdf995\setup.exe uninstall
Photo Click-->MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
Power Tab Editor 1.7-->MsiExec.exe /I{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}
PowerDVD 5.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickSet-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
QuickTime-->MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
SafeConnect-->"C:\Program Files\SafeConnect\UnInstall.exe"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893066)-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931768)-->"C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615)-->"C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944533)-->"C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB947864)-->"C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy 1.5.2.20-->"C:\WINDOWS\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Sunbelt Personal Firewall-->MsiExec.exe /X{F61A549E-9C8A-4859-8BFE-2A4A018BBA4A}
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TabIt version 2.03-->"C:\Program Files\TabIt\unins000.exe"
The Rosetta Stone-->C:\WINDOWS\unvise32.exe e:\programs\rosetta stone italian\TRS Support\uninstal.log
Uniblue Registry Booster-->"C:\Program Files\Uniblue\Registry Booster\unins000.exe"
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update for Windows XP (KB946627)-->"C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
V CAST Music Manager -->E:\Programs\VCASTM~1\Setup.exe /remove /q0
VideoLAN VLC media player 0.8.6b-->E:\Programs\VLC\uninstall.exe
Vodei Multimedia Processor 2.00-->C:\Program Files\Vodei\uninst.exe
WavePad Uninstall-->C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
WD Diagnostics-->MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
WebCyberCoach 3.2 Dell-->"C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Winamp-->"E:\Programs\Winamp\UninstWA.exe"
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XviD 1.1 final uninstall-->"C:\Program Files\XviD\unins000.exe"

======Security center information======

FW: Sunbelt Personal Firewall

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"SAFEBOOT_OPTION"=NETWORK

-----------------EOF-----------------

I have what i believe if a HJT log but you didnt ask for it so i wont bother putting it in this reply. When you asked me to run HJT, out of the files you wanted me to check off, 4-5 or so were not in the scan report. Im sure this is a good thing. But there were also .dll and .exe's that were similar to the ones you wanted me to delete, but you didn't want me to delete these ones. Example - YUR14.exe and YUR15.exe you wanted me to delete, but there were other YUR##.exe's you DIDN'T want me to fix. Just sayin.

lemme know what's next.
thanks
-nick

[Rorschach112]

See if you can get this working, leave the recovery console step, do it in safe mode

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

[mendillo]

Hi.

So I ran combofix.exe and it needed to reboot so i figured i'd let it reboot into Normal Mode. Once entering Normal Mode, there were 4-5 red/white circle X's in my lower right tray along with yellow exclamation points telling me of impending attacks and detections and yadda yadda. about 15-20 minutes later, the combofix log popped out. Also, SDFix.exe was finishing up it's reboot-log so i decided to not mess with it and let that finish. So i have that log for you too. And HiJackThis i also ran in Normal Mode.

I can still recognize some uglies but i'll let you be the judge of that.

COMBOFIX

ComboFix 08-09-25.06 - NICHOLAS MENDILLO 2008-09-26 11:05:42.3 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.300 [GMT -4:00]
Running from: C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\eqxk.exe
C:\WINDOWS\rwlfsdmk.dll
C:\WINDOWS\system32\fugudipi.dll
C:\WINDOWS\system32\hbysokrf.ini
C:\WINDOWS\system32\nnnNhGAq.dll
C:\WINDOWS\system32\QYxHPXyb.ini
C:\WINDOWS\system32\toxwvjxo.ini
C:\WINDOWS\Tasks\moyhxksx.job
C:\x

.
((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
.

2008-09-26 11:21 . 2008-09-24 02:13 25,088 --a--c--- C:\x
2008-09-26 11:21 . 2008-09-24 02:13 25,088 --a------ C:\WINDOWS\system32\YURD.exe
2008-09-26 01:07 . 2008-09-26 01:07 <DIR> d----c--- C:\_OTMoveIt
2008-09-26 00:28 . 2008-09-24 02:13 25,088 --a------ C:\WINDOWS\system32\YUR11.exe
2008-09-25 21:16 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-25 21:16 . 2008-09-19 12:26 82,944 --a------ C:\WINDOWS\system32\o4Patch.exe
2008-09-25 21:16 . 2008-09-19 12:26 82,944 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-09-25 21:16 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-09-25 16:32 . 2008-09-26 01:22 <DIR> d----c--- C:\rsit
2008-09-25 13:33 . 2008-09-25 13:33 136,320 --a------ C:\WINDOWS\system32\xgyinccj.dll
2008-09-24 19:38 . 2008-09-24 19:38 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-24 19:23 . 2008-09-25 02:35 <DIR> d----c--- C:\SDFix
2008-09-24 17:42 . 2008-09-24 02:13 24,064 --a------ C:\WINDOWS\system32\YUR13.exe
2008-09-24 17:41 . 2008-09-24 02:13 25,088 --a------ C:\WINDOWS\system32\YUR12.exe
2008-09-24 15:52 . 2008-09-24 15:52 <DIR> d-------- C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Lexmark Productivity Studio
2008-09-24 13:28 . 2008-09-24 13:28 137,344 --a------ C:\WINDOWS\system32\lwughfvg.dll
2008-09-24 13:28 . 2008-09-24 13:28 137,344 --a------ C:\WINDOWS\system32\leyxxn.dll
2008-09-24 13:28 . 2008-09-24 13:28 103,552 --a------ C:\WINDOWS\system32\frkosybh.dll
2008-09-24 13:24 . 2008-09-26 11:06 840,182 --ahs---- C:\WINDOWS\system32\QYxHPXyb.ini2
2008-09-24 13:24 . 2008-09-24 13:24 326,656 --a------ C:\WINDOWS\system32\byXPHxYQ.dll
2008-09-24 13:18 . 2008-09-24 13:18 53,248 --ahs---- C:\WINDOWS\system32\nnnmlMeE.dll
2008-09-24 13:14 . 2008-09-24 02:13 25,088 --a------ C:\WINDOWS\system32\YUR77.exe
2008-09-24 13:14 . 2008-09-24 02:13 25,088 --a------ C:\WINDOWS\system32\YUR76.exe
2008-09-24 13:14 . 2008-09-24 02:13 24,064 --a------ C:\WINDOWS\system32\YUR7A.exe
2008-09-24 13:14 . 2008-09-24 02:13 24,064 --a------ C:\WINDOWS\system32\YUR78.exe
2008-09-24 13:11 . 2008-09-24 13:11 <DIR> dr-hsc--- C:\resycled
2008-09-23 23:59 . 2008-09-23 23:59 <DIR> d-------- C:\Program Files\Lexmark Toolbar
2008-09-23 23:57 . 2008-09-24 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Lx_cats
2008-09-23 23:48 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-09-23 23:48 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-09-23 23:46 . 2008-09-23 23:46 <DIR> d----c--- C:\logs
2008-09-23 23:45 . 2006-08-01 01:53 40,960 --a------ C:\WINDOWS\system32\lxdivs.dll
2008-09-23 23:44 . 2007-03-30 10:13 344,064 --a------ C:\WINDOWS\system32\lxdicoin.dll
2008-09-23 23:43 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-09-23 23:43 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-09-23 23:42 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-09-23 23:42 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-09-23 23:41 . 2007-03-23 15:44 692,224 --a------ C:\WINDOWS\system32\lxdidrs.dll
2008-09-23 23:41 . 2007-02-09 14:07 69,632 --a------ C:\WINDOWS\system32\lxdicnv4.dll
2008-09-23 23:41 . 2007-01-23 19:40 65,536 --a------ C:\WINDOWS\system32\lxdicaps.dll
2008-09-23 23:20 . 2008-09-23 23:42 <DIR> d-------- C:\Program Files\Lexmark 3500-4500 Series
2008-09-22 23:13 . 2008-09-23 01:34 <DIR> d-------- C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\ImgBurn
2008-09-22 02:35 . 2008-09-22 02:35 <DIR> d-------- C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\dvdcss
2008-09-17 00:46 . 2008-09-24 12:50 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-15 13:59 . 2008-09-24 16:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-15 13:59 . 2008-09-15 13:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-06 15:54 . 2008-09-06 15:55 117,527 --a--c--- C:\Route 2 on Independence Day.mp3
2008-09-06 15:52 . 2008-09-06 15:52 894,504 --a------ C:\Program Files\WGAPluginInstall.exe
2008-08-30 00:15 . 2008-08-30 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-30 00:13 . 2008-08-30 00:14 <DIR> d-------- C:\Program Files\Dell Support Center
2008-08-30 00:13 . 2008-08-30 00:13 <DIR> d-------- C:\Program Files\Common Files\supportsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-26 15:20 --------- d-----w C:\Program Files\Logs
2008-09-26 15:20 --------- d-----w C:\Program Files\Config
2008-09-26 01:38 4,150 ----a-w C:\WINDOWS\system32\tmp.reg
2008-09-24 05:11 --------- d-----w C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\uTorrent
2008-09-24 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-23 02:41 --------- d-----w C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Vso
2008-09-10 03:21 267,056 ----a-w C:\Program Files\uTorrent.exe
2008-09-03 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-09-01 06:24 --------- d-----w C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Registry Booster
2008-08-31 20:07 --------- d-----w C:\Program Files\TabIt
2008-08-30 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-08-25 04:31 --------- d-----w C:\Program Files\Reports
2008-08-25 04:26 --------- d-----w C:\Program Files\wxp
2008-08-25 04:26 --------- d-----w C:\Program Files\w2k
2008-08-25 04:26 --------- d-----w C:\Program Files\Trans
2008-08-25 04:26 --------- d-----w C:\Program Files\License
2008-08-25 04:26 --------- d-----w C:\Program Files\DbgHelp
2008-08-25 04:24 5,991,904 ----a-w C:\Program Files\Sunbelt-Personal-Firewall.exe
2008-08-24 22:18 86,733,638 -c--a-w C:\registrybackup.reg
2008-08-24 17:34 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-24 17:34 --------- d-----w C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Malwarebytes
2008-08-24 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-24 17:33 2,085,280 ----a-w C:\Program Files\mbam-setup.exe
2008-08-22 16:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:31 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-17 19:01 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 19:01 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-07 05:53 --------- d-----w C:\Program Files\Google
2008-07-31 00:59 32,768 ----a-w C:\Program Files\bcd_installed.exe
2008-07-30 14:36 95,528 ----a-w C:\Program Files\SbPFLnch.exe
2008-07-30 14:36 95,528 ----a-w C:\Program Files\SbFw.dll
2008-07-30 14:36 91,432 ----a-w C:\Program Files\SbFwIm.dll
2008-07-30 14:36 79,144 ----a-w C:\Program Files\SbPFWsc.dll
2008-07-30 14:36 62,760 ----a-w C:\Program Files\SDK_Inst.exe
2008-07-30 14:36 275,752 ----a-w C:\Program Files\SbFwe.dll
2008-07-30 14:36 111,912 ----a-w C:\Program Files\SbErrRpt.exe
2008-07-30 14:36 1,705,256 ----a-w C:\Program Files\SbPFCl.exe
2008-07-30 14:36 1,361,192 ----a-w C:\Program Files\SbPFSvc.exe
2008-07-30 13:58 3,293 ----a-w C:\Program Files\Readme.txt
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-12 23:24 1,495,112 ----a-w C:\Program Files\install_flash_player.exe
2008-03-21 15:40 122,879 -c--a-w C:\Program Files\4482-utorrent.8020.dmp
2008-03-19 08:37 144,665 -c--a-w C:\Program Files\4482-utorrent.d009.dmp
2008-03-14 21:38 1,454,656 ----a-w C:\Program Files\Silverlight.exe
2008-02-17 03:12 132,608 ----a-w C:\Program Files\VundoFix.exe
2008-02-15 22:29 50,688 ----a-w C:\Program Files\ATF-Cleaner.exe
2008-02-04 19:04 555,572 ----a-w C:\Program Files\spf4-en.chm
2008-01-29 21:47 125,164 -c--a-w C:\Program Files\4482-utorrent.5094.dmp
2008-01-26 18:36 158,275 -c--a-w C:\Program Files\4482-utorrent.b16a.dmp
2007-12-09 08:36 2,400,784 ----a-w C:\Program Files\WLinstaller.exe
2007-10-02 12:34 148,511 -c--a-w C:\Program Files\4482-utorrent.54f2.dmp
2007-08-10 03:11 1,436,096 ----a-w C:\Program Files\Silverlight.1.0.RC.exe
2007-08-09 11:32 270,336 ----a-w C:\Program Files\cfgconv.exe
2007-06-28 15:41 47,360 -c--a-w C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\pcouffin.sys
2007-05-18 00:40 1,066 -c--a-w C:\Program Files\SuperDAT.log
2007-05-18 00:36 736,180 ----a-w C:\Program Files\CSA.exe
2007-04-09 21:47 5,632 -csha-w C:\Program Files\Thumbs.db
2007-01-22 15:22 859,648 ----a-w C:\Program Files\PocoFoundation.dll
2007-01-22 15:22 470,016 ----a-w C:\Program Files\PocoXML.dll
2007-01-22 15:22 467,456 ----a-w C:\Program Files\PocoNet.dll
2007-01-22 15:22 211,456 ----a-w C:\Program Files\PocoUtil.dll
2007-01-22 15:22 18,432 ----a-w C:\Program Files\PocoExt.dll
2007-01-08 18:15 29,424 ----a-w C:\Program Files\1942.zip
2006-12-24 01:40 680,575 ----a-w C:\Program Files\TabIt-2.03-full.exe
2006-09-25 16:11 263,680 ----a-w C:\Program Files\FairUse4WM.exe
2006-07-19 20:52 466,944 ----a-w C:\Program Files\boost_regex-vc71-mt-1_33_1.dll
2006-03-09 15:59 36,465,208 ----a-w C:\Program Files\iTunesSetup.exe
2006-02-28 19:46 290,816 ----a-w C:\Program Files\curllib.dll
2006-02-14 19:36 97,280 ----a-w C:\Program Files\zlibwapi.dll
2006-02-14 19:36 155,648 ----a-w C:\Program Files\ssleay32.dll
2006-02-14 19:35 888,832 ----a-w C:\Program Files\kticonv.dll
2006-02-14 19:35 827,392 ----a-w C:\Program Files\libeay32.dll
2006-01-21 21:10 11,817,800 ----a-w C:\Program Files\GoogleEarth.exe
2006-01-17 23:28 8,715,352 ----a-w C:\Program Files\Install_AIM.exe
2005-12-05 23:00 74,448 -c----w C:\Program Files\DSETUP.dll
2005-12-05 23:00 484,560 ------w C:\Program Files\DXSETUP.exe
2005-12-05 23:00 2,247,888 -c----w C:\Program Files\dsetup32.dll
2004-11-09 14:21 29,619,712 ----a-w C:\Program Files\finaldraft7.exe
2003-08-20 11:05 41 -c--a-w C:\Program Files\Setup.Ini
2003-03-19 01:20 1,060,864 ----a-w C:\Program Files\mfc71.dll
2003-03-19 01:12 1,047,552 ----a-w C:\Program Files\mfc71u.dll
2003-03-19 00:14 499,712 ----a-w C:\Program Files\msvcp71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{887F904C-85C2-4A71-9872-5D4B5C175CF1}]
2008-09-24 13:24 326656 --a------ C:\WINDOWS\system32\byXPHxYQ.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 67160]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"\YUR11.exe"="C:\Windows\system32\YUR11.exe" [2008-09-24 25088]
"\YURD.exe"="C:\Windows\system32\YURD.exe" [2008-09-24 25088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [X]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 73728]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 77824]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2008-01-24 136512]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"\YUR11.exe"="C:\Windows\system32\YUR11.exe" [2008-09-24 25088]
"\YURD.exe"="C:\Windows\system32\YURD.exe" [2008-09-24 25088]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\NICHOLAS MENDILLO\Start Menu\Programs\Startup\
MEMonitor.lnk - E:\Programs\V CAST Music Manager\MEMonitor.exe [2008-05-23 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-06 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
SafeConnect.lnk - C:\Program Files\SafeConnect\scClient.exe [2007-04-09 206368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\telelepu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-10-19 21:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"mW[íµ�ˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>�­Ý\†Ð=ŸàÛ±Þ"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\uTorrent.exe"=
"E:\\Programs\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\program files\\bcd_installed.exe"=
"C:\\WINDOWS\\system32\\lxdicoms.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"C:\\WINDOWS\\system32\\lxdicfg.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"C:\\WINDOWS\\system32\\lxdiih.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SbFw;SbFw;C:\WINDOWS\system32\drivers\SbFw.sys [2008-07-16 269736]
R1 sbhips;Sunbelt HIPS Driver;C:\WINDOWS\system32\drivers\sbhips.sys [2008-06-21 66600]
R2 lxdi_device;lxdi_device;C:\WINDOWS\system32\lxdicoms.exe [2007-06-11 517040]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-06-11 99248]
R2 SbPF.Launcher;SbPF.Launcher;C:\Program Files\SbPFLnch.exe [2008-07-30 95528]
R2 SCManager;SafeConnect Manager;C:\Program Files\SafeConnect\scManager.sys servicestart [ ]
R2 SPF4;Sunbelt Personal Firewall 4;C:\Program Files\SbPFSvc.exe [2008-07-30 1361192]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\sbfwim.sys [2008-06-21 65576]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{3BC2C1BE-7B91-4A8B-AEBE-B02E3DB8AC83} - C:\WINDOWS\dfmlxbpkwxo.dll
BHO-{9f0ad867-b3cb-4a3c-bb16-e7ed43c85b2a} - C:\WINDOWS\system32\mxcyzn.dll
BHO-{c7122979-4d01-47b3-a419-8e823e623d26} - C:\WINDOWS\system32\fugudipi.dll
BHO-{F77BBE3B-9C38-47F6-99D7-B79B453D0F50} - C:\WINDOWS\system32\nnnNhGAq.dll
HKCU-Run-\YUR10.exe - C:\Windows\system32\YUR10.exe
HKLM-Run-\YUR10.exe - C:\Windows\system32\YUR10.exe
HKLM-Run-larepemijo - C:\WINDOWS\system32\petolahu.dll
ShellExecuteHooks-{F77BBE3B-9C38-47F6-99D7-B79B453D0F50} - C:\WINDOWS\system32\nnnNhGAq.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Mozilla\Firefox\Profiles\a0f7pi4s.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1229.1533\npCIDetect11.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmusicn.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-26 11:21:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Aim\pckfcikf\bartcache\1\CA4AA2292DCC4FD317955E2724514EA5 3262 bytes
C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Aim\pckfcikf\bartcache\1\87E4A9CB07FD8A0F604BC0B6B65270DA 1556 bytes


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [984]
??\C:\WINDOWS\system32\csrss.exe [1124]
??\C:\WINDOWS\system32\winlogon.exe [1148]
C:\WINDOWS\system32\services.exe [1200]
C:\WINDOWS\system32\lsass.exe [1220]
C:\WINDOWS\system32\svchost.exe [1384]
C:\WINDOWS\system32\svchost.exe [1452]
C:\WINDOWS\System32\svchost.exe [1488]
C:\WINDOWS\system32\svchost.exe [1528]
C:\WINDOWS\system32\svchost.exe [1700]
C:\WINDOWS\system32\svchost.exe [1804]
C:\WINDOWS\system32\spoolsv.exe [324]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [448]
C:\Program Files\Bonjour\mDNSResponder.exe [472]
C:\Program Files\NavNT\defwatch.exe [488]
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [612]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe [872]
C:\WINDOWS\system32\lxdicoms.exe [1008]
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [1404]
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe [1568]
C:\Program Files\SbPFLnch.exe [1932]
C:\Program Files\SafeConnect\scManager.sys [1960]
C:\Program Files\SbPFSvc.exe [2040]
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe [600]
C:\Program Files\Dell Support Center\bin\sprtsvc.exe [844]
C:\WINDOWS\system32\svchost.exe [944]
C:\Program Files\SbPFCl.exe [2060]
C:\WINDOWS\system32\CF17519.exe [2708]
C:\WINDOWS\system32\wscntfy.exe [3936]
C:\WINDOWS\system32\wbem\wmiprvse.exe [4052]
C:\WINDOWS\System32\alg.exe [1076]
C:\Program Files\NavNT\vptray.exe [2308]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3200]
C:\WINDOWS\stsystra.exe [3228]
C:\WINDOWS\system32\igfxpers.exe [3464]
C:\WINDOWS\system32\igfxsrvc.exe [3508]
C:\WINDOWS\system32\hkcmd.exe [3592]
C:\WINDOWS\system32\WLTRAY.exe [596]
C:\WINDOWS\system32\dla\tfswctrl.exe [424]
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe [2192]
C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2484]
C:\Program Files\Network Associates\Common Framework\McTray.exe [2536]
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe [2732]
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe [2928]
C:\WINDOWS\system32\cmd.exe [2808]
C:\Windows\system32\YUR11.exe [2136]
C:\Program Files\Messenger\msmsgs.exe [2344]
C:\Program Files\Digital Line Detect\DLG.exe [2856]
C:\Program Files\SafeConnect\scClient.exe [3248]
E:\Programs\V CAST Music Manager\MEMonitor.exe [3628]
C:\SDFix\apps\Cghtme.exe [3532]
C:\WINDOWS\explorer.exe [2692]
C:\WINDOWS\system32\imapi.exe [3676]
C:\ComboFix\catchme.cfexe [1616]
.
**************************************************************************
.
Completion time: 2008-09-26 11:38:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-26 15:36:55
ComboFix2.txt 2008-08-24 07:43:13
ComboFix3.txt 2008-02-19 00:43:58

Pre-Run: 22,530,408,448 bytes free
Post-Run: 22,512,586,752 bytes free

347 --- E O F --- 2008-09-10 07:06:54


SDFIX


Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-26 11:33:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
C:\ComboFix\grep.cfexe [2300] 0xFE171710

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\Programs\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:86,04,a9,7d,62,fd,c4,7b,fb,46,08,89,1f,9a,04,b4,36,84,28,35,38,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,39,2d,42,19,57,ef,69,26,11,89,a0,5b,c7,a0,b4,a9,0f,..
"khjeh"=hex:4b,b1,06,bb,c4,8a,5d,0b,0d,a7,73,99,0f,39,d4,ed,b0,91,b5,f9,c9,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:21,a0,84,75,ed,0c,fc,af,26,2b,06,0a,8d,a2,4a,39,c9,70,4a,18,bb,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\Programs\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:86,04,a9,7d,62,fd,c4,7b,fb,46,08,89,1f,9a,04,b4,36,84,28,35,38,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,39,2d,42,19,57,ef,69,26,11,89,a0,5b,c7,a0,b4,a9,0f,..
"khjeh"=hex:4b,b1,06,bb,c4,8a,5d,0b,0d,a7,73,99,0f,39,d4,ed,b0,91,b5,f9,c9,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:21,a0,84,75,ed,0c,fc,af,26,2b,06,0a,8d,a2,4a,39,c9,70,4a,18,bb,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\Programs\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:86,04,a9,7d,62,fd,c4,7b,fb,46,08,89,1f,9a,04,b4,36,84,28,35,38,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,39,2d,42,19,57,ef,69,26,11,89,a0,5b,c7,a0,b4,a9,0f,..
"khjeh"=hex:4b,b1,06,bb,c4,8a,5d,0b,0d,a7,73,99,0f,39,d4,ed,b0,91,b5,f9,c9,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:21,a0,84,75,ed,0c,fc,af,26,2b,06,0a,8d,a2,4a,39,c9,70,4a,18,bb,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000002c0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"="C:\WINDOWS\system32\telelepu.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6273E193-D029-A27B-0287-31BA1142872B}]
"oafankhlgjgakegdlbjbhfdaiogang"=hex:64,61,6b,67,61,6b,6e,6c,00,e0
"oajfmhnekljkpmojpleijflchoiped"=hex:69,61,6a,67,70,6b,62,6d,6d,70,65,63,6e,70,61,6f,6e,6d,00,00
"nahgoheiookpdlcehndogpibdbdc"=hex:69,61,6a,67,70,6b,62,6d,6d,70,65,63,6e,70,61,6f,6e,6d,00,00

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\uTorrent.exe"="C:\\Program Files\\uTorrent.exe:*:Enabled:uTorrent"
"E:\\Programs\\iTunes.exe"="E:\\Programs\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"c:\\program files\\bcd_installed.exe"="c:\\program files\\bcd_installed.exe:*:Enabled:Windows Application Service"
"C:\\WINDOWS\\system32\\lxdicoms.exe"="C:\\WINDOWS\\system32\\lxdicoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe:*:Enabled:Device Monitor"
"C:\\WINDOWS\\system32\\lxdicfg.exe"="C:\\WINDOWS\\system32\\lxdicfg.exe:*:Enabled:Printer Communication System"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe:*:Enabled:Printer Status Window Interface"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe:*:Enabled:Lexmark Connect Time Executable"
"C:\\WINDOWS\\system32\\lxdiih.exe"="C:\\WINDOWS\\system32\\lxdiih.exe:*:Enabled:Printer Communication System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Lexmark 3500-4500 Series\\app4r.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"

Remaining Files :



Files with Hidden Attributes :

Fri 19 Sep 2008 19,968 ..SHR --- "C:\resycled\boot.com"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 24 Sep 2008 53,248 A.SH. --- "C:\WINDOWS\system32\nnnmlMeE.dll"
Mon 13 Mar 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 10 Mar 2008 76,800 ...H. --- "C:\Documents and Settings\NICHOLAS MENDILLO\My Documents\~WRL0004.tmp"
Mon 10 Mar 2008 64,512 ...H. --- "C:\Documents and Settings\NICHOLAS MENDILLO\My Documents\~WRL1153.tmp"
Fri 23 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 24 Jun 2008 64,512 A.SH. --- "C:\_OTMoveIt\MovedFiles\09262008_010750\WINDOWS\system32\petolahu.dll"
Tue 24 Jun 2008 64,512 A.SH. --- "C:\_OTMoveIt\MovedFiles\09262008_010750\WINDOWS\system32\telelepu.dll"
Thu 9 Mar 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon 3 Sep 2007 8 A..H. --- "C:\Documents and Settings\NICHOLAS MENDILLO\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

Finished!

HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:18, on 9/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\SbPFLnch.exe
C:\Program Files\SafeConnect\scManager.sys
C:\Program Files\SbPFSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SbPFCl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\WINDOWS\system32\cmd.exe
C:\Windows\system32\YUR11.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SafeConnect\scClient.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
C:\SDFix\dnif.exe
E:\Programs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {E80593FD-9D97-4D1F-A1A7-51DFFE42CF1A} - C:\WINDOWS\system32\byXPHxYQ.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [\YUR11.exe] C:\Windows\system32\YUR11.exe
O4 - HKLM\..\Run: [\YURD.exe] C:\Windows\system32\YURD.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [\YUR11.exe] C:\Windows\system32\YUR11.exe
O4 - HKCU\..\Run: [\YURD.exe] C:\Windows\system32\YURD.exe
O4 - HKUS\S-1-5-19\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: MEMonitor.lnk = E:\Programs\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures05.ai...AIM.9.5.1.8.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\telelepu.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\SbPFLnch.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - C:\Program Files\SafeConnect\scManager.sys servicestart (file missing)
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\SbPFSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 9844 bytes


Let's defeat this demon once and for all
-nick

[Rorschach112]

Do this in normal mode

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo.com/forum/Someone-Inside-Computer-t212811.html#entry1340841

Collect::
C:\x
C:\WINDOWS\system32\YURD.exe
C:\WINDOWS\system32\YUR11.exe
C:\WINDOWS\system32\xgyinccj.dll
C:\WINDOWS\system32\YUR13.exe
C:\WINDOWS\system32\YUR12.exe
C:\WINDOWS\system32\lwughfvg.dll
C:\WINDOWS\system32\leyxxn.dll
C:\WINDOWS\system32\frkosybh.dll
C:\WINDOWS\system32\QYxHPXyb.ini2
C:\WINDOWS\system32\byXPHxYQ.dll
C:\WINDOWS\system32\nnnmlMeE.dll
C:\WINDOWS\system32\YUR77.exe
C:\WINDOWS\system32\YUR76.exe
C:\WINDOWS\system32\YUR7A.exe
C:\WINDOWS\system32\YUR78.exe
C:\resycled
C:\WINDOWS\system32\telelepu.dll

Suspect::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Rootkit::
C:\WINDOWS\system32\nnnmlMeE.dll

Save this as CFScript.txt




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.
• A browser will open.
• Simply follow the instructions to copy/paste/send the requested file.

Also post a new HJT log