
Internet running slow, unwanted pop-ups and receiving lots of viruses


This topic is locked

#1
PhilCheSteak
New Member, 8 posts
Hey guys,

Ever since visiting myspace.com and logging in (I haven't been on the site in months) I've been receiving lots of viruses and adware (Downloaders, Trojan.Malscript, Trojan.fakeavalert, Trojan.Vundo). For the most part my main problem is that my internet is running slower and I keep getting pop-ups from sites that never gave me pop-ups before. In the past I know that I've been infected with Trojan Vundos as well. I have Symantec as my antivirus as well as Ad-Aware SE Professional and have recently used Malwarebytes' Anti-Malware too. I only use Firefox as my browser and have been receiving both pop-ups in Firefox and pop-ups in IE. Any help you can give would be greatly appreciated.

-Phil

Edited by PhilCheSteak, 18 April 2009 - 04:04 PM.



#2
Jimmy2012
Trusted Helper, Retired Staff, 6,238 posts
Hello PhilCheSteak and welcome to Geeks to Go. :)
Sorry about the delay.

Please read this topic, and post your logs back in this topic when you are done.

#3
PhilCheSteak
New Member, 8 posts
Here is the log from the scan I did:

Malwarebytes' Anti-Malware 1.36
Database version: 2028
Windows 5.1.2600 Service Pack 3

4/22/2009 4:56:08 PM
mbam-log-2009-04-22 (16-56-08).txt

Scan type: Quick Scan
Objects scanned: 74321
Time elapsed: 9 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jokelevu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\paduyaku.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\heyivuja.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\timinebe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\himimepe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bonalopi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ac58622-0591-4306-916b-a179a76aabc6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3ac58622-0591-4306-916b-a179a76aabc6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ac58622-0591-4306-916b-a179a76aabc6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eca914ff (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jubuheloko (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmef9a2763 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\himimepe.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bonalopi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\bonalopi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dipusujo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ojusupid.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fatenuva.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avunetaf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\forugaza.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\azagurof.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fuzikegi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igekizuf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jokelevu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uvelekoj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nebiteda.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adetiben.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\paduyaku.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ukayudap.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\samazaho.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ohazamas.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wumapomu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\umopamuw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zofuniwe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ewinufoz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\timinebe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\himimepe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\heyivuja.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bonalopi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mewakaye.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zetajare.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
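The MBAM log above is a good specimen for seeing how Vundo persists and what "Delete on reboot" means for the next step. The Python below is an added example, not part of the original thread and not Malwarebytes' own code: it parses an excerpt of the log format as posted (the excerpt is a constructed subset of the lines above), groups the registry hits by the autostart location they abuse (BHO, Run key, AppInit_DLLs, LSA Notification Packages, ShellServiceObjectDelayLoad, SharedTaskScheduler), pairs each dropped .dll with the .ini whose name is the same stem spelled backwards (dipusujo.dll / ojusupid.ini and so on, a pattern visible in the file list), and lists everything MBAM could only schedule for deletion on reboot. The section and entry regexes and the mechanism labels are this author's assumptions about the MBAM 1.36 log layout, inferred only from the text posted here.

```python
"""Triage an MBAM 1.x log: which autostart locations were abused, which
dropped .dll/.ini files belong together, and what is still pending a reboot."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the log posted above; the full log parses the same way.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ac58622-0591-4306-916b-a179a76aabc6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3ac58622-0591-4306-916b-a179a76aabc6} (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jubuheloko (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\himimepe.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\bonalopi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\dipusujo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ojusupid.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jokelevu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uvelekoj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mewakaye.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
"""

# One result line: "<item> (<detection>) -> [Data: <path> -> ] <action>."  (assumed layout)
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Autostart / hook locations, most specific substring first (labels are this author's).
MECHANISMS = [
    ("Browser Helper Objects", "BHO (loaded into Internet Explorer)"),
    ("\\CurrentVersion\\Run\\", "Run key"),
    ("AppInit_DLLs", "AppInit_DLLs (loaded into every process using user32.dll)"),
    ("Notification Packages", "LSA notification package (loaded into lsass.exe)"),
    ("ShellServiceObjectDelayLoad", "SSODL (loaded into explorer.exe)"),
    ("SharedTaskScheduler", "SharedTaskScheduler (loaded into explorer.exe)"),
    ("Security Center", "Security Center tampering"),
    ("\\CLSID\\", "COM class registration"),
]

@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    detection: str
    action: str
    data: Optional[str]  # payload path on "Registry Data Items" lines

def parse_mbam_log(text):
    findings, section = [], "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):        # section header, e.g. "Files Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY.match(line)
        if not m:                              # summary lines, blanks, "(No malicious ...)"
            continue
        parts = m["rest"].split(" -> ")
        data = next((p[len("Data: "):] for p in parts if p.startswith("Data: ")), None)
        findings.append(Finding(section, m["item"], m["detection"], parts[-1].rstrip("."), data))
    return findings

def classify(item):
    for needle, label in MECHANISMS:
        if needle.lower() in item.lower():
            return label
    return "other registry location"

def persistence_summary(findings):
    """Registry hits grouped by the autostart mechanism they abuse."""
    summary = defaultdict(list)
    for f in findings:
        if f.section.startswith("Registry"):
            summary[classify(f.item)].append(f"{f.item} = {f.data}" if f.data else f.item)
    return dict(summary)

def reversed_name_pairs(findings):
    """Vundo.H drops NAME.dll next to EMAN.ini (the stem spelled backwards)."""
    stems = defaultdict(set)
    for f in findings:
        if f.section == "Files":
            stem, _, ext = f.item.rsplit("\\", 1)[-1].lower().rpartition(".")
            stems[ext].add(stem)
    return sorted((d, d[::-1]) for d in stems["dll"] if d[::-1] in stems["ini"])

def pending_reboot(findings):
    """Items MBAM could not remove while they were loaded; a post-reboot rescan must confirm."""
    return sorted({f.item for f in findings if f.action.startswith("Delete on reboot")})

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for mechanism, items in persistence_summary(found).items():
        print(mechanism, *items, sep="\n    ")
    print("dll/ini pairs:", reversed_name_pairs(found))
    print("still pending reboot:", len(pending_reboot(found)))
```

Run it directly to print the summary. The items marked "Delete on reboot" were loaded into running processes at scan time (the AppInit_DLLs and LSA entries put them inside every user32-based process and lsass.exe), so until a scan after the reboot comes back clean the machine should be treated as still infected.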

#4
Jimmy2012
Trusted Helper, Retired Staff, 6,238 posts
Hello PhilCheSteak,

Could you please download and run OTListIt2 and post the logs from it in your next reply.

#5
PhilCheSteak
New Member, 8 posts
Alright Jimmy, here are the logs from OTListIt2:

OTListIt logfile created on: 4/23/2009 10:41:36 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Phil\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.48 Mb Total Physical Memory | 276.50 Mb Available Physical Memory | 54.06% Memory free
1.22 Gb Paging File | 0.95 Gb Available in Paging File | 78.27% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.91 Gb Total Space | 3.70 Gb Free Space | 1.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HELLOTOM
Current User Name: Phil
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2005/06/02 09:21:46 | 00,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/06/02 09:21:40 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2005/06/02 09:21:38 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/06/23 19:27:36 | 00,085,696 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2004/12/14 02:12:02 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
PRC - [2004/03/01 18:13:54 | 00,139,264 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\ForceWare\NVRemote\NvRemote.exe
PRC - [2004/04/26 13:23:38 | 00,229,376 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\NvPvrNetMon.exe
PRC - [2007/07/31 18:44:42 | 00,271,672 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2007/06/28 04:06:52 | 00,106,496 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2005/06/23 19:27:18 | 00,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2004/11/01 19:04:58 | 00,577,644 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\Diskeeper\DkService.exe
PRC - [2004/04/26 13:23:28 | 00,086,016 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\nvpvrmon.exe
PRC - [2008/05/16 14:01:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2006/04/19 22:45:34 | 01,073,152 | ---- | M] () -- C:\Program Files\WiFiConnector\NintendoWFCReg.exe
PRC - [2005/06/23 19:27:28 | 01,715,904 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/08/04 20:31:16 | 01,282,048 | ---- | M] (Yahoo, Inc.) -- C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
PRC - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2007/01/31 15:55:42 | 00,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2007/07/31 18:44:34 | 00,501,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/04/23 10:40:26 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/08/12 23:16:12 | 00,069,632 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2007/06/28 04:06:52 | 00,106,496 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/01/31 15:55:42 | 00,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [Auto | Running])
SRV - [2005/06/02 09:21:40 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2005/06/02 09:21:46 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2005/06/02 09:21:46 | 00,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2005/06/23 19:27:18 | 00,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2004/11/01 19:04:58 | 00,577,644 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\Diskeeper\DkService.exe -- (Diskeeper [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2007/07/31 18:44:34 | 00,501,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2004/04/26 13:23:28 | 00,086,016 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\nvpvrmon.exe -- (nvpvrmon [Auto | Running])
SRV - [2008/05/16 14:01:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2005/06/23 19:27:30 | 00,124,608 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2005/04/22 12:03:28 | 00,206,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2005/03/30 21:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [On_Demand | Stopped])
SRV - [2005/06/23 19:27:28 | 01,715,904 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - File not found -- -- (x10nets [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2003/12/10 03:21:16 | 00,004,224 | R--- | M] (ABIT Computer Corp.) -- C:\WINDOWS\System32\Drivers\AC2003.sys -- (AC2003 [On_Demand | Stopped])
DRV - [2004/02/23 23:08:52 | 00,400,384 | ---- | M] (Sensaura) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS [On_Demand | Running])
DRV - [2004/05/14 11:24:10 | 00,622,172 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2009/03/06 05:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2006/09/19 14:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2009/03/16 04:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090417.007\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/03/16 04:00:00 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090417.007\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2008/05/16 14:01:00 | 06,557,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2005/04/01 17:40:00 | 00,123,614 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\nvcap.sys -- (nvcap [Auto | Running])
DRV - [2004/02/24 17:37:00 | 00,111,689 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVHelper.SYS -- (NVHelper [System | Running])
DRV - [2005/04/01 17:40:00 | 00,021,906 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nvtunep.sys -- (nvTUNEP [Auto | Running])
DRV - [2005/04/01 17:40:00 | 00,025,442 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys -- (nvtvSND [Auto | Running])
DRV - [2005/04/01 17:40:00 | 00,013,696 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\NVxbar.sys -- (NVXBAR [Auto | Running])
DRV - [2004/02/24 17:34:42 | 00,009,856 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2003/03/31 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/03/11 18:28:13 | 00,020,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2006/04/10 01:02:17 | 00,162,816 | ---- | M] (Ralink Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\rt25usbap.sys -- (RT25USBAP [On_Demand | Stopped])
DRV - [2004/08/03 18:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2005/02/04 20:14:30 | 00,324,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
DRV - [2005/02/04 20:14:32 | 00,053,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
DRV - [2005/07/14 20:32:28 | 00,040,576 | ---- | M] () -- C:\WINDOWS\System32\drivers\sdcplh.sys -- (sdcplh [System | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 14:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
DRV - [2005/03/30 21:48:20 | 00,372,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
DRV - [2005/05/13 19:50:10 | 00,123,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2005/04/22 12:03:00 | 00,017,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
DRV - [2005/04/22 12:03:02 | 00,267,192 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2005/08/17 19:39:20 | 00,010,761 | ---- | M] (X10 Wireless Technology, Inc.) -- C:\WINDOWS\System32\Drivers\x10uif.sys -- (X10UIF [On_Demand | Stopped])
DRV - [2005/05/19 16:52:58 | 00,017,792 | ---- | M] (X10 Wireless Technology, Inc.) -- C:\WINDOWS\System32\Drivers\x10ufx2.sys -- (XUIF [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {6e84150a-d526-41f1-a480-a67d3fed910d}:1.4.1
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07076007
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 5
FF - prefs.js..extensions.enabledItems: 1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.9

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/04/22 17:20:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/22 16:37:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/22 16:37:17 | 00,000,000 | ---D | M]

[2008/08/26 22:04:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\mozilla\Extensions
[2008/08/26 22:04:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/04/22 18:25:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\mozilla\Firefox\Profiles\x2xljk2s.default\extensions
[2009/03/10 11:23:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\mozilla\Firefox\Profiles\x2xljk2s.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
[2009/04/18 23:02:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\mozilla\Firefox\Profiles\x2xljk2s.default\extensions\firefox@tvunetworks.com
[2008/02/28 20:03:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\mozilla\Firefox\Profiles\x2xljk2s.default\extensions\moveplayer@movenetworks.com
[2008/05/29 19:33:47 | 00,001,074 | ---- | M] () -- C:\Documents and Settings\Phil\Application Data\Mozilla\FireFox\Profiles\x2xljk2s.default\searchplugins\wikipedia-en.xml
[2006/03/31 00:32:28 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/22 16:37:11 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/22 16:37:11 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/22 16:37:11 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/09/29 10:33:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/09/29 10:33:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/09/29 10:33:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/11/14 16:44:39 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/09/29 10:33:20 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2006/11/05 14:36:57 | 00,009,216 | -HS- | M] () -- C:\Program Files\mozilla firefox\searchplugins\Thumbs.db
[2008/09/29 10:33:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/09/29 10:33:20 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (797 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
O4 - HKLM..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" (Executive Software International, Inc.)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [NvPvrNetMon] "C:\Program Files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\NvPvrNetMon.exe" start (NVIDIA Corporation)
O4 - HKLM..\Run: [NvRemoteManager] C:\Program Files\NVIDIA Corporation\ForceWare\NVRemote\NvRemote.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe ()
O4 - Startup: C:\Documents and Settings\Phil\Start Menu\Programs\Startup\Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe (Yahoo, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: issearch.exe = issearch.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsMenu = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsHistory = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 82 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O22 - SharedTaskScheduler: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - Reg Error: Key error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/12 20:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{8950b66a-f211-11dc-9d11-00508d74754d}\Shell\AutoRun\command - "" = E:\Install FreeAgent Tools.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[8 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/04/23 10:40:22 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTListIt2.exe
[2009/04/22 17:22:03 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/04/22 17:19:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/04/22 17:19:10 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/04/22 17:18:59 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/04/22 17:18:22 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/04/22 17:18:22 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/04/22 17:18:22 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/04/22 17:18:22 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/04/22 17:18:22 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/04/22 17:18:22 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/04/22 17:18:22 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/04/22 17:18:21 | 00,000,000 | ---D | C] -- C:\4685a542843d4b98977eb580a2f47f
[2009/04/22 16:41:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/22 16:40:59 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\NTREGOPT.lnk
[2009/04/22 16:40:59 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\ERUNT.lnk
[2009/04/22 16:40:56 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/04/22 16:24:38 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Phil\Desktop\erunt_setup.exe
[2009/04/22 16:24:04 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\Phil\Desktop\SysRestorePoint.exe
[2009/04/21 10:59:06 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/04/18 23:03:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Local Settings\Application Data\TVU Networks
[2009/04/18 23:03:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TVU Networks
[2009/04/18 01:01:32 | 00,000,851 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\log1.csv
[2009/04/16 18:57:21 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Phil\Desktop\HJTInstall.exe
[2009/04/16 18:37:24 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/16 18:37:24 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/16 18:37:24 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/16 18:37:23 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/16 18:37:23 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/16 18:37:23 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/16 18:37:22 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/16 18:37:22 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/16 18:37:21 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/16 18:36:59 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/16 18:36:58 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/16 18:36:58 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/15 16:20:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\U3
[2009/04/15 00:33:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Malwarebytes
[2009/04/15 00:33:32 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/15 00:33:31 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/15 00:33:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/15 00:33:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/15 00:33:23 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/15 00:32:21 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Phil\Desktop\mbam-setup.exe
[2009/04/13 23:39:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Desktop\2009_03_22
[2009/04/13 23:31:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Desktop\New Pictures for Jess
[2009/04/13 23:28:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Desktop\Spring Break 09 Pictures
[2009/03/31 17:40:02 | 00,018,433 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\octillery.gif
[2009/03/31 17:39:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Desktop\Pokemon
[2009/01/21 22:46:57 | 00,089,600 | -HS- | C] () -- C:\WINDOWS\System32\jadimupe.dll
[2009/01/21 10:46:30 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\savidise.dll
[2009/01/20 22:46:15 | 00,089,600 | -HS- | C] () -- C:\WINDOWS\System32\pejanuru.dll
[2009/01/20 10:45:51 | 00,089,600 | -HS- | C] () -- C:\WINDOWS\System32\jogekuke.dll
[2009/01/19 22:45:33 | 00,089,600 | -HS- | C] () -- C:\WINDOWS\System32\rowewaya.dll
[2009/01/19 10:45:24 | 00,089,600 | -HS- | C] () -- C:\WINDOWS\System32\dofozeha.dll
[2009/01/18 22:45:00 | 00,089,600 | -HS- | C] () -- C:\WINDOWS\System32\feretizi.dll
[2009/01/18 10:44:49 | 00,089,600 | -HS- | C] () -- C:\WINDOWS\System32\zaworido.dll
[2007/06/07 11:48:25 | 00,002,442 | ---- | C] () -- C:\WINDOWS\disney.ini
[2005/12/05 17:59:46 | 00,040,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\sdcplh.sys
[2005/10/06 17:05:38 | 00,000,040 | ---- | C] () -- C:\WINDOWS\nero.INI
[2005/08/15 23:00:31 | 00,123,614 | ---- | C] () -- C:\WINDOWS\System32\drivers\NVCAP.SYS
[2005/08/14 22:49:48 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/13 01:06:51 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2005/08/13 01:05:16 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2005/08/13 01:05:16 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2005/08/13 01:05:16 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2005/08/12 23:52:56 | 00,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2005/08/12 22:48:57 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2005/08/12 22:48:52 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/08/12 21:31:23 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2005/08/09 18:13:31 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/08/09 18:13:31 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/08/09 18:12:28 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/07/20 21:07:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/07/20 21:07:00 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/07/20 21:07:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/07/20 21:07:00 | 00,540,672 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/07/20 21:07:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/07/20 21:07:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/12/20 11:08:28 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/20 11:03:26 | 00,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2003/12/09 13:16:52 | 00,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\comintfs.dll
[2003/03/31 07:00:00 | 00,000,589 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/03/31 07:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2002/10/06 14:42:57 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/10/04 19:04:25 | 00,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2002/10/04 19:04:24 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/10/04 19:04:17 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll

========== Files - Modified Within 30 Days ==========

[8 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/04/23 10:40:26 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTListIt2.exe
[2009/04/22 18:24:10 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/22 18:23:29 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/04/22 18:23:19 | 00,178,158 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/04/22 18:23:02 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/22 18:22:48 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/22 18:22:34 | 00,141,240 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/22 18:22:32 | 53,639,9872 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/22 17:24:25 | 00,501,230 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/22 17:24:25 | 00,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/22 17:24:25 | 00,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/22 17:02:05 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\wumiseru
[2009/04/22 16:40:59 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\NTREGOPT.lnk
[2009/04/22 16:40:59 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\ERUNT.lnk
[2009/04/22 16:24:38 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Phil\Desktop\erunt_setup.exe
[2009/04/22 10:47:19 | 00,046,592 | -HS- | M] () -- C:\WINDOWS\System32\riyutava.exe
[2009/04/21 22:46:59 | 00,047,616 | -HS- | M] () -- C:\WINDOWS\System32\zehasido.exe
[2009/04/21 22:46:58 | 00,089,600 | -HS- | M] () -- C:\WINDOWS\System32\jadimupe.dll
[2009/04/21 10:46:31 | 00,088,576 | -HS- | M] () -- C:\WINDOWS\System32\savidise.dll
[2009/04/21 10:46:30 | 00,046,592 | -HS- | M] () -- C:\WINDOWS\System32\kidirafa.exe
[2009/04/20 22:46:16 | 00,089,600 | -HS- | M] () -- C:\WINDOWS\System32\pejanuru.dll
[2009/04/20 22:46:15 | 00,047,104 | -HS- | M] () -- C:\WINDOWS\System32\pomotuyo.exe
[2009/04/20 10:45:52 | 00,089,600 | -HS- | M] () -- C:\WINDOWS\System32\jogekuke.dll
[2009/04/20 10:45:52 | 00,047,104 | -HS- | M] () -- C:\WINDOWS\System32\vasehoyi.exe
[2009/04/19 22:45:34 | 00,089,600 | -HS- | M] () -- C:\WINDOWS\System32\rowewaya.dll
[2009/04/19 22:45:34 | 00,047,104 | -HS- | M] () -- C:\WINDOWS\System32\pibijego.exe
[2009/04/19 10:45:26 | 00,047,104 | -HS- | M] () -- C:\WINDOWS\System32\zuyuyubu.exe
[2009/04/19 10:45:25 | 00,089,600 | -HS- | M] () -- C:\WINDOWS\System32\dofozeha.dll
[2009/04/18 22:45:02 | 00,089,600 | -HS- | M] () -- C:\WINDOWS\System32\feretizi.dll
[2009/04/18 22:45:00 | 00,047,104 | -HS- | M] () -- C:\WINDOWS\System32\kipusama.exe
[2009/04/18 13:55:45 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/04/18 10:44:51 | 00,047,104 | -HS- | M] () -- C:\WINDOWS\System32\pufegogu.exe
[2009/04/18 10:44:50 | 00,089,600 | -HS- | M] () -- C:\WINDOWS\System32\zaworido.dll
[2009/04/18 01:02:53 | 00,000,851 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\log1.csv
[2009/04/17 22:44:53 | 00,107,520 | -HS- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\System32\hesuwopa.dll
[2009/04/17 03:05:58 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/16 19:09:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/16 18:57:24 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Phil\Desktop\HJTInstall.exe
[2009/04/15 00:33:32 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/15 00:32:29 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Phil\Desktop\mbam-setup.exe
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/31 17:40:04 | 00,018,433 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\octillery.gif
[2009/03/27 02:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
< End of report >

And the extras.txt file:

OTListIt Extras logfile created on: 4/23/2009 10:41:36 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Phil\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.48 Mb Total Physical Memory | 276.50 Mb Available Physical Memory | 54.06% Memory free
1.22 Gb Paging File | 0.95 Gb Available in Paging File | 78.27% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.91 Gb Total Space | 3.70 Gb Free Space | 1.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HELLOTOM
Current User Name: Phil
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"DisableNotifications" = 1
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2005/08/05 15:08:26 | 00,067,160 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger
[1997/10/31 08:57:46 | 02,322,944 | ---- | M] (Sony Computer Entertainment America Inc.) -- C:\Program Files\Sony Interactive\Twisted Metal 2\TM2.EXE:*:Enabled:Twisted Metal 2
[2005/04/17 18:08:11 | 03,112,960 | ---- | M] () -- C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek
[2004/04/04 14:52:30 | 00,036,864 | ---- | M] () -- C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui
File not found -- C:\Documents and Settings\Phil\Desktop\utorrent.exe:*:Enabled:µTorrent
[2009/02/13 17:34:01 | 00,270,128 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\utorrent\utorrent.exe:*:Enabled:µTorrent
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2006/11/03 03:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
[2006/04/19 22:45:34 | 01,073,152 | ---- | M] () -- C:\Program Files\WiFiConnector\NintendoWFCReg.exe:*:Enabled:Nintendo Wi-Fi USB Connector
[2007/07/31 18:44:34 | 15,333,688 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2008/10/31 15:22:38 | 00,050,480 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM
[2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe:*:Enabled:Explorer
[2009/02/28 00:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:IEXPLORE

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{15460260-0A67-4670-A155-08BEFFA70BFC}" = NVIDIA ForceWare Remote Control
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{2A1A690D-7030-4B92-A93B-B80378F1F580}" = Diskeeper Professional Edition
"{3248E093-5288-4CA9-B3AB-11A675FEA1F9}" = Symantec AntiVirus
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{51E62847-7231-4882-9F63-DE03E033BD5A}" = GUIDE PLUS+™ for Windows® System - NVIDIA
"{5FA4690C-1975-4F94-9A64-274F29BD9221}" = Microsoft Baseline Security Analyzer 1.2
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{64147053-1CC9-4767-A5E6-11BFB408B539}" = NVIDIA ForceWare Multimedia
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{757AD3D4-036B-42FA-B0A4-96BD6F4605A0}" = Ulead VideoStudio 7 SE DVD
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{82840C91-CBFD-4315-B5F6-A8E5E90A77FD}" = .NET Framework Machine Code Access Security Policy
"{88F93347-0F9B-4FED-BA71-6C2A4CDFE61D}" = Ulead DVD MovieFactory 2.5 SE
"{8A8F4EF8-160C-4E0F-B32D-92E2313E039B}" = Microsoft Baseline Security Analyzer 2.0
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{967D588C-9B96-40C9-A222-DCD6922563CA}" = Apple Mobile Device Support
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{B023185F-F1EF-4F97-B0BD-AE6D802226D1}" = NVIDIA WDM Drivers
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB06A0B3-9016-4926-9C92-97ECB2722D8F}" = Konfabulator
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E0219810-16E4-437D-9165-93D7B22524F9}" = iTunes
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"AC3Filter" = AC3Filter (remove only)
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.0 Professional
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced Spyware Remover Free Edition_is1" = Advanced Spyware Remover Free Edition
"AIM_6" = AIM 6
"AOL Instant Messenger" = AOL Instant Messenger
"BitTornado" = BitTornado 0.3.7
"BitTorrent" = BitTorrent 3.4.2
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CSCLIB" = Canon Camera Support Core Library
"Diablo II" = Diablo II
"EOS Utility" = Canon Utilities EOS Utility
"ERUNT_is1" = ERUNT 1.1j
"Family Feud Hollywood Edition" = Family Feud Hollywood Edition (remove only)
"ffdshow" = ffdshow (remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{15460260-0A67-4670-A155-08BEFFA70BFC}" = NVIDIA ForceWare Remote Control
"LastFM_is1" = Last.fm 1.5.4.24567
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.0.9)" = Mozilla Firefox (3.0.9)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"Nero - Burning Rom!UninstallKey" = Ahead Nero Burning ROM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OggDS" = Direct Show Ogg Vorbis Filter (remove only)
"PhotoStitch" = Canon Utilities PhotoStitch
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SafetyBar" = Safety Bar
"Soulseek" = SoulSeek Client 156c
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"SpywareBlaster_is1" = SpywareBlaster v3.5.1
"Tweak UI 2.10" = Tweak UI
"Twisted Metal 2" = Twisted Metal 2
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VideoLAN VLC media player 0.8.2
"Who Wants To Be A Millionaire 3rd Edition" = Who Wants To Be A Millionaire 3rd Edition
"Who Wants To Be A Millionaire Kids Edition" = Who Wants To Be A Millionaire Kids Edition
"WiFiConnector" = Nintendo Wi-Fi USB Connector Registration Tool
"Winamp" = Winamp (remove only)
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XviD_is1" = XviD MPEG-4 Video Codec
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/20/2009 12:15:46 AM | Computer Name = HELLOTOM | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Downloader in File: C:\DOCUME~1\Phil\LOCALS~1\TEMPOR~1\Content.IE5\J421MFG1\5_1_~1.HTM
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was deleted successfully.

Error - 4/20/2009 12:15:46 AM | Computer Name = HELLOTOM | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\Documents and Settings\Phil\Local
Settings\Temporary Internet Files\Content.IE5\J421MFG1\5[1].htm by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied.
Action Description: The file was deleted successfully.

Error - 4/20/2009 12:15:47 AM | Computer Name = HELLOTOM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Downloader in File: C:\DOCUME~1\Phil\LOCALS~1\TEMPOR~1\Content.IE5\J421MFG1\5_1_~1.HTM
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded
: Access denied. Action Description: The file was deleted successfully.

Error - 4/21/2009 10:46:25 AM | Computer Name = HELLOTOM | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Downloader in File: C:\Documents and Settings\Phil\Local
Settings\Temporary Internet Files\Content.IE5\AAYHQHIB\5[1].htm by: Auto-Protect
scan. Action: Clean failed : Quarantine failed. Action Description: The file
was left unchanged.

Error - 4/21/2009 10:46:27 AM | Computer Name = HELLOTOM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Downloader in File: C:\Documents and Settings\Phil\Local
Settings\Temporary Internet Files\Content.IE5\AAYHQHIB\5[1].htm by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
Quarantine was partially successful.

Error - 4/21/2009 10:46:43 AM | Computer Name = HELLOTOM | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Downloader in File: C:\Documents and Settings\Phil\Local
Settings\Temporary Internet Files\Content.IE5\AAYHQHIB\5[1].htm by: Auto-Protect
scan. Action: Clean failed : Quarantine failed. Action Description: The file
was left unchanged.

Error - 4/21/2009 10:46:43 AM | Computer Name = HELLOTOM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Downloader in File: C:\Documents and Settings\Phil\Local
Settings\Temporary Internet Files\Content.IE5\AAYHQHIB\5[1].htm by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
Quarantine was partially successful.

Error - 4/21/2009 10:47:00 AM | Computer Name = HELLOTOM | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Downloader in File: C:\DOCUME~1\Phil\LOCALS~1\TEMPOR~1\Content.IE5\AAYHQHIB\5_1_~1.HTM
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was deleted successfully.

Error - 4/21/2009 10:47:00 AM | Computer Name = HELLOTOM | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\Documents and Settings\Phil\Local
Settings\Temporary Internet Files\Content.IE5\AAYHQHIB\5[1].htm by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied.
Action Description: The file was deleted successfully.

Error - 4/21/2009 10:47:01 AM | Computer Name = HELLOTOM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Downloader in File: C:\DOCUME~1\Phil\LOCALS~1\TEMPOR~1\Content.IE5\AAYHQHIB\5_1_~1.HTM
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded
: Access denied. Action Description: The file was deleted successfully.

[ System Events ]
Error - 4/13/2009 11:14:55 PM | Computer Name = HELLOTOM | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 4/13/2009 11:19:00 PM | Computer Name = HELLOTOM | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 4/13/2009 11:19:00 PM | Computer Name = HELLOTOM | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 4/13/2009 11:19:00 PM | Computer Name = HELLOTOM | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Canon\ZoomBrowser
EX\Program\MFC80U.DLL. Reference error message: The operation completed successfully.
.

Error - 4/15/2009 12:58:34 AM | Computer Name = HELLOTOM | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 4/15/2009 12:59:42 AM | Computer Name = HELLOTOM | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde

Error - 4/17/2009 3:04:45 AM | Computer Name = HELLOTOM | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80246007: Windows Malicious Software Removal Tool - April 2009 (KB890830).

Error - 4/22/2009 5:03:38 PM | Computer Name = HELLOTOM | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 4/22/2009 5:04:43 PM | Computer Name = HELLOTOM | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde

Error - 4/22/2009 5:05:06 PM | Computer Name = HELLOTOM | Source = SAVRT | ID = 458772
Description = Unable to initialize the virus scanning engine database files.


< End of report >
  • 0

#6
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello PhilCheSteak,


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#7
PhilCheSteak

    New Member

  • Member
  • Pip
  • 8 posts
Here is the Combofix log:

ComboFix 09-04-23.A3 - Phil 04/23/2009 16:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.234 [GMT -4:00]
Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\COMMON~1\{3CA91~1
c:\windows\system32\components
c:\windows\system32\dofozeha.dll
c:\windows\system32\feretizi.dll
c:\windows\system32\jadimupe.dll
c:\windows\system32\jogekuke.dll
c:\windows\system32\pejanuru.dll
c:\windows\system32\rowewaya.dll
c:\windows\system32\savidise.dll
c:\windows\system32\zaworido.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-23 20:31 . 2009-04-23 20:31 -------- d-----w c:\windows\LastGood
2009-04-23 17:47 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-22 21:19 . 2009-04-22 21:19 -------- d-----w c:\windows\system32\XPSViewer
2009-04-22 21:18 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-22 21:18 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-22 21:18 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-22 21:18 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-22 21:18 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-22 21:18 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-22 21:18 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-22 21:18 . 2009-04-22 21:18 -------- d-----w C:\4685a542843d4b98977eb580a2f47f
2009-04-21 14:59 . 2009-04-21 14:59 -------- d-----w C:\VundoFix Backups
2009-04-19 03:03 . 2009-04-19 03:03 -------- d-----w c:\documents and settings\Phil\LocalLow
2009-04-19 03:03 . 2009-04-19 03:03 -------- d-----w c:\documents and settings\Phil\Local Settings\Application Data\TVU Networks
2009-04-19 03:03 . 2009-04-19 03:03 -------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2009-04-16 22:37 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 22:37 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 22:37 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 22:37 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 22:37 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 22:37 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 22:37 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 22:37 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 22:37 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 22:36 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 22:36 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 22:36 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 20:20 . 2009-04-16 22:59 -------- d-----w c:\documents and settings\Phil\Application Data\U3
2009-04-15 04:33 . 2009-04-15 04:33 -------- d-----w c:\documents and settings\Phil\Application Data\Malwarebytes
2009-04-15 04:33 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-15 04:33 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-15 04:33 . 2009-04-15 04:33 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 20:34 . 2005-08-13 01:15 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-22 21:19 . 2009-04-22 21:19 -------- d-----w c:\program files\MSBuild
2009-04-22 21:18 . 2009-04-22 21:18 -------- d-----w c:\program files\Reference Assemblies
2009-04-22 20:41 . 2009-04-22 20:40 -------- d-----w c:\program files\ERUNT
2009-04-22 14:47 . 2009-01-22 14:47 46592 --sha-w c:\windows\system32\riyutava.exe
2009-04-22 02:46 . 2009-01-22 02:46 47616 --sha-w c:\windows\system32\zehasido.exe
2009-04-21 15:30 . 2009-04-21 14:59 137 ----a-w C:\VundoFix.txt
2009-04-21 14:46 . 2009-01-21 14:46 46592 --sha-w c:\windows\system32\kidirafa.exe
2009-04-21 02:46 . 2009-01-21 02:46 47104 --sha-w c:\windows\system32\pomotuyo.exe
2009-04-20 14:45 . 2009-01-20 14:45 47104 --sha-w c:\windows\system32\vasehoyi.exe
2009-04-20 02:45 . 2009-01-20 02:45 47104 --sha-w c:\windows\system32\pibijego.exe
2009-04-19 14:45 . 2009-01-19 14:45 47104 --sha-w c:\windows\system32\zuyuyubu.exe
2009-04-19 02:45 . 2009-01-19 02:44 47104 --sha-w c:\windows\system32\kipusama.exe
2009-04-18 14:44 . 2009-01-18 14:44 47104 --sha-w c:\windows\system32\pufegogu.exe
2009-04-18 02:44 . 2009-01-18 02:44 107520 --sha-w c:\windows\system32\hesuwopa.dll
2009-04-15 04:33 . 2009-04-15 04:33 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 03:12 . 2006-05-24 22:03 -------- d-----w c:\documents and settings\Phil\Application Data\uTorrent
2009-04-14 03:39 . 2009-03-03 00:58 -------- d-----w c:\documents and settings\Phil\Application Data\ZoomBrowser EX
2009-04-14 03:27 . 2009-03-03 00:56 -------- d-----w c:\documents and settings\Phil\Application Data\CameraWindowDC
2009-03-30 21:18 . 2007-01-18 03:29 -------- d-----w c:\program files\Last.fm
2009-03-11 13:57 . 2009-03-11 13:57 -------- d-----w c:\documents and settings\Phil\Application Data\dvdcss
2009-03-06 14:22 . 2004-08-04 04:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:56 . 2009-03-03 00:56 -------- d-----w c:\documents and settings\Phil\Application Data\CANON INC
2009-03-03 00:18 . 2004-08-04 04:56 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 23:17 . 2009-03-02 23:16 -------- d-----w c:\program files\Canon
2009-03-02 23:16 . 2009-03-02 23:16 -------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-03-02 23:14 . 2009-03-02 23:14 -------- d-----w c:\program files\Common Files\Canon
2009-02-20 18:09 . 2004-08-04 04:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 04:56 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 04:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-04 04:56 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 04:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-04 03:17 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 04:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 03:20 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-03-31 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 04:56 56832 ----a-w c:\windows\system32\secur32.dll
2008-09-18 04:49 . 2005-08-13 00:51 31176 ----a-w c:\documents and settings\Phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-08-21 20:08 . 2005-08-21 20:08 127 ----a-w c:\documents and settings\Phil\Local Settings\Application Data\fusioncache.dat
2009-01-18 02:44 . 2009-01-18 02:44 69120 --sha-w c:\windows\system32\bujusufe.dll.tmp
2009-01-18 02:44 . 2009-01-18 02:44 69120 --sha-w c:\windows\system32\devinoga.dll.tmp
2009-01-18 02:44 . 2009-01-18 02:44 69120 --sha-w c:\windows\system32\pufidihu.dll.tmp
2008-09-05 15:57 . 2008-09-05 15:57 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NvRemoteManager"="c:\program files\NVIDIA Corporation\ForceWare\NVRemote\NvRemote.exe" [2004-03-01 139264]
"NvPvrNetMon"="c:\program files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\NvPvrNetMon.exe" [2004-04-26 229376]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2004-05-03 155648]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2004-11-01 176216]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-31 271672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\Phil\Start Menu\Programs\Startup\
Konfabulator.lnk - c:\program files\Pixoria\Konfabulator\Konfabulator.exe [2005-8-4 1282048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-7-18 1073152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= ,

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Sony Interactive\\Twisted Metal 2\\TM2.EXE"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R3 AC2003;AC2003;c:\windows\system32\Drivers\AC2003.sys [2003-12-10 4224]
R3 e4e42c46-264e-40d8-8b8a-e9edc856f071;e4e42c46-264e-40d8-8b8a-e9edc856f071; [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-06-23 124608]
S1 NVHelper;NVHelper;c:\windows\system32\drivers\NVHelper.SYS [2004-02-24 111689]
S2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\DRIVERS\nvtunep.sys [2005-04-01 21906]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\DRIVERS\nvtvsnd.sys [2005-04-01 25442]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10910

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8950b66a-f211-11dc-9d11-00508d74754d}]
\Shell\AutoRun\command - "E:\Install FreeAgent Tools.exe" /run
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\x2xljk2s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\x2xljk2s.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\x2xljk2s.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 16:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-23 16:45
ComboFix-quarantined-files.txt 2009-04-23 20:44

Pre-Run: 3,822,698,496 bytes free
Post-Run: 4,144,697,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

216 --- E O F --- 2009-04-23 20:33
  • 0

#8
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello PhilCheSteak,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\riyutava.exe
c:\windows\system32\zehasido.exe
c:\windows\system32\kidirafa.exe
c:\windows\system32\pomotuyo.exe
c:\windows\system32\vasehoyi.exe
c:\windows\system32\pibijego.exe
c:\windows\system32\zuyuyubu.exe
c:\windows\system32\kipusama.exe
c:\windows\system32\pufegogu.exe
c:\windows\system32\hesuwopa.dll
c:\windows\system32\bujusufe.dll.tmp
c:\windows\system32\devinoga.dll.tmp
c:\windows\system32\pufidihu.dll.tmp

Driver::
e4e42c46-264e-40d8-8b8a-e9edc856f071

SysRst::

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post the following report into your next reply:
  • Combofix.txt

  • 0
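A triage aid for the Find3M section of a ComboFix log like the one posted above, added here as an example (it is not ComboFix's code and not the helper's stated method): it parses the report lines, flags files sitting directly in system32 that carry the hidden+system attributes (`--sha-w`) and the eight-lowercase-letter name every scripted file shares, and emits them in CFScript `File::` form for a reviewer to check by hand. The name heuristic is my assumption drawn from this thread's log; the sample lines are copied from the log above, including the legitimate hidden+system `index.dat` the helper correctly left alone.

```python
"""Parse ComboFix 'Find3M Report' lines and flag hidden+system files under system32
whose names match the random eight-letter pattern seen in this thread's log.
The selection heuristic is an assumption for illustration, not ComboFix logic."""
import re
from dataclasses import dataclass
from typing import List

# One Find3M line: "<mtime> . <ctime> <size or --------> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
# Shape shared by every file the helper scripted for deletion in this thread:
# eight lowercase letters, then .exe, .dll or .dll.tmp (assumption from this log).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(exe|dll|dll\.tmp)$")
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample: lines copied from the Find3M report posted above.
SAMPLE_FIND3M = r"""
.
2009-04-22 20:41 . 2009-04-22 20:40 -------- d-----w c:\program files\ERUNT
2009-04-22 14:47 . 2009-01-22 14:47 46592 --sha-w c:\windows\system32\riyutava.exe
2009-04-21 15:30 . 2009-04-21 14:59 137 ----a-w C:\VundoFix.txt
2009-04-18 02:44 . 2009-01-18 02:44 107520 --sha-w c:\windows\system32\hesuwopa.dll
2009-02-09 12:10 . 2004-08-04 04:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-01-18 02:44 . 2009-01-18 02:44 69120 --sha-w c:\windows\system32\bujusufe.dll.tmp
2008-09-05 15:57 . 2008-09-05 15:57 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.
"""


@dataclass
class Entry:
    mtime: str   # last-modified timestamp as printed
    ctime: str   # creation timestamp as printed
    size: int    # -1 for directories ("--------")
    attrs: str   # attribute column, e.g. "--sha-w" (s = system, h = hidden)
    path: str

    @property
    def hidden_system(self) -> bool:
        # Both hidden and system bits set: how the dropped files hide from Explorer.
        return "s" in self.attrs and "h" in self.attrs


def parse_find3m(text: str) -> List[Entry]:
    """Return one Entry per Find3M line; banners, '.' separators and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        size = -1 if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["mtime"], m["ctime"], size, m["attrs"], m["path"]))
    return entries


def flag_suspicious(entries: List[Entry]) -> List[Entry]:
    """Hidden+system files directly inside system32 with a random eight-letter name."""
    flagged = []
    for e in entries:
        if e.size < 0 or not e.hidden_system:
            continue
        low = e.path.lower()
        if not low.startswith(SYSTEM32):
            continue
        name = low[len(SYSTEM32):]
        if "\\" in name:
            # Subfolder, e.g. config\systemprofile\...\index.dat: IE history files
            # are legitimately hidden+system, so they are not flagged.
            continue
        if RANDOM_NAME_RE.match(name):
            flagged.append(e)
    return flagged


def to_cfscript(entries: List[Entry]) -> str:
    """Render the flagged paths as a CFScript 'File::' block for manual review."""
    return "File::\n" + "\n".join(e.path for e in entries) + "\n"


if __name__ == "__main__":
    print(to_cfscript(flag_suspicious(parse_find3m(SAMPLE_FIND3M))))
```

The output is a starting point for a reviewer, not something to feed to ComboFix unread; the attribute and name pattern is a heuristic and a helper still confirms each path.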

#9
PhilCheSteak

    New Member

  • Member
  • Pip
  • 8 posts
Here is the next log:

ComboFix 09-04-24.01 - Phil 04/24/2009 1:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.195 [GMT -4:00]
Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Phil\Desktop\CFScript.txt.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\bujusufe.dll.tmp
c:\windows\system32\devinoga.dll.tmp
c:\windows\system32\hesuwopa.dll
c:\windows\system32\kidirafa.exe
c:\windows\system32\kipusama.exe
c:\windows\system32\pibijego.exe
c:\windows\system32\pomotuyo.exe
c:\windows\system32\pufegogu.exe
c:\windows\system32\pufidihu.dll.tmp
c:\windows\system32\riyutava.exe
c:\windows\system32\vasehoyi.exe
c:\windows\system32\zehasido.exe
c:\windows\system32\zuyuyubu.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bujusufe.dll.tmp
c:\windows\system32\devinoga.dll.tmp
c:\windows\system32\hesuwopa.dll
c:\windows\system32\kidirafa.exe
c:\windows\system32\kipusama.exe
c:\windows\system32\pibijego.exe
c:\windows\system32\pomotuyo.exe
c:\windows\system32\pufegogu.exe
c:\windows\system32\pufidihu.dll.tmp
c:\windows\system32\riyutava.exe
c:\windows\system32\vasehoyi.exe
c:\windows\system32\zehasido.exe
c:\windows\system32\zuyuyubu.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_e4e42c46-264e-40d8-8b8a-e9edc856f071


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-23 17:47 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-22 21:19 . 2009-04-22 21:19 -------- d-----w c:\windows\system32\XPSViewer
2009-04-22 21:18 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-22 21:18 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-22 21:18 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-22 21:18 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-22 21:18 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-22 21:18 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-22 21:18 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-22 21:18 . 2009-04-22 21:18 -------- d-----w C:\4685a542843d4b98977eb580a2f47f
2009-04-21 14:59 . 2009-04-21 14:59 -------- d-----w C:\VundoFix Backups
2009-04-19 03:03 . 2009-04-19 03:03 -------- d-----w c:\documents and settings\Phil\LocalLow
2009-04-19 03:03 . 2009-04-19 03:03 -------- d-----w c:\documents and settings\Phil\Local Settings\Application Data\TVU Networks
2009-04-19 03:03 . 2009-04-19 03:03 -------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2009-04-16 22:37 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 22:37 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 22:37 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 22:37 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 22:37 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 22:37 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 22:37 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 22:37 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 22:37 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 22:36 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 22:36 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 22:36 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 20:20 . 2009-04-16 22:59 -------- d-----w c:\documents and settings\Phil\Application Data\U3
2009-04-15 04:33 . 2009-04-15 04:33 -------- d-----w c:\documents and settings\Phil\Application Data\Malwarebytes
2009-04-15 04:33 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-15 04:33 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-15 04:33 . 2009-04-15 04:33 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 05:23 . 2005-08-13 01:15 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-22 21:19 . 2009-04-22 21:19 -------- d-----w c:\program files\MSBuild
2009-04-22 21:18 . 2009-04-22 21:18 -------- d-----w c:\program files\Reference Assemblies
2009-04-22 20:41 . 2009-04-22 20:40 -------- d-----w c:\program files\ERUNT
2009-04-21 15:30 . 2009-04-21 14:59 137 ----a-w C:\VundoFix.txt
2009-04-15 04:33 . 2009-04-15 04:33 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 03:12 . 2006-05-24 22:03 -------- d-----w c:\documents and settings\Phil\Application Data\uTorrent
2009-04-14 03:39 . 2009-03-03 00:58 -------- d-----w c:\documents and settings\Phil\Application Data\ZoomBrowser EX
2009-04-14 03:27 . 2009-03-03 00:56 -------- d-----w c:\documents and settings\Phil\Application Data\CameraWindowDC
2009-03-30 21:18 . 2007-01-18 03:29 -------- d-----w c:\program files\Last.fm
2009-03-11 13:57 . 2009-03-11 13:57 -------- d-----w c:\documents and settings\Phil\Application Data\dvdcss
2009-03-06 14:22 . 2004-08-04 04:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:56 . 2009-03-03 00:56 -------- d-----w c:\documents and settings\Phil\Application Data\CANON INC
2009-03-03 00:18 . 2004-08-04 04:56 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 23:17 . 2009-03-02 23:16 -------- d-----w c:\program files\Canon
2009-03-02 23:16 . 2009-03-02 23:16 -------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-03-02 23:14 . 2009-03-02 23:14 -------- d-----w c:\program files\Common Files\Canon
2009-02-20 18:09 . 2004-08-04 04:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 04:56 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 04:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-04 04:56 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 04:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-04 03:17 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 04:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 03:20 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-03-31 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 04:56 56832 ----a-w c:\windows\system32\secur32.dll
2008-09-18 04:49 . 2005-08-13 00:51 31176 ----a-w c:\documents and settings\Phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-08-21 20:08 . 2005-08-21 20:08 127 ----a-w c:\documents and settings\Phil\Local Settings\Application Data\fusioncache.dat
2008-09-05 15:57 . 2008-09-05 15:57 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-23_20.43.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-24 05:23 . 2009-04-24 05:23 16384 c:\windows\Temp\Perflib_Perfdata_6ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NvRemoteManager"="c:\program files\NVIDIA Corporation\ForceWare\NVRemote\NvRemote.exe" [2004-03-01 139264]
"NvPvrNetMon"="c:\program files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\NvPvrNetMon.exe" [2004-04-26 229376]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2004-05-03 155648]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2004-11-01 176216]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-31 271672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\Phil\Start Menu\Programs\Startup\
Konfabulator.lnk - c:\program files\Pixoria\Konfabulator\Konfabulator.exe [2005-8-4 1282048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-7-18 1073152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= ,

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Sony Interactive\\Twisted Metal 2\\TM2.EXE"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R3 AC2003;AC2003;c:\windows\system32\Drivers\AC2003.sys [2003-12-10 4224]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-06-23 124608]
S1 NVHelper;NVHelper;c:\windows\system32\drivers\NVHelper.SYS [2004-02-24 111689]
S2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\DRIVERS\nvtunep.sys [2005-04-01 21906]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\DRIVERS\nvtvsnd.sys [2005-04-01 25442]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [2009-03-16 101936]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8950b66a-f211-11dc-9d11-00508d74754d}]
\Shell\AutoRun\command - "E:\Install FreeAgent Tools.exe" /run
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\x2xljk2s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\x2xljk2s.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\x2xljk2s.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 01:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2492)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\NvPvrMon.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-24 1:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-24 05:32
ComboFix2.txt 2009-04-23 20:45

Pre-Run: 4,135,342,080 bytes free
Post-Run: 4,052,783,104 bytes free

242 --- E O F --- 2009-04-23 20:33
  • 0

#10
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello PhilCheSteak,


  • Please start Malwarebytes' Anti-Malware and update it.
  • To update please do this, click Update and then click Check for Updates.
  • It will now install any updates it finds.
  • Once it is done updating please click Scanner and then click "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
~~~~~~~~~~~~~
In your next reply please have these logs.
The Malwarebytes log
And the Eset log
  • 0

#11
PhilCheSteak

PhilCheSteak

    New Member

  • Member
  • Pip
  • 8 posts
Sorry I was away for so long. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.36
Database version: 2053
Windows 5.1.2600 Service Pack 3

4/28/2009 10:43:35 AM
mbam-log-2009-04-28 (10-43-35).txt

Scan type: Quick Scan
Objects scanned: 75225
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And here is the EsetOnlineScanner log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4039 (20090428)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=7756789dcffdbc4ebfa5ad457abc8bda
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-28 03:46:11
# local_time=2009-04-28 11:46:11 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=221080
# found=13
# scan_time=3496
C:\Qoobox\Quarantine\C\WINDOWS\system32\dofozeha.dll.vir Win32/Adware.Virtumonde.NET application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\feretizi.dll.vir Win32/Adware.Virtumonde.NET application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\hesuwopa.dll.vir Win32/Adware.Virtumonde.NET application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\jogekuke.dll.vir Win32/Adware.Virtumonde.NET application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\kipusama.exe.vir Win32/Qhost.NJG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\pejanuru.dll.vir Win32/Adware.Virtumonde.NET application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\pibijego.exe.vir Win32/Qhost.NJG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\pomotuyo.exe.vir Win32/Qhost.NJG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\pufegogu.exe.vir Win32/Qhost.NJG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\rowewaya.dll.vir Win32/Adware.Virtumonde.NET application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\vasehoyi.exe.vir Win32/Qhost.NJG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\zaworido.dll.vir Win32/Adware.Virtumonde.NET application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\zuyuyubu.exe.vir Win32/Qhost.NJG trojan (unable to clean - deleted) 00000000000000000000000000000000
  • 0
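A small parser for the ESET Online Scanner log format shown in the post above, added here as an example and not part of the thread or of ESET's tooling. It splits the "# key=value" header from the detection lines and separates hits that sit under C:\Qoobox\Quarantine (ComboFix's quarantine folder, where removed files are kept with a .vir suffix) from hits on live paths; the "found=4" header and the C:\Program Files\Example App\helper.dll line in the sample are constructed for the demonstration.

```python
import re
from collections import Counter

# ESET Online Scanner log layout (as in the log above): "# key=value" header lines,
# then one detection per line: <path> <threat> <kind> (<action>) <32-hex digest>.
DETECTION_RE = re.compile(
    r"^(?P<path>\S.*?) (?P<threat>\S+) (?P<kind>\w+) \((?P<action>[^)]*)\) (?P<digest>[0-9A-Fa-f]{32})$"
)

# ComboFix keeps the files it removes under C:\Qoobox\Quarantine with a .vir suffix,
# so a hit there is a neutralised copy, not a live infection.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


def parse_eset_log(text):
    """Return (header dict, detections list, unparsed lines) for an ESET Online Scanner log."""
    header, detections, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m is None:  # e.g. threat names containing spaces; keep them for manual review
            unparsed.append(line)
            continue
        d = m.groupdict()
        d["in_quarantine"] = d["path"].lower().startswith(QUARANTINE_PREFIX)
        detections.append(d)
    return header, detections, unparsed


def summarize(detections):
    """Count hits per threat name and list paths that were NOT already quarantined."""
    return {
        "total": len(detections),
        "by_threat": dict(Counter(d["threat"] for d in detections)),
        "live_paths": [d["path"] for d in detections if not d["in_quarantine"]],
    }


# Constructed excerpt: three lines from the log above plus one made-up live hit.
SAMPLE_LOG = """# version=4
# found=4
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\dofozeha.dll.vir Win32/Adware.Virtumonde.NET application (unable to clean - deleted) 00000000000000000000000000000000
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\kipusama.exe.vir Win32/Qhost.NJG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\pibijego.exe.vir Win32/Qhost.NJG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\\Program Files\\Example App\\helper.dll Win32/Adware.Virtumonde.NET application (cleaned by deleting) 00000000000000000000000000000000
"""

if __name__ == "__main__":
    header, hits, leftover = parse_eset_log(SAMPLE_LOG)
    print(header["found"], summarize(hits), leftover)
```

Run against the full log in the post, every one of the 13 hits resolves to the quarantine folder, which is why the helper's next question is simply how the machine is running.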

#12
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello PhilCheSteak,

How is your computer running now?
  • 0

#13
PhilCheSteak

PhilCheSteak

    New Member

  • Member
  • Pip
  • 8 posts
Wonderfully, and it's all thanks to you. No more pop-ups, and it's been running really fast, probably the best it's ever run. Thanks a lot, Jimmy, I owe you one, and many thanks to Geeks to Go!

-PhilCheSteak
  • 0

#14
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello PhilCheSteak,
Your logs look clean. :)
Just a few more things to do.
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Please download OTCleanIt and save it to your Desktop.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button to begin removing tools used to clean your computer
  • If you are prompted to Reboot during the cleanup, please select Yes

Please remove any leftover tools used to clean your computer.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spywareguard: Is realtime protection from spyware.

2. Spywareblaster: Helps protect against any bad ActiveX from installing on your computer.

3. SuperAntiSpyware: Use this program to help remove any spyware that may have gotten on your computer.

4. FireFox: This is a great alternate browser over Internet Explorer. Firefox is much more secure than Internet Explorer and also has a built-in pop-up blocker.

5. ATF Cleaner: This program cleans out your temporary files. This is a great tool that can help speed your computer up.

6. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • 0

#15
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
