Old 04-27-2009, 06:07 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2006
Location: NJ
Posts: 14
OS: Windows XP Media SP3


Registry Defender Issues

Over the last day or two I have been getting an absurd number of popups asking me to install Registry Defender. Internet browsing has slowed to a crawl (I'm on a separate machine now for posting purposes). Redirects are common since my machine has become infected. Specifically: Google searches related to Registry Defender, attempts to log onto my Gmail account, attempts to access techsupportforum, and a few others. I scanned my system with Avast 4 Home (running as realtime shield, too) and it found one called zilolilo.exe which it promptly quarantined. Since then, Avast has found nothing further, though it's still blocking "malicious redirects". A few hours ago I gave Spybot a shot and it found/cleaned a few instances of Fraud.Virus Doctor, virtumonde.prx, and virtumonde.dll, as well as something labeled Firewall Bypass. After Spybot did its cleaning, and I rebooted, I've been getting repeated error msgs: "error loading c:\windows\system32\koyopibi.dll The specified module could not be found." The same also for kehifiya.dll and gemoniwa.dll. I've since dl'd and run the DDS and GMER as asked. Thank you for your patience with me. Seems I posted in haste earlier without first reading the step-by-step.

Running Windows XP Media on a Dell XPS 410 with 4 GB RAM.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Raymond at 18:50:24.28 on Mon 04/27/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1572 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090427-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Raymond\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=3061113
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {91233b46-fe62-459b-a2a7-7c601a5754b2} - c:\windows\system32\nutowuko.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [8439664a] rundll32.exe "c:\windows\system32\kehifiya.dll",b
mRun: [CPM870a55d6] Rundll32.exe "c:\windows\system32\gemoniwa.dll",a
mRun: [lajopebina] Rundll32.exe "c:\windows\system32\koyopibi.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {8DCCD0A9-D6B8-4E41-B898-C40FE0BBC75E} = 71.250.0.12,71.242.0.12
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
AppInit_DLLs: c:\windows\system32\birevaga.dll c:\windows\system32\ c:\windows\system32\gemoniwa.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gemoniwa.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\gemoniwa.dll
LSA: Notification Packages = scecli c:\windows\system32\birevaga.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-16 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-16 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-16 138680]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-16 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-16 352920]

=============== Created Last 30 ================

2009-04-27 11:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-27 11:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-24 17:04 <DIR> --d----- C:\divx
2009-04-24 07:54 39 a------- c:\windows\webica.ini
2009-04-23 20:46 <DIR> --d----- c:\documents and settings\raymond\Tracing
2009-04-23 20:43 <DIR> --d----- c:\program files\Microsoft
2009-04-23 20:43 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-04-23 20:40 <DIR> --d----- c:\program files\common files\Windows Live
2009-04-22 05:12 <DIR> --d----- c:\docume~1\raymond\applic~1\ICAClient
2009-04-22 05:10 <DIR> --d----- c:\program files\Citrix
2009-04-16 18:14 1,071 a------- c:\windows\AWMODEM.INF
2009-04-15 14:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-04-15 05:51 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 05:51 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 05:51 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 05:51 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-15 05:51 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 05:51 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 05:51 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 05:51 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 05:51 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 05:51 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 05:49 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 05:49 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 05:49 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-13 16:32 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-12 20:48 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-12 16:50 268,648 a------- c:\windows\system32\mucltui.dll
2009-04-12 16:50 208,744 a------- c:\windows\system32\muweb.dll
2009-04-12 16:50 27,496 a------- c:\windows\system32\mucltui.dll.mui

==================== Find3M ====================

2009-04-27 18:32 87,608 a------- c:\docume~1\raymond\applic~1\inst.exe
2009-04-27 18:32 47,360 a------- c:\docume~1\raymond\applic~1\pcouffin.sys
2009-04-27 09:11 59,904 a--sh--- c:\windows\system32\nofafuge.exe
2009-04-26 21:11 98,816 -------- c:\windows\system32\jemayaso.dll
2009-04-26 21:11 104,960 a--sh--- c:\windows\system32\vehoyibe.dll
2009-04-26 21:11 60,928 a--sh--- c:\windows\system32\wimaluhu.exe
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-11 00:40 0 -------- c:\docume~1\raymond\applic~1\wklnhst.dat
2009-03-11 00:29 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-10 17:40 104,253 a------- c:\windows\hpoins04.dat
2009-03-10 16:17 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-10 16:17 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll

============= FINISH: 18:50:50.42 ===============
Attached Files
File Type: zip ark.zip (350.6 KB, 3 views)
Temilfist is offline  
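As an added example (not part of the thread and not code from the DDS tool), a small Python audit that reads lines in the style of the Pseudo HJT Report above and scores each loaded module by the signals an analyst looks at in a report like this: loading points that legitimate software rarely touches (AppInit_DLLs, SSODL, STS, LSA Notification Packages), a BHO registered without a display name, rundll32 entries with a single-letter export, and eight-letter random-looking filenames in system32. The sample lines are constructed from the report above; the weights and the reporting threshold are my own assumptions, chosen so that the weak filename heuristic never reports on its own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample input: benign and suspicious lines in the style of the
# DDS "Pseudo HJT Report" posted above, so the audit runs offline.
SAMPLE_LINES = [
    r"uStart Page = about:blank",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll",
    r"BHO: {91233b46-fe62-459b-a2a7-7c601a5754b2} - c:\windows\system32\nutowuko.dll",
    r"TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File",
    r"mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe",
    r'mRun: [8439664a] rundll32.exe "c:\windows\system32\kehifiya.dll",b',
    r'mRun: [CPM870a55d6] Rundll32.exe "c:\windows\system32\gemoniwa.dll",a',
    r'mRun: [lajopebina] Rundll32.exe "c:\windows\system32\koyopibi.dll",s',
    r"AppInit_DLLs: c:\windows\system32\birevaga.dll c:\windows\system32\ c:\windows\system32\gemoniwa.dll",
    r"SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gemoniwa.dll",
    r"STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\gemoniwa.dll",
    r"LSA: Notification Packages = scecli c:\windows\system32\birevaga.dll",
]

KEY_RE = re.compile(r"^([A-Za-z_]+):")
# A drive-letter path ending in .dll/.exe/.sys; paths may contain spaces, so the
# tempered token stops a match from running into the next "x:\" on the same line.
PATH_RE = re.compile(r'[a-z]:\\(?:(?![a-z]:\\)[^"])*?\.(?:dll|exe|sys)(?=["\s,]|$)', re.I)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
UNNAMED_BHO_RE = re.compile(r"^BHO:\s*\{", re.I)

# Loading points ordinary third-party software almost never uses on a home XP box.
# Assumed weights: strong signals score 2, the filename heuristic scores 1, and a
# module is reported only at score >= 2, so a legitimate eight-letter system DLL
# (browseui.dll, setupapi.dll) is not reported on its name alone.
HIGH_RISK_KEYS = {"AppInit_DLLs", "SSODL", "STS", "LSA"}
REPORT_THRESHOLD = 2


@dataclass
class Finding:
    key: str      # loading point, e.g. mRun, BHO, AppInit_DLLs
    module: str   # lower-cased basename of the loaded file
    path: str
    reasons: List[str] = field(default_factory=list)
    score: int = 0


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def audit_line(line: str) -> List[Finding]:
    """Score every module one report line loads; return only the reportable ones."""
    m = KEY_RE.match(line)
    if not m:
        return []
    key = m.group(1)
    rundll = RUNDLL_RE.search(line)
    findings = []
    for path in PATH_RE.findall(line):
        name = _basename(path)
        if not name:  # defensive: a bare directory such as "c:\windows\system32\"
            continue
        f = Finding(key=key, module=name, path=path)
        if key in HIGH_RISK_KEYS:
            f.reasons.append(f"loaded from {key}, a loading point rarely used by legitimate software")
            f.score += 2
        if key.upper() == "BHO" and UNNAMED_BHO_RE.match(line):
            f.reasons.append("BHO registered without a display name")
            f.score += 2
        if rundll and len(rundll.group(2)) == 1 and _basename(rundll.group(1)) == name:
            f.reasons.append(f"started via rundll32 with single-letter export '{rundll.group(2)}'")
            f.score += 2
        if RANDOM_NAME_RE.match(name) and _in_system32(path):
            f.reasons.append("eight-letter random-looking filename in system32")
            f.score += 1
        if f.score >= REPORT_THRESHOLD:
            findings.append(f)
    return findings


def audit(lines: List[str]) -> List[Finding]:
    return [f for line in lines for f in audit_line(line)]


def loading_points_by_module(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Cross-reference: one module hooked at several loading points is the strongest
    single indicator in a report like this one (gemoniwa.dll appears four times)."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        out[f.module].add(f.key)
    return dict(out)


if __name__ == "__main__":
    results = audit(SAMPLE_LINES)
    for f in results:
        print(f"{f.key:13} {f.module:14} score={f.score}  " + "; ".join(f.reasons))
    for mod, keys in sorted(loading_points_by_module(results).items()):
        if len(keys) > 1:
            print(f"{mod} is hooked at {len(keys)} loading points: {', '.join(sorted(keys))}")
```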
Old 04-28-2009, 04:33 AM   #2 (permalink)
Moderator, Analyst, Security Team
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Registry Defender Issues

Hello

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear.

Please DO NOT Attach logs to your posts unless you are advised to do so.

=========

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Place combofix.exe on your Desktop
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
* Double click on combofix.exe & follow the prompts.
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Click on Yes, to continue scanning for malware.
* Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
* When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


TheBruce1 is offline  
Old 04-28-2009, 05:18 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2006
Location: NJ
Posts: 14
OS: Windows XP Media SP3


Re: Registry Defender Issues

OK, done and done. I should mention that, while I did disable Avast prior to running ComboFix, immediately after the reboot it started itself back up. ComboFix gave a warning, I disabled Avast again, then continued with ComboFix's prompts. During this process, those 3 error messages I mentioned earlier sprang up again. Here is the pasted ComboFix log:

ComboFix 09-04-28.02 - Raymond 04/28/2009 19:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1528 [GMT -4:00]
Running from: c:\documents and settings\Raymond\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090428-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Raymond\Application Data\inst.exe
c:\windows\system32\_000076_.tmp.dll
c:\windows\system32\_000090_.tmp.dll
c:\windows\system32\_000093_.tmp.dll
c:\windows\system32\_000103_.tmp.dll
c:\windows\system32\_000114_.tmp.dll
c:\windows\system32\_000116_.tmp.dll
c:\windows\system32\_003133_.tmp.dll
c:\windows\system32\_003134_.tmp.dll
c:\windows\system32\_003135_.tmp.dll
c:\windows\system32\_003136_.tmp.dll
c:\windows\system32\_003143_.tmp.dll
c:\windows\system32\_003144_.tmp.dll
c:\windows\system32\_003145_.tmp.dll
c:\windows\system32\_003146_.tmp.dll
c:\windows\system32\_003148_.tmp.dll
c:\windows\system32\_003149_.tmp.dll
c:\windows\system32\_003152_.tmp.dll
c:\windows\system32\_003153_.tmp.dll
c:\windows\system32\_003155_.tmp.dll
c:\windows\system32\_003156_.tmp.dll
c:\windows\system32\_003157_.tmp.dll
c:\windows\system32\_003159_.tmp.dll
c:\windows\system32\_003162_.tmp.dll
c:\windows\system32\_003163_.tmp.dll
c:\windows\system32\_003167_.tmp.dll
c:\windows\system32\_003168_.tmp.dll
c:\windows\system32\_003170_.tmp.dll
c:\windows\system32\_003173_.tmp.dll
c:\windows\system32\_003175_.tmp.dll
c:\windows\system32\_003176_.tmp.dll
c:\windows\system32\_003177_.tmp.dll
c:\windows\system32\_003178_.tmp.dll
c:\windows\system32\_003179_.tmp.dll
c:\windows\system32\_003182_.tmp.dll
c:\windows\system32\_003183_.tmp.dll
c:\windows\system32\_003184_.tmp.dll
c:\windows\system32\_003185_.tmp.dll
c:\windows\system32\_003186_.tmp.dll
c:\windows\system32\_003191_.tmp.dll
c:\windows\system32\_003193_.tmp.dll
c:\windows\system32\_003194_.tmp.dll
c:\windows\system32\jemayaso.dll
c:\windows\system32\vehoyibe.dll
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-27 15:41 . 2009-04-27 15:43 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 15:41 . 2009-04-27 22:24 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 21:04 . 2009-04-27 03:03 -------- d-----w C:\divx
2009-04-24 00:46 . 2009-04-28 00:36 -------- d-----w c:\documents and settings\Raymond\Tracing
2009-04-24 00:43 . 2009-04-24 00:43 -------- d-----w c:\program files\Microsoft
2009-04-24 00:43 . 2009-04-24 00:43 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-24 00:43 . 2009-04-24 00:43 -------- d-----w c:\program files\Windows Live
2009-04-24 00:40 . 2009-04-24 00:40 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-23 08:21 . 2009-04-23 08:21 -------- d-----w c:\program files\7-Zip
2009-04-22 09:12 . 2009-04-22 09:30 -------- d-----w c:\documents and settings\Raymond\Application Data\ICAClient
2009-04-22 09:10 . 2009-04-22 09:10 -------- d-----w c:\program files\Citrix
2009-04-16 13:48 . 2009-04-16 13:48 -------- d-----w c:\program files\Alwil Software
2009-04-15 18:31 . 2009-04-15 18:31 -------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-04-15 09:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:51 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 09:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 09:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:49 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 20:32 . 2009-04-13 20:32 -------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-13 19:56 . 2009-04-13 19:56 -------- d-----w c:\windows\Sun
2009-04-13 09:04 . 2009-04-13 09:06 -------- d-----w c:\documents and settings\Mom\Application Data\Azureus
2009-04-13 00:48 . 2009-04-13 00:48 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-12 20:50 . 2008-10-16 18:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-12 20:50 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-12 01:38 . 2009-04-12 01:38 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-07 17:08 . 2009-04-07 17:08 -------- d-----w c:\documents and settings\Raymond\Application Data\AdobeUM
2009-04-04 10:33 . 2009-04-04 10:33 -------- d-----w c:\documents and settings\Mom\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 22:32 . 2009-03-11 06:04 -------- d-----w c:\program files\zMUD
2009-04-28 10:06 . 2009-03-11 09:56 52 ----a-w c:\windows\popcinfot.dat
2009-04-28 10:06 . 2009-03-11 09:56 196 ---h--w c:\windows\popcreg.dat
2009-04-27 22:35 . 2009-03-14 09:39 -------- d-----w c:\program files\DivX
2009-04-27 22:33 . 2009-03-11 05:17 -------- d-----w c:\program files\Vuze
2009-04-27 22:32 . 2009-03-11 04:29 -------- d-----w c:\program files\VSO
2009-04-27 22:32 . 2009-03-11 04:29 47360 ----a-w c:\documents and settings\Raymond\Application Data\pcouffin.sys
2009-04-27 13:11 . 2009-01-27 13:11 59904 --sha-w c:\windows\system32\nofafuge.exe
2009-04-27 01:11 . 2009-01-27 01:11 60928 --sha-w c:\windows\system32\wimaluhu.exe
2009-04-24 00:44 . 2009-03-11 04:34 74696 ----a-w c:\documents and settings\Raymond\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 13:40 . 2006-11-13 16:56 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-13 11:09 . 2009-03-11 10:57 74112 ----a-w c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 09:05 . 2009-03-11 22:23 74112 ----a-w c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 00:53 . 2006-11-13 17:01 -------- d-----w c:\program files\Microsoft Works
2009-03-21 18:54 . 2009-03-11 09:37 -------- d-----w c:\program files\PopCap Games
2009-03-18 17:10 . 2009-03-18 17:10 -------- d-----w c:\program files\Combined Community Codec Pack
2009-03-14 12:10 . 2009-03-14 12:10 -------- d-----w c:\program files\AC3Filter
2009-03-14 10:51 . 2009-03-14 10:51 -------- d-----w c:\program files\MSBuild
2009-03-14 10:51 . 2009-03-14 10:51 -------- d-----w c:\program files\Reference Assemblies
2009-03-11 22:23 . 2009-03-11 22:22 126 ----a-w c:\documents and settings\Mom\Local Settings\Application Data\fusioncache.dat
2009-03-11 10:57 . 2009-03-11 10:57 126 ----a-w c:\documents and settings\Dad\Local Settings\Application Data\fusioncache.dat
2009-03-11 10:04 . 2009-03-11 10:03 -------- d-----w c:\program files\funkitron
2009-03-11 09:41 . 2009-03-11 09:39 -------- d-----w c:\program files\Masque IGT Slots Little Green Men
2009-03-11 09:37 . 2009-03-11 09:37 0 ----a-w c:\windows\popcinfo.dat
2009-03-11 09:27 . 2009-03-10 18:20 130 ----a-w c:\documents and settings\Raymond\Local Settings\Application Data\fusioncache.dat
2009-03-11 06:00 . 2009-03-11 06:00 -------- d-----w c:\program files\CCleaner
2009-03-11 04:40 . 2009-03-11 04:40 0 ------w c:\documents and settings\Raymond\Application Data\wklnhst.dat
2009-03-11 04:29 . 2009-03-11 04:29 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-11 04:24 . 2009-03-11 04:24 -------- d-----w c:\program files\AviSynth 2.5
2009-03-11 04:24 . 2009-03-11 04:24 -------- d-----w c:\program files\Red Kawa
2009-03-10 22:22 . 2009-03-10 22:22 -------- d-----w c:\program files\iTunes
2009-03-10 22:22 . 2009-03-10 22:22 -------- d-----w c:\program files\iPod
2009-03-10 22:22 . 2009-03-10 22:21 -------- d-----w c:\program files\Common Files\Apple
2009-03-10 22:22 . 2009-03-10 22:22 -------- d-----w c:\program files\Bonjour
2009-03-10 22:22 . 2009-03-10 22:22 -------- d-----w c:\program files\QuickTime
2009-03-10 22:22 . 2009-03-10 22:22 -------- d-----w c:\program files\Apple Software Update
2009-03-10 21:40 . 2009-03-10 21:25 104253 ----a-w c:\windows\hpoins04.dat
2009-03-10 21:39 . 2009-03-10 21:27 -------- d-----w c:\program files\HP
2009-03-10 21:37 . 2009-03-10 21:37 -------- d-----w c:\program files\Common Files\HP
2009-03-10 21:35 . 2009-03-10 21:35 -------- d-----w c:\program files\Hewlett-Packard
2009-03-10 21:33 . 2009-03-10 21:33 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-10 20:18 . 2009-03-10 20:17 -------- d-----w c:\program files\Microsoft IntelliPoint
2009-03-10 20:17 . 2009-03-10 20:17 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-10 20:17 . 2009-03-10 20:17 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-03-10 20:16 . 2009-03-10 20:16 -------- d-----w c:\program files\Microsoft IntelliType Pro
2009-03-10 19:49 . 2006-11-13 16:59 -------- d-----w c:\program files\Google
2009-03-10 19:45 . 2006-11-13 16:54 -------- d-----w c:\program files\Common Files\Real
2009-03-10 19:44 . 2005-08-17 01:54 -------- d-----w c:\program files\GemMaster
2009-03-10 19:40 . 2006-11-13 16:54 -------- d-----w c:\program files\Common Files\AOL
2009-03-10 19:24 . 2009-03-10 19:24 -------- d-----w c:\program files\MSXML 4.0
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 09:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 09:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2009-03-10 18:49 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2009-03-10 18:49 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2009-03-10 18:49 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2005-08-16 09:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2009-03-10 18:49 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 22:52 . 2009-02-06 22:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2009-03-10 18:49 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2009-03-10 18:49 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 09:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2009-03-10 18:49 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 09:18 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\zMUD\\Zmud.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50123:UDP"= 50123:UDP:Vuze
"50123:TCP"= 50123:TCP:Vuze

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{91233b46-fe62-459b-a2a7-7c601a5754b2} - c:\windows\system32\nutowuko.dll
HKLM-Run-8439664a - c:\windows\system32\kehifiya.dll
HKLM-Run-CPM870a55d6 - c:\windows\system32\gemoniwa.dll
HKLM-Run-lajopebina - c:\windows\system32\koyopibi.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {8DCCD0A9-D6B8-4E41-B898-C40FE0BBC75E} = 71.250.0.12,71.242.0.12
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 19:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-04-28 19:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 23:10

Pre-Run: 108,795,080,704 bytes free
Post-Run: 108,862,115,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

265 --- E O F --- 2009-04-15 12:03
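The log above contains four things an analyst reads first: Run entries whose target files have already been deleted (listed under ORPHANS REMOVED, and the source of "error loading ... The specified module could not be found" at logon), the Security Center overrides (UpdatesDisableNotify and DisableMonitoring set to 1, which silence the warnings a user would otherwise see), the globally open Vuze ports in the firewall policy, and a MountPoints2 AutoRun command for a removable drive. The following Python script is an added example, not part of the original post and not ComboFix's own code: it parses a ComboFix "Reg Loading Points" section and flags those four classes. SAMPLE_LOG is constructed from entries shown on this page, with one made-up size/date on the orphan line, and the file-existence check is injectable so the triage can be run offline against a log from another machine.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread (not ComboFix's code).  Flags: Run entries whose
target is missing, Security Center notification/monitoring overrides, globally
open firewall ports, and MountPoints2 AutoRun commands.
"""
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in ComboFix's REGEDIT4-style layout (not a real log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]
"lajopebina"="c:\windows\system32\koyopibi.dll" [2009-04-27 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50123:UDP"= 50123:UDP:Vuze

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
QUOTED_RE = re.compile(r'^"([^"]+)"')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")

# Security Center values that rogue software sets to 1 to silence the user.
SUPPRESSION_VALUES = {
    "UpdatesDisableNotify", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "DisableMonitoring",
}

Entry = Tuple[Optional[str], str]  # (value name, or None for bare lines; raw text)


def parse_reg_points(text: str) -> Dict[str, List[Entry]]:
    """Group every line of the section under the [key] that precedes it."""
    entries: Dict[str, List[Entry]] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, [])
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries[key].append((m.group(1), m.group(2).strip()))
        else:  # e.g. '\Shell\AutoRun\command - E:\setup.exe' under MountPoints2
            entries[key].append((None, line))
    return entries


def run_target(raw: str) -> str:
    """Pull the file path out of a ComboFix Run-entry value.

    ComboFix prints '"c:\\full\\path" [date size]' for absolute targets and
    '"name.exe" - c:\\resolved\\name.exe [date size]' for bare file names.
    """
    m = QUOTED_RE.match(raw)
    if m and "\\" in m.group(1):
        return m.group(1)
    if " - " in raw:
        raw = raw.split(" - ", 1)[1]
    return raw.split(" [", 1)[0].strip().strip('"')


def triage(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs; `exists` is injectable so the
    orphan check can run against a log taken from another machine."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_reg_points(text).items():
        lk = key.lower()
        for name, raw in values:
            if lk.endswith("\\currentversion\\run"):
                path = run_target(raw)
                if not exists(path):
                    findings.append(("orphan-run", f"{name} -> {path}"))
            elif "\\security center" in lk:
                m = DWORD_RE.match(raw)
                if name in SUPPRESSION_VALUES and m and int(m.group(1), 16) == 1:
                    findings.append(("security-center-suppressed", f"{key}\\{name}"))
            elif lk.endswith("\\globallyopenports\\list"):
                findings.append(("open-port", raw))
            elif "\\mountpoints2\\" in lk and "autorun" in raw.lower():
                findings.append(("autorun-command", raw.split(" - ", 1)[-1]))
    return findings


if __name__ == "__main__":
    # Stand-alone run: treat only the two legitimate targets as present on disk.
    present = {r"c:\progra~1\alwils~1\avast4\ashdisp.exe", r"c:\windows\stsystra.exe"}
    for kind, detail in triage(SAMPLE_LOG, exists=lambda p: p.lower() in present):
        print(f"{kind:28s} {detail}")
```

On the infected machine itself you would call triage() with the default os.path.exists, which resolves the 8.3 short names (progra~1) that ComboFix prints; on an analyst workstation pass a set of known-present paths as above. A missing Run target is only a symptom: the orphan shows that something else (here Spybot) removed the DLL but left the loader entry behind, and the Security Center overrides have to be reset separately, which is what the CFscript later in the thread does.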
Old 04-29-2009, 04:26 AM   #4 (permalink)
Moderator, Analyst, Security Team
TheBruce1
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP

Re: Registry Defender Issues

Hello again

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

URL Assistant <--- This is a program that redirects mis-typed URLs to a Dell-branded Google search page. See Here for more information.
Viewpoint Media Player <--- Viewpoint is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546


Additional Information Here

=======

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/371037-registry-defender-issues.html

Collect::
c:\windows\system32\nofafuge.exe
c:\windows\system32\wimaluhu.exe

Folder::
c:\documents and settings\Mom\Application Data\Azureus
c:\program files\Common Files\Symantec Shared

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

DDS::
uInternet Settings,ProxyOverride = *.local
Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s).

=======

JAVA OUTDATED


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

========

Download ATF-Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

=======

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

This animation will guide you through the process:




To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

=========
Logs Required
C:\Combofix.txt
Kaspersky Scan Report


An update on how your system is running.
Old 04-29-2009, 10:31 AM   #5 (permalink)
Registered User
 
Join Date: Aug 2006
Location: NJ
Posts: 14
OS: Windows XP Media SP3


Re: Registry Defender Issues

A few things to mention here:
*ComboFix informed me there was a newer version available and asked would I like to download it. I selected NO.

*A browser window didn't open after CF did its thing, but instead it informed me that "captured files are being sent for analysis". Assuming this amounts to the same thing (?)

*After uninstalling the outdated version of Java and rebooting the PC, Windows did not recognize the recently downloaded Java and wouldn't open it. I navigated back to the site and downloaded it again. Ran fine the second time.

Here are the requested CF and Kaspersky logs, in order:

ComboFix 09-04-28.02 - Raymond 04/29/2009 9:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1553 [GMT -4:00]
Running from: c:\documents and settings\Raymond\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Raymond\Desktop\CFscript.txt
AV: avast! antivirus 4.8.1335 [VPS 090428-0] *On-access scanning disabled* (Updated)
* Created a new restore point

file zipped: c:\windows\system32\nofafuge.exe
file zipped: c:\windows\system32\wimaluhu.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mom\Application Data\Azureus
c:\documents and settings\Mom\Application Data\Azureus\.certs
c:\documents and settings\Mom\Application Data\Azureus\.keystore
c:\documents and settings\Mom\Application Data\Azureus\.lock
c:\documents and settings\Mom\Application Data\Azureus\active\cache.dat
c:\documents and settings\Mom\Application Data\Azureus\azureus.config
c:\documents and settings\Mom\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Mom\Application Data\Azureus\azureus.statistics
c:\documents and settings\Mom\Application Data\Azureus\cnetworks.config
c:\documents and settings\Mom\Application Data\Azureus\devices.config
c:\documents and settings\Mom\Application Data\Azureus\devices.config.bak
c:\documents and settings\Mom\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Mom\Application Data\Azureus\downloads.config
c:\documents and settings\Mom\Application Data\Azureus\friends.config
c:\documents and settings\Mom\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Mom\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\CNetworks_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\Devices_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Mom\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Mom\Application Data\Azureus\metasearch.config
c:\documents and settings\Mom\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Mom\Application Data\Azureus\net\pm_19262.dat
c:\documents and settings\Mom\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Mom\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Mom\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Mom\Application Data\Azureus\timingstats.dat
c:\documents and settings\Mom\Application Data\Azureus\tmp\AZU62724.tmp
c:\documents and settings\Mom\Application Data\Azureus\tmp\AZU62725.tmp
c:\documents and settings\Mom\Application Data\Azureus\tmp\AZU62726.tmp
c:\documents and settings\Mom\Application Data\Azureus\tmp\AZU62727.tmp
c:\documents and settings\Mom\Application Data\Azureus\tmp\AZU62728.tmp
c:\documents and settings\Mom\Application Data\Azureus\tmp\AZU62729.tmp
c:\documents and settings\Mom\Application Data\Azureus\tmp\AZU62730.tmp
c:\documents and settings\Mom\Application Data\Azureus\tmp\AZU62731.tmp
c:\documents and settings\Mom\Application Data\Azureus\tracker.config
c:\documents and settings\Mom\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Mom\Application Data\Azureus\unsentdata.config
c:\documents and settings\Mom\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Mom\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Mom\Application Data\Azureus\VuzeActivities.config
c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\CCPD-LC\001F0061.TKN
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
c:\windows\system32\nofafuge.exe
c:\windows\system32\wimaluhu.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-27 15:41 . 2009-04-27 15:43 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 15:41 . 2009-04-27 22:24 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 21:04 . 2009-04-27 03:03 -------- d-----w C:\divx
2009-04-24 00:46 . 2009-04-28 23:22 -------- d-----w c:\documents and settings\Raymond\Tracing
2009-04-24 00:43 . 2009-04-24 00:43 -------- d-----w c:\program files\Microsoft
2009-04-24 00:43 . 2009-04-24 00:43 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-24 00:43 . 2009-04-24 00:43 -------- d-----w c:\program files\Windows Live
2009-04-24 00:40 . 2009-04-24 00:40 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-23 08:21 . 2009-04-23 08:21 -------- d-----w c:\program files\7-Zip
2009-04-22 09:12 . 2009-04-22 09:30 -------- d-----w c:\documents and settings\Raymond\Application Data\ICAClient
2009-04-22 09:10 . 2009-04-22 09:10 -------- d-----w c:\program files\Citrix
2009-04-16 13:48 . 2009-04-16 13:48 -------- d-----w c:\program files\Alwil Software
2009-04-15 18:31 . 2009-04-15 18:31 -------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-04-15 09:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:51 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 09:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 09:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:49 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 20:32 . 2009-04-13 20:32 -------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-13 19:56 . 2009-04-13 19:56 -------- d-----w c:\windows\Sun
2009-04-13 00:48 . 2009-04-13 00:48 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-12 20:50 . 2008-10-16 18:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-12 20:50 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-12 01:38 . 2009-04-12 01:38 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-07 17:08 . 2009-04-07 17:08 -------- d-----w c:\documents and settings\Raymond\Application Data\AdobeUM
2009-04-04 10:33 . 2009-04-04 10:33 -------- d-----w c:\documents and settings\Mom\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 04:37 . 2009-03-11 06:04 -------- d-----w c:\program files\zMUD
2009-04-28 10:06 . 2009-03-11 09:56 52 ----a-w c:\windows\popcinfot.dat
2009-04-28 10:06 . 2009-03-11 09:56 196 ---h--w c:\windows\popcreg.dat
2009-04-27 22:35 . 2009-03-14 09:39 -------- d-----w c:\program files\DivX
2009-04-27 22:33 . 2009-03-11 05:17 -------- d-----w c:\program files\Vuze
2009-04-27 22:32 . 2009-03-11 04:29 -------- d-----w c:\program files\VSO
2009-04-27 22:32 . 2009-03-11 04:29 47360 ----a-w c:\documents and settings\Raymond\Application Data\pcouffin.sys
2009-04-24 00:44 . 2009-03-11 04:34 74696 ----a-w c:\documents and settings\Raymond\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 11:09 . 2009-03-11 10:57 74112 ----a-w c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 09:05 . 2009-03-11 22:23 74112 ----a-w c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 00:53 . 2006-11-13 17:01 -------- d-----w c:\program files\Microsoft Works
2009-03-21 18:54 . 2009-03-11 09:37 -------- d-----w c:\program files\PopCap Games
2009-03-18 17:10 . 2009-03-18 17:10 -------- d-----w c:\program files\Combined Community Codec Pack
2009-03-14 12:10 . 2009-03-14 12:10 -------- d-----w c:\program files\AC3Filter
2009-03-14 10:51 . 2009-03-14 10:51 -------- d-----w c:\program files\MSBuild
2009-03-14 10:51 . 2009-03-14 10:51 -------- d-----w c:\program files\Reference Assemblies
2009-03-11 22:23 . 2009-03-11 22:22 126 ----a-w c:\documents and settings\Mom\Local Settings\Application Data\fusioncache.dat
2009-03-11 10:57 . 2009-03-11 10:57 126 ----a-w c:\documents and settings\Dad\Local Settings\Application Data\fusioncache.dat
2009-03-11 10:04 . 2009-03-11 10:03 -------- d-----w c:\program files\funkitron
2009-03-11 09:41 . 2009-03-11 09:39 -------- d-----w c:\program files\Masque IGT Slots Little Green Men
2009-03-11 09:37 . 2009-03-11 09:37 0 ----a-w c:\windows\popcinfo.dat
2009-03-11 09:27 . 2009-03-10 18:20 130 ----a-w c:\documents and settings\Raymond\Local Settings\Application Data\fusioncache.dat
2009-03-11 06:00 . 2009-03-11 06:00 -------- d-----w c:\program files\CCleaner
2009-03-11 04:40 . 2009-03-11 04:40 0 ------w c:\documents and settings\Raymond\Application Data\wklnhst.dat
2009-03-11 04:29 . 2009-03-11 04:29 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-11 04:24 . 2009-03-11 04:24 -------- d-----w c:\program files\AviSynth 2.5
2009-03-11 04:24 . 2009-03-11 04:24 -------- d-----w c:\program files\Red Kawa
2009-03-10 22:22 . 2009-03-10 22:22 -------- d-----w c:\program files\iTunes
2009-03-10 22:22 . 2009-03-10 22:22 -------- d-----w c:\program files\iPod
2009-03-10 22:22 . 2009-03-10 22:21 -------- d-----w c:\program files\Common Files\Apple
2009-03-10 22:22 . 2009-03-10 22:22 -------- d-----w c:\program files\Bonjour
2009-03-10 22:22 . 2009-03-10 22:22 -------- d-----w c:\program files\QuickTime
2009-03-10 22:22 . 2009-03-10 22:22 -------- d-----w c:\program files\Apple Software Update
2009-03-10 21:40 . 2009-03-10 21:25 104253 ----a-w c:\windows\hpoins04.dat
2009-03-10 21:39 . 2009-03-10 21:27 -------- d-----w c:\program files\HP
2009-03-10 21:37 . 2009-03-10 21:37 -------- d-----w c:\program files\Common Files\HP
2009-03-10 21:35 . 2009-03-10 21:35 -------- d-----w c:\program files\Hewlett-Packard
2009-03-10 21:33 . 2009-03-10 21:33 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-10 20:18 . 2009-03-10 20:17 -------- d-----w c:\program files\Microsoft IntelliPoint
2009-03-10 20:17 . 2009-03-10 20:17 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-10 20:17 . 2009-03-10 20:17 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-03-10 20:16 . 2009-03-10 20:16 -------- d-----w c:\program files\Microsoft IntelliType Pro
2009-03-10 19:49 . 2006-11-13 16:59 -------- d-----w c:\program files\Google
2009-03-10 19:45 . 2006-11-13 16:54 -------- d-----w c:\program files\Common Files\Real
2009-03-10 19:44 . 2005-08-17 01:54 -------- d-----w c:\program files\GemMaster
2009-03-10 19:40 . 2006-11-13 16:54 -------- d-----w c:\program files\Common Files\AOL
2009-03-10 19:24 . 2009-03-10 19:24 -------- d-----w c:\program files\MSXML 4.0
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 09:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 09:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2009-03-10 18:49 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2009-03-10 18:49 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2009-03-10 18:49 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2005-08-16 09:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2009-03-10 18:49 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 22:52 . 2009-02-06 22:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2009-03-10 18:49 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2009-03-10 18:49 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 09:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2009-03-10 18:49 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 09:18 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-28_23.06.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 12:07 . 2009-04-29 12:07 16384 c:\windows\Temp\Perflib_Perfdata_724.dat
+ 2006-11-13 17:02 . 2009-04-29 12:00 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2006-11-13 17:02 . 2009-04-29 12:00 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-11-13 17:02 . 2009-04-29 12:00 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-11-13 17:02 . 2009-04-29 12:00 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-11-13 17:02 . 2009-04-29 12:00 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-03-10 19:58 . 2009-04-29 12:01 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-03-10 19:58 . 2009-04-15 12:01 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-03-10 19:58 . 2009-04-15 12:01 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-03-10 19:58 . 2009-04-29 12:01 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-03-10 19:58 . 2009-04-15 12:01 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-03-10 19:58 . 2009-04-29 12:01 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-03-10 19:58 . 2009-04-29 12:01 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-03-10 19:58 . 2009-04-15 12:01 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-11-13 17:02 . 2009-04-29 12:00 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-03-10 19:58 . 2009-04-15 12:01 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-03-10 19:58 . 2009-04-29 12:01 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-11-13 17:02 . 2009-04-29 12:00 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-11-13 17:02 . 2009-04-29 12:00 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-11-13 17:02 . 2009-04-29 12:00 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-11-13 17:02 . 2009-04-29 12:00 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-11-13 17:02 . 2009-04-29 12:00 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-11-13 17:02 . 2009-04-15 12:01 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-03-10 19:58 . 2009-04-29 12:00 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2009-03-10 19:58 . 2009-04-15 12:01 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2009-03-10 19:58 . 2009-04-15 12:01 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-03-10 19:58 . 2009-04-29 12:00 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-03-10 19:58 . 2009-04-29 12:01 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2009-03-10 19:58 . 2009-04-15 12:01 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-03-10 19:58 . 2009-04-29 12:01 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-03-10 19:58 . 2009-04-15 12:01 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-03-10 19:58 . 2009-04-15 12:01 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-03-10 19:58 . 2009-04-29 12:00 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\zMUD\\Zmud.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50123:UDP"= 50123:UDP:Vuze
"50123:TCP"= 50123:TCP:Vuze

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {8DCCD0A9-D6B8-4E41-B898-C40FE0BBC75E} = 71.250.0.12,71.242.0.12
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-29 9:59
ComboFix-quarantined-files.txt 2009-04-29 13:58
ComboFix2.txt 2009-04-28 23:10

Pre-Run: 108,830,961,664 bytes free
Post-Run: 108,825,735,168 bytes free

282 --- E O F --- 2009-04-29 12:01
Upload was successful




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, April 29, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 16:30:33
Records in database: 2094719
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 65934
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:03:24

No malware has been detected. The scan area is clean.

The selected area was scanned.




As far as reporting how the PC is running atm, it seems smooth to me. So far, no crazy .dll popups as before. The only issues I've been having (and these may or may not be unrelated) are CPU hogging by System Idle Process and strange happenings in the taskbar notification area. By strange I mean items I ask to be hidden always/when inactive or always show don't always act as instructed. I used TaskbarRepairToolPlus! from Kellys-korner and it worked temporarily. After a reboot (or sometimes not) items in the taskbar revert back to where I don't want them, and/or drop back into the Past items category. Again, this may or may not be related. Aside from what I just now mentioned, the PC seems healthier = )
Temilfist is offline  
Old 04-29-2009, 03:25 PM   #6 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Registry Defender Issues

Hello again

File was uploaded successfully, you should have allowed Combofix to update...no big deal.

Quote:
The only issues I've been having (and these may or may not be unrelated) are CPU hogging by System Idle Process
If System Idle Process is using about 80 to 90 CPU, then that is normal. When System Idle Process is down to less than, say, 10, something else is hogging the CPU; the higher the CPU for System Idle Process, the better it is for your system.


Quote:
By strange I mean items I ask to be hidden always/when inactive or always show don't always act as instructed. I used TaskbarRepairToolPlus! from Kellys-korner and it worked temporarily. After a reboot (or sometimes not) items in the taskbar revert back to where I don't want them, and/or drop back into the Past items category. Again, this may or may not be related. Aside from what I just now mentioned, the PC seems healthier = )
This issue does not appear to be malware related. As our focus in this section is malware removal, you would be better served discussing your issues in the Windows XP section of this forum. Please let them know you've been cleared by the Virus/Trojan/Spyware Help section.

=========

You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:
=========

If there are no further issues, continue below.

=========

Delete DDS from your desktop. You can keep ATF-Cleaner if you wish, otherwise delete from desktop.

==========

Well done, your logs are clean.

Click start>run>type(or copy/paste command into run box):

ComboFix /u

Click ok.

==========

Clear IE7 cookies

*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.


Clear Firefox cookies/cache

• Select "Tools"
• Select "Options".
• Select "Privacy".
• In the "Settings" window, put a check mark for Cookies, Cache, Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES

1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended).

Microsoft updates are released on the second Tuesday of each month, what is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.


For Internet Explorer users:
WOT for IE

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer

Firefox
Opera

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
Malwarebytes' Anti-Malware

SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items

------------------------------------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

If you're having trouble downloading & extracting, see the link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the hosts file, double-click on it and a new window will open.

Double-click on mvps.bat and follow the prompts.

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme wants to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Secunia PSI is a programme that will alert you to vulnerabilities and outdated programs you have installed, such as Java, Flash Player and many more.

It can also alert you if you have not installed the latest patches from Microsoft.

==============================================

Also, please take a look at this well written article:

PC Safety and Security--What Do I Need?

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, as we may mark this as resolved, thanks.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
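The HOSTS-file mechanism described in the post above (pointing a site at 127.0.0.1 so the machine never reaches it) can also be checked from the defender's side: the same mechanism, used in reverse, is how a hijacked HOSTS file cuts a machine off from update and security-vendor sites. The following Python script is an added example, not part of this thread or of the MVPS project. It parses a HOSTS file, separates block entries from redirects, and flags entries that touch protected domains. The sample HOSTS text, the PROTECTED_SUFFIXES list and the 198.51.100.7 address are constructed for the example.

```python
"""Audit a Windows HOSTS file: block entries versus redirects.

Added example, not from the forum thread or the MVPS project.  A block
list such as the MVPS HOSTS file maps unwanted domains to 127.0.0.1; a
HOSTS hijack uses the same mechanism in reverse, mapping update or
security-vendor domains to a loopback or attacker-chosen address so the
machine cannot reach them.  This script separates the two cases.
"""
import ipaddress
from typing import Dict, List, Tuple

# Addresses that turn a HOSTS entry into a block: the MVPS file uses
# 127.0.0.1, newer block lists prefer 0.0.0.0 (no local connect attempt).
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that normally belong in a HOSTS file and are not worth reporting.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains the machine must be able to reach.  Constructed example list
# (assumption); extend it with the vendors actually installed.
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com", "avast.com", "kaspersky.com",
)

# Constructed sample HOSTS file: two block-list entries, one internal
# mapping of the kind a company-provided HOSTS file contains, and three
# entries that cut the machine off from update and AV sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [Start of entries generated by a block list]
127.0.0.1  ads.example-adserver.net    # [Example Ads]
0.0.0.0    tracker.example-tracker.org
10.0.0.5   intranet.corp.example
127.0.0.1  www.avast.com
198.51.100.7  update.microsoft.com  www.kaspersky.com
"""

Entry = Tuple[str, str, int]  # (address, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (address, host, line_no) tuple per mapping.

    '#' starts a comment, blank lines are skipped, and one line may map
    several hostnames to the same address.  Lines whose first token is
    not an IP address are ignored rather than trusted.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *hosts = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for host in hosts:
            entries.append((address, host.lower(), line_no))
    return entries


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify entries as 'blocked', 'redirected' or 'suspicious'.

    suspicious: a protected domain mapped anywhere (blackhole or not);
    blocked:    any other name mapped to a blackhole address;
    redirected: any other name mapped to a real address (legitimate for a
                company HOSTS file, but each one deserves a look).
    """
    result: Dict[str, List[Entry]] = {"blocked": [], "redirected": [], "suspicious": []}
    for entry in parse_hosts(text):
        address, host, _ = entry
        if host in LOCAL_NAMES:
            continue
        if host.endswith(PROTECTED_SUFFIXES):
            result["suspicious"].append(entry)
        elif address in BLACKHOLE_ADDRESSES:
            result["blocked"].append(entry)
        else:
            result["redirected"].append(entry)
    return result


if __name__ == "__main__":
    # On a real XP machine read C:\WINDOWS\system32\drivers\etc\hosts instead.
    report = audit_hosts(SAMPLE_HOSTS)
    for category, entries in report.items():
        print(f"{category}: {len(entries)}")
        for address, host, line_no in entries:
            print(f"  line {line_no:>3}: {host} -> {address}")
```

A protected domain is reported whether it points at 127.0.0.1 or at a remote address, because both forms stop the machine reaching the real site; ordinary block entries and company-internal mappings are listed separately so a large MVPS-style file does not bury the few lines that matter.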
Old 04-29-2009, 05:43 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2006
Location: NJ
Posts: 14
OS: Windows XP Media SP3


Re: Registry Defender Issues

Wow, ok. A lot going on there. Appreciate all your help! Just a few more questions, please:

* Using Windows Firewall at the moment. Is this not sufficient in and of itself? Or should I consider adding one of those you recommended as a second? Or do I disable Windows Firewall and just run one of the recommendations?

* I've had Automatic Updates on. I wonder if any of that malware disabled it. But I just double-checked now, and it's On.

* There is still a Combofix directory in C: .. can I safely delete it now?

Again, thanks for all your help and advice!
Temilfist is offline  
Old 04-30-2009, 05:37 AM   #8 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Registry Defender Issues

Quote:
* Using Windows Firewall at the moment. Is this not sufficient in and of itself? Or should I consider adding one of those you recommended as a second? Or do I disable Windows Firewall and just run one of the recommendations?
Windows Firewall only offers inbound protection; the programs that I have recommended offer two-way protection...inbound and outbound. So if a malicious file wishes to communicate with its server, then Windows Firewall will not stop it from doing so, whereas a two-way firewall may.

Quote:
* I've had Automatic Updates on. I wonder if any of that malware disabled it. But I just double-checked now, and it's On.
Windows automatic updates were indeed turned off by the malware infection; I switched it back on for you.

One other thing: why would you want to hide all your icons? I can see the point of hiding inactive icons, but not all. I can see no benefit to doing this, and how would you know if, say, Avast was disabled if all your icons were hidden?

Quote:
* There is still a Combofix directory in C: .. can I safely delete it now?
If you have used the Combofix uninstall command and that folder is still present, yes you can delete it.
TheBruce1 is offline  
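The reply above explains what the Windows XP firewall does and does not control, and the ComboFix log earlier in the thread dumps that firewall's exception lists as registry-style text under sharedaccess\parameters\firewallpolicy. The Python script below is an added example, not from this thread or from ComboFix: it parses a dump in that format into authorized applications and globally open ports, then flags the exceptions a reviewer would look at first. The sample dump, the "updater.exe" path, the Remote Desktop entry and the review rules are constructed for the example.

```python
"""Parse the firewall-policy section of a ComboFix log.

Added example, not from the forum thread or from ComboFix itself.  The
log dumps the Windows XP firewall exception lists as registry-style text:
one [section] per list, one quoted path or port spec per line.  Parsing
that text makes it easy to review what has been allowed through a
firewall that only filters inbound traffic.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class OpenPort(NamedTuple):
    port: int
    proto: str
    name: str


# Constructed sample in the log's format.  The Temp-directory entry and
# the Remote Desktop port are added here to exercise the review rules.
SAMPLE_DUMP = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50123:UDP"= 50123:UDP:Vuze
"50123:TCP"= 50123:TCP:Vuze
"3389:TCP"= 3389:TCP:Remote Desktop
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
APP_RE = re.compile(r'^"(.+)"=\s*$')
PORT_RE = re.compile(r'^"\d+:(?:TCP|UDP)"=\s*(\d+):(TCP|UDP):(.*)$')

# Review rules (assumptions for this example): an exception for a binary
# living in a user-writable profile directory, or a port used for remote
# administration or a privileged service, is the first thing to look at.
WRITABLE_DIR_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\")
REMOTE_ADMIN_PORTS = {3389}  # Remote Desktop


def parse_firewall_policy(text: str) -> Tuple[List[str], List[OpenPort]]:
    """Return (authorized application paths, globally open ports)."""
    apps: List[str] = []
    ports: List[OpenPort] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section.endswith("authorizedapplications\\list"):
            m = APP_RE.match(line)
            if m:
                # The dump escapes backslashes registry-export style.
                apps.append(m.group(1).replace("\\\\", "\\"))
        elif section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                ports.append(OpenPort(int(m.group(1)), m.group(2), m.group(3).strip()))
    return apps, ports


def review_exceptions(apps: List[str], ports: List[OpenPort]) -> Dict[str, list]:
    """Flag exceptions worth a closer look under the rules above."""
    flagged_apps = [p for p in apps if any(mk in p.lower() for mk in WRITABLE_DIR_MARKERS)]
    flagged_ports = [p for p in ports if p.port < 1024 or p.port in REMOTE_ADMIN_PORTS]
    return {"apps": flagged_apps, "ports": flagged_ports}


if __name__ == "__main__":
    apps, ports = parse_firewall_policy(SAMPLE_DUMP)
    print(f"{len(apps)} authorized applications, {len(ports)} globally open ports")
    flagged = review_exceptions(apps, ports)
    for path in flagged["apps"]:
        print("review application exception:", path)
    for p in flagged["ports"]:
        print(f"review open port: {p.port}/{p.proto} ({p.name})")
```

Because the XP firewall only filters inbound connections, an entry in these lists is a hole punched for incoming traffic; the review rules single out holes opened for binaries in directories any user can write to and for ports that expose administration or privileged services, since those are the ones an infection or a careless install tends to add.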
Old 04-30-2009, 06:56 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2006
Location: NJ
Posts: 14
OS: Windows XP Media SP3


Re: Registry Defender Issues

Ok, I didn't mean to imply I wanted all icons hidden. In fact, Avast was one of the ones I wanted to 'always show', yet it (and a few others) keep hiding or disappearing altogether (dropping into the past items list). But, as you mentioned, this is probably best handled in the XP forum. I'm sure you've got your hands full here. Again, THANKS, TheBruce1! Appreciate all your help = )
Temilfist is offline  
Old 04-30-2009, 07:26 AM   #10 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Registry Defender Issues

You're welcome
TheBruce1 is offline  
Copyright 2001 - 2009, Tech Support Forum