Overwhelmed by Infection

Hi again, I made a topic earlier for a friend because his computer has an infection and he cannot fix it. I was unable to post over the holidays.

The original topic was http://www.malwarebytes.org/forums/index.p...amp;#entry40841

My friend tells me he followed the most recent steps that were given, and says both C:\WINDOWS\system32\rumilula.dll and C:\WINDOWS\system32\jebifoye.dll were not found and were deleted in the first step. And these were his results:

Malwarebytes' Anti-Malware 1.31

Database version: 1544

Windows 5.1.2600 Service Pack 2

2008-12-25 15:23:19

mbam-log-2008-12-25 (15-23-19).txt

Scan type: Quick Scan

Objects scanned: 76148

Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\zejitune.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OTListIt logfile created on: 2008-12-25 15:26:41 - Run 2

OTListIt2 by OldTimer - Version 1.0.1.0 Folder = C:\Documents and Settings\Kevin Wu\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000804 | Country: People's Republic of China | Language: CHS | Date Format: yyyy-M-d

1013.10 Mb Total Physical Memory | 486.76 Mb Available Physical Memory | 48.05% Memory free

2.38 Gb Paging File | 1.86 Gb Available in Paging File | 78.11% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.47 Gb Total Space | 171.14 Gb Free Space | 74.58% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: WUDELL530JUNE08

Current User Name: Kevin Wu

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Output = Standard

File Age = 30 Days

Company Name Whitelist: On

========== Processes (SafeList) ==========

[2008-01-08 19:43:58 | 00,149,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

[2008-09-10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

[2007-07-16 19:45:24 | 00,142,104 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe

[2007-07-16 19:45:12 | 00,162,584 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe

[2007-07-16 19:45:14 | 00,138,008 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe

[2007-07-16 19:48:52 | 16,132,608 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE

[2007-09-17 11:56:08 | 00,124,200 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[2007-07-16 19:45:24 | 00,252,696 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe

[2008-05-07 13:07:31 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[2004-10-20 08:40:04 | 00,034,904 | R--- | M] (America Online) -- C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[2008-01-08 19:43:58 | 00,149,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

[2004-10-18 17:42:18 | 00,079,448 | ---- | M] () -- C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe

[2008-08-13 23:04:42 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[2008-06-10 03:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[2008-09-06 14:09:14 | 00,413,696 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe

[2008-03-25 15:21:28 | 00,050,528 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe

[2003-10-29 02:06:00 | 00,024,576 | R--- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe

[2008-05-07 13:07:31 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[2007-05-25 12:16:08 | 00,042,032 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aolsoftware.exe

[2008-07-21 19:42:28 | 03,050,832 | ---- | M] (Xfire Inc.) -- C:\Program Files\Xfire\xfire.exe

[2004-10-20 08:40:04 | 00,010,328 | R--- | M] (America Online) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

[2004-10-15 15:54:14 | 00,100,016 | ---- | M] (America Online, Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

[2008-08-29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe

[2004-10-15 15:54:12 | 00,046,768 | ---- | M] (America Online Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

[2008-08-29 19:22:06 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe

[2008-11-26 19:13:19 | 00,202,352 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrB.exe

[2008-08-13 23:04:44 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe

[2004-09-15 05:27:54 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe

[2007-01-04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe

[2004-08-04 05:00:00 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe

[2004-11-03 16:03:00 | 00,125,528 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\1210184228\EE\AOLHostManager.exe

[2004-11-03 16:03:00 | 00,110,680 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\1210184228\EE\AOLServiceHost.exe

[2004-08-04 05:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe

[2008-06-10 03:27:03 | 00,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

[2008-05-07 13:12:12 | 01,245,064 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[2008-12-25 15:25:08 | 00,419,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin Wu\Desktop\OTListIt2.exe

========== (O23) Win32 Services (SafeList) ==========

[2008-09-10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])

[2004-10-20 08:40:04 | 00,010,328 | R--- | M] (America Online) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS [Auto | Running])

[2004-10-15 15:54:14 | 00,100,016 | ---- | M] (America Online, Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -- (AOL TopSpeedMonitor [Auto | Running])

[2005-09-23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

[2008-01-08 19:45:28 | 00,243,064 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Disabled | Stopped])

[2008-08-29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])

[2008-01-08 19:43:58 | 00,149,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [On_Demand | Running])

[2008-01-08 19:43:58 | 00,149,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])

[2005-09-23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

[2008-01-08 19:43:58 | 00,149,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService [Auto | Running])

[2008-01-08 19:41:52 | 00,055,640 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost [On_Demand | Stopped])

[2008-12-21 18:43:29 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])

[2006-10-20 21:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])

[2008-05-07 13:07:31 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-010708-104812 [On_Demand | Stopped])

[2008-05-07 13:13:48 | 00,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist [On_Demand | Stopped])

[2006-10-30 03:33:58 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [unknown | Stopped])

[2008-01-08 19:45:36 | 03,192,184 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate [On_Demand | Stopped])

[2008-01-08 19:43:58 | 00,149,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (LiveUpdate Notice [Auto | Running])

[2006-10-30 03:34:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])

[2008-08-29 19:22:06 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])

[2008-11-26 19:13:19 | 00,202,352 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrB.exe -- (PnkBstrB [Auto | Running])

[2008-08-13 23:04:44 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter [Auto | Running])

[2007-12-02 18:34:30 | 00,074,384 | R--- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [On_Demand | Stopped])

[2008-05-07 13:12:12 | 01,245,064 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC [On_Demand | Running])

[2004-09-15 05:27:54 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])

[2007-01-04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])

========== Driver Services (SafeList) ==========

[2001-08-17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde [Disabled | Stopped])

[2004-08-03 23:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\AMDAGP.SYS -- (amdagp [Disabled | Stopped])

[2001-08-17 13:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc.sys -- (asc [Disabled | Stopped])

[2001-08-17 13:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc3550.sys -- (asc3550 [Disabled | Stopped])

[2008-05-07 13:17:48 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM [Auto | Running])

[2001-08-17 13:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde [Disabled | Stopped])

[2008-01-08 19:38:04 | 00,036,056 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\CO_Mon.sys -- (CO_Mon [Auto | Running])

[2001-08-17 13:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])

[2001-08-17 12:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Stopped])

[2007-07-19 22:10:10 | 00,254,872 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express [On_Demand | Running])

[2008-09-17 09:57:04 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [system | Running])

[2008-09-17 09:57:04 | 00,099,376 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])

[2004-08-04 05:00:00 | 00,012,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga [system | Running])

[2004-08-12 17:45:54 | 00,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus [On_Demand | Running])

[2003-11-17 14:59:20 | 00,212,224 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])

[2003-11-17 14:56:26 | 01,042,432 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP [On_Demand | Running])

[2007-07-16 19:45:26 | 05,760,096 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm [On_Demand | Running])

[2007-07-19 18:26:24 | 00,304,920 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iastor.sys -- (iaStor [boot | Running])

[2007-07-16 19:48:54 | 04,403,712 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])

[2004-08-03 22:58:36 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [system | Running])

[2003-04-09 11:48:08 | 00,011,043 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])

[2001-08-17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])

[2001-08-17 13:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x [Disabled | Stopped])

[2004-11-13 08:41:08 | 00,029,696 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\Local Settings\Temp\musbehco.sys -- (musbehco [On_Demand | Stopped])

[2008-03-20 01:00:00 | 00,082,256 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080320.009\NAVENG.SYS -- (NAVENG [On_Demand | Running])

[2008-03-20 01:00:00 | 00,895,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080320.009\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])

[2004-08-03 22:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Stopped])

[2008-11-26 19:13:28 | 00,138,624 | ---- | M] () -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK [On_Demand | Stopped])

[2004-08-04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])

[2007-11-14 03:00:00 | 00,043,840 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [boot | Running])

[2001-08-17 13:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080 [Disabled | Stopped])

[2001-08-17 13:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160 [Disabled | Stopped])

[2001-08-17 13:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280 [Disabled | Stopped])

[2007-11-13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])

[2004-08-03 23:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\SISAGP.SYS -- (sisagp [Disabled | Stopped])

[2001-08-17 14:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\sparrow.sys -- (Sparrow [Disabled | Stopped])

[2008-01-08 19:46:12 | 00,446,512 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])

[2008-11-28 14:06:50 | 00,717,296 | ---- | M] () -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd [boot | Running])

[2008-01-08 19:46:24 | 00,278,576 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP [On_Demand | Running])

[2008-01-08 19:46:24 | 00,317,616 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL [On_Demand | Stopped])

[2008-01-08 19:46:26 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX [system | Running])

[2001-08-17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810 [Disabled | Stopped])

[2001-08-17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx [Disabled | Stopped])

[2008-05-07 13:12:52 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])

[2008-01-08 19:39:06 | 00,158,072 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SymcData\ipsdefs\20070823.002\SymIDSCo.sys -- (SYMIDSCO [On_Demand | Stopped])

[2008-01-08 19:46:44 | 00,031,280 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM [On_Demand | Stopped])

[2008-01-08 19:46:44 | 00,031,280 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP [On_Demand | Running])

[2008-01-08 19:46:48 | 00,022,320 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Running])

[2008-01-08 19:46:48 | 00,188,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI [system | Running])

[2001-08-17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi [Disabled | Stopped])

[2001-08-17 14:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3 [Disabled | Stopped])

[2001-08-17 13:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra [Disabled | Stopped])

[2003-01-10 15:13:04 | 00,033,588 | R--- | M] (America Online, Inc.) -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw [On_Demand | Running])

[2003-11-17 14:58:02 | 00,680,704 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080507

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk/en/...html?channel=us

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080507

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080507

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/...html?channel=us

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

URLSearchHook: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - Reg Error: Key does not exist or could not be opened. File not found

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080507

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080507

HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080507

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080507

HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-21-2813340832-212465457-4230175775-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080507

HKU\S-1-5-21-2813340832-212465457-4230175775-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKU\S-1-5-21-2813340832-212465457-4230175775-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/...html?channel=us

HKU\S-1-5-21-2813340832-212465457-4230175775-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

URLSearchHook: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - Reg Error: Key does not exist or could not be opened. File not found

HKU\S-1-5-21-2813340832-212465457-4230175775-1008\S-1-5-21-2813340832-212465457-4230175775-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-21-2813340832-212465457-4230175775-1008\S-1-5-21-2813340832-212465457-4230175775-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()

O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (Symantec Corporation)

O3 - HKLM\..\Toolbar: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()

O3 - HKCU\..\Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKU\S-1-5-21-2813340832-212465457-4230175775-1008\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-2813340832-212465457-4230175775-1008\..\Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()

O3 - HKU\S-1-5-21-2813340832-212465457-4230175775-1008\..\Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O3 - HKU\S-1-5-21-2813340832-212465457-4230175775-1008\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" ()

O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (America Online)

O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)

O4 - HKLM..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (SupportSoft, Inc.)

O4 - HKLM..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" ( )

O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup (Google)

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)

O4 - HKLM..\Run: [isCfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT (Symantec Corporation)

O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC ()

O4 - HKLM..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" (Symantec Corporation)

O4 - HKLM..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" (CyberLink Corp.)

O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)

O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)

O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)

O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)

O4 - HKCU..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" (Adobe Systems Incorporated)

O4 - HKCU..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)

O4 - HKU\S-1-5-21-2813340832-212465457-4230175775-1008..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" (Adobe Systems Incorporated)

O4 - HKU\S-1-5-21-2813340832-212465457-4230175775-1008..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\Kevin Wu\Start Menu\Programs\Startup\Registration Chessmaster 10th Edition.LNK = C:\Program Files\Ubisoft\Chessmaster 10th Edition\Register\RegistrationReminder.exe File not found

O4 - Startup: C:\Documents and Settings\Kevin Wu\Start Menu\Programs\Startup\Xfire.lnk = C:\Program Files\Xfire\xfire.exe (Xfire Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2813340832-212465457-4230175775-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)

O9 - Extra Button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx (SpinTop DRM Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab (MaxisSimCity4LotTeleX Control)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file://C:\Program Files\SCRABBLE\Images\armhelper.ocx (ArmHelper Control)

O18 - Protocol\Handler: - ipp - No CLSID value found

O18 - Protocol\Handler: - ipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp - No CLSID value found

O18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp\oledb - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - ms-itss - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

O18 - Protocol\Handler: - mso-offdap - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O20 - See sections below for AppInitDlls and Winlogon settings

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]

GoToAssist: "DllName" = C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll -- C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)

igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []

[2004-08-11 17:15:00 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f4bfbef-4058-11dd-b832-001d0996e3d9}\Shell]

"" = AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f4bfbef-4058-11dd-b832-001d0996e3d9}\Shell\AutoRun]

"" = Auto&Play

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f4bfbef-4058-11dd-b832-001d0996e3d9}\Shell\AutoRun\command]

"" = I:\LaunchU3.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[7 C:\WINDOWS\System32\*.tmp files]

[2008-12-25 15:25:07 | 00,419,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kevin Wu\Desktop\OTListIt2.exe

[2008-12-23 19:36:19 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\7304cd.dll

[2008-12-23 19:36:19 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\1ef59d30.dll

[2008-12-22 15:49:50 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Kevin Wu\My Documents\~$e Sagittarius Dwarf Elliptical Galaxy is the third closest neighboring galaxy to the Milky Way Galaxy.doc

[2008-12-22 14:19:07 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\6774970.dll

[2008-12-22 14:19:07 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\1d325fa6.dll

[2008-12-22 12:27:31 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\2d663f8.dll

[2008-12-22 12:27:31 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\24cddc5e.dll

[2008-12-22 12:21:01 | 00,029,696 | ---- | C] () -- C:\Documents and Settings\Kevin Wu\My Documents\The Sagittarius Dwarf Elliptical Galaxy is the third closest neighboring galaxy to the Milky Way Galaxy.doc

[2008-12-21 19:07:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet

[2008-12-21 18:43:29 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared

[2008-12-21 18:37:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Wu\Desktop\Adobe CS3

[2008-12-21 14:43:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Wu\Desktop\Adobe Photoshop

[2008-12-21 13:04:03 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\a873782.dll

[2008-12-21 13:04:03 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\22f87d98.dll

[2008-12-19 21:44:49 | 01,661,209 | -HS- | C] () -- C:\WINDOWS\System32\phebddfg.ini

[2008-12-19 21:38:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Wu\Application Data\Twain

[2008-12-19 21:27:17 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Kevin Wu\Desktop\HijackThis.lnk

[2008-12-19 21:27:16 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2008-12-19 21:26:33 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Kevin Wu\Desktop\HJTInstall.exe

[2008-12-19 21:00:44 | 01,241,430 | ---- | C] () -- C:\Documents and Settings\Kevin Wu\Desktop\ccf.bmp

[2008-12-19 19:15:51 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\5a3a2e3.dll

[2008-12-19 19:15:51 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\125c5519.dll

[2008-12-19 19:15:50 | 01,689,088 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\5272124.dll

[2008-12-19 19:15:49 | 01,689,088 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\4549a68.dll

[2008-12-19 19:13:21 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\340a640.dll

[2008-12-19 19:13:20 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\79ec4ef.dll

[2008-12-19 19:13:18 | 01,689,088 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\12ab6fc3.dll

[2008-12-19 19:13:15 | 01,689,088 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\2086612e.dll

[2008-12-19 02:03:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Wu\Desktop\Word

[2008-12-19 01:12:10 | 00,038,912 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2008-12-19 00:08:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Wu\Application Data\Apple Computer

[2008-12-19 00:08:18 | 00,001,592 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk

[2008-12-19 00:08:01 | 00,000,000 | ---D | C] -- C:\Program Files\Safari

[2008-12-17 20:41:59 | 01,689,088 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\2a5dd9b7.dll

[2008-12-17 20:41:59 | 01,689,088 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\290161e3.dll

[2008-12-17 20:41:59 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\8f112b.dll

[2008-12-17 20:41:59 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\1e7eb35f.dll

[2008-12-15 20:49:25 | 00,000,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Watch.lnk

[2008-12-15 20:49:25 | 00,000,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk

[2008-12-15 20:49:16 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft

[2008-12-15 20:49:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft

[2008-12-15 20:48:14 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard

[2008-12-15 20:36:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Wu\Application Data\Malwarebytes

[2008-12-15 20:36:00 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2008-12-15 20:36:00 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2008-12-15 20:35:58 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2008-12-15 20:35:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2008-12-15 20:35:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2008-12-15 20:14:57 | 00,000,300 | ---- | C] () -- C:\WINDOWS\tasks\mxerfmdi.job

[2008-12-15 20:14:53 | 00,070,144 | ---- | C] () -- C:\WINDOWS\System32\wvUkLBUK.dll

[2008-12-15 19:28:05 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight

[2008-12-11 19:38:03 | 00,000,000 | ---D | C] -- C:\Program Files\Ant Stratego

[2008-12-11 17:14:34 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\Kevin Wu\My Documents\My name is Kevin Jiahou Wu and I am 12 years old.doc

[2008-12-09 20:31:53 | 02,359,350 | ---- | C] () -- C:\Documents and Settings\Kevin Wu\Desktop\Custom.bmp

[2008-12-08 22:55:37 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2008-12-06 18:38:38 | 00,091,648 | ---- | C] () -- C:\Documents and Settings\Kevin Wu\My Documents\mizemily11.doc

[2008-12-06 17:28:17 | 00,009,728 | ---- | C] () -- C:\Documents and Settings\Kevin Wu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008-12-03 23:16:06 | 00,763,392 | ---- | C] () -- C:\Documents and Settings\Kevin Wu\My Documents\Doc4.doc

[2008-11-29 14:07:09 | 00,208,896 | ---- | C] (ToMMTi-Systems (http://www.tommti-systems.com)) -- C:\Documents and Settings\Kevin Wu\Desktop\3DAnalyze.exe

[2008-11-29 14:07:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Wu\Desktop\images

[2008-11-29 13:52:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Wu\Local Settings\Application Data\Fallout3

[2008-11-29 13:44:22 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild

[2008-11-29 13:41:47 | 00,001,841 | ---- | C] () -- C:\Documents and Settings\Kevin Wu\Desktop\Fallout 3.lnk

[2008-11-29 13:41:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Fallout3

[2008-11-29 13:41:40 | 00,000,000 | ---D | C] -- C:\Program Files\Bethesda Softworks

[2008-11-29 13:40:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer

[2008-11-29 13:39:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us

[2008-11-29 13:39:16 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies

[2008-11-29 13:38:45 | 00,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll

[2008-11-29 13:37:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\xlive

[2008-11-28 14:13:42 | 00,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Toolbar

[2008-11-28 14:06:50 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys

[2008-11-28 14:06:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Wu\Application Data\DAEMON Tools

[2008-11-28 13:42:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Wu\Desktop\Fallout3

[2008-11-28 12:29:41 | 00,313,344 | ---- | C] () -- C:\Documents and Settings\Kevin Wu\Desktop\hjsplit.exe

========== Files - Modified Within 30 Days ==========

[7 C:\WINDOWS\System32\*.tmp files]

[1 C:\WINDOWS\*.tmp files]

[9 C:\Documents and Settings\Kevin Wu\My Documents\*.tmp files]

[2008-12-25 15:25:08 | 00,419,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin Wu\Desktop\OTListIt2.exe

[2008-12-25 15:06:09 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\Desktop\Microsoft Word.lnk

[2008-12-25 15:00:00 | 00,000,300 | ---- | M] () -- C:\WINDOWS\tasks\mxerfmdi.job

[2008-12-24 21:02:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2008-12-24 18:00:00 | 00,000,414 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Kevin Wu.job

[2008-12-24 13:15:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2008-12-24 13:15:11 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2008-12-24 13:15:09 | 10,623,87712 | -HS- | M] () -- C:\hiberfil.sys

[2008-12-24 13:01:07 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\bapomeho

[2008-12-22 15:49:50 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Kevin Wu\My Documents\~$e Sagittarius Dwarf Elliptical Galaxy is the third closest neighboring galaxy to the Milky Way Galaxy.doc

[2008-12-22 12:22:46 | 01,497,432 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2008-12-22 12:21:04 | 00,029,696 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\My Documents\The Sagittarius Dwarf Elliptical Galaxy is the third closest neighboring galaxy to the Milky Way Galaxy.doc

[2008-12-22 11:18:05 | 00,009,728 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008-12-19 21:44:53 | 01,661,209 | -HS- | M] () -- C:\WINDOWS\System32\phebddfg.ini

[2008-12-19 21:27:17 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\Desktop\HijackThis.lnk

[2008-12-19 21:26:47 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Kevin Wu\Desktop\HJTInstall.exe

[2008-12-19 01:12:10 | 00,038,912 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat

[2008-12-19 00:08:18 | 00,001,592 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk

[2008-12-18 08:31:36 | 01,241,430 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\Desktop\ccf.bmp

[2008-12-17 23:05:35 | 00,093,831 | -HS- | M] () -- C:\WINDOWS\System32\vojijaje.dll

[2008-12-15 20:49:25 | 00,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Watch.lnk

[2008-12-15 20:49:25 | 00,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk

[2008-12-15 20:36:00 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2008-12-15 20:29:05 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Security Scan.lnk

[2008-12-15 20:14:54 | 00,070,144 | ---- | M] () -- C:\WINDOWS\System32\wvUkLBUK.dll

[2008-12-12 03:03:35 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2008-12-11 17:19:34 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\My Documents\My name is Kevin Jiahou Wu and I am 12 years old.doc

[2008-12-08 22:55:37 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2008-12-08 07:58:38 | 02,359,350 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\Desktop\Custom.bmp

[2008-12-06 18:38:38 | 00,091,648 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\My Documents\mizemily11.doc

[2008-12-03 23:16:07 | 00,763,392 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\My Documents\Doc4.doc

[2008-12-03 19:52:38 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2008-12-03 19:52:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2008-11-29 19:56:33 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2008-11-29 13:45:31 | 00,437,838 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2008-11-29 13:45:30 | 00,515,720 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2008-11-29 13:45:30 | 00,070,932 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2008-11-29 13:41:47 | 00,001,841 | ---- | M] () -- C:\Documents and Settings\Kevin Wu\Desktop\Fallout 3.lnk

[2008-11-28 14:06:50 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\drivers\sptd.sys

[2008-11-26 19:13:28 | 00,138,624 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys

[2008-11-26 19:13:19 | 00,202,352 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable

< End of report >

Thank you in advance.
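The OTListIt and HijackThis logs in this post are read by hand by the helpers; as an added example (not the forum's, OldTimer's or Malwarebytes' code), the Python script below parses OTListIt2 file entries and flags the patterns visible in the log above: hidden files created directly in System32, random hex-style or eight-letter consonant-vowel names like the Vundo DLLs quarantined in this thread, "Microsoft Corporation" version info on such a name, and one file size re-used under several names. The sample lines are copied from the log above; the rule thresholds and function names are assumptions of mine, not OTListIt behaviour.

```python
import ntpath
import re
from collections import defaultdict

# Added triage helper for OTListIt2 "Files/Folders - Created/Modified Within 30 Days"
# lines (assumed format, derived from the log above; not OldTimer's own parser).
# Sample input copied from the log in this thread, plus one directory entry for contrast.
SAMPLE_LINES = [
    r"[2008-12-23 19:36:19 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\7304cd.dll",
    r"[2008-12-23 19:36:19 | 00,082,944 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\1ef59d30.dll",
    r"[2008-12-19 19:15:50 | 01,689,088 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\5272124.dll",
    r"[2008-12-19 21:44:49 | 01,661,209 | -HS- | C] () -- C:\WINDOWS\System32\phebddfg.ini",
    r"[2008-12-15 20:14:53 | 00,070,144 | ---- | C] () -- C:\WINDOWS\System32\wvUkLBUK.dll",
    r"[2008-11-29 13:38:45 | 00,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll",
    r"[2008-12-15 20:36:00 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys",
    r"[2008-12-17 23:05:35 | 00,093,831 | -HS- | M] () -- C:\WINDOWS\System32\vojijaje.dll",
    r"[2008-12-24 13:01:07 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\bapomeho",
    r"[2008-12-21 19:07:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet",
]

# [timestamp | size | attributes | C/M] (company) -- path [-- [ NTFS ]]
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>.*?)\) )?-- "
    r"(?P<path>.+?)(?: -- \[ NTFS \])?$"
)
SYSTEM32_FILE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.IGNORECASE)  # directly in System32
HEX_STEM = re.compile(r"^[0-9a-f]{5,8}$")                       # e.g. 7304cd, 1ef59d30 (assumed threshold)
CVCV_STEM = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")  # e.g. vojijaje, zejitune, refajako


def parse_line(line):
    """Return a dict for one OTListIt file entry, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["size"] = int(e["size"].replace(",", ""))
    e["company"] = e["company"] or ""
    e["hidden"] = "H" in e["attrs"]
    e["is_dir"] = "D" in e["attrs"]
    e["name"] = ntpath.basename(e["path"])
    e["stem"], e["ext"] = ntpath.splitext(e["name"])
    return e


def suspicion(e):
    """Reasons an entry deserves a second look; an empty list means no rule matched."""
    reasons = []
    if e["is_dir"] or not SYSTEM32_FILE.match(e["path"]):
        return reasons
    stem, ext = e["stem"].lower(), e["ext"].lower()
    if e["hidden"]:
        reasons.append("hidden attribute on a file dropped directly in System32")
    random_name = False
    if ext == ".dll" and HEX_STEM.match(stem):
        reasons.append("random hex-style DLL name")
        random_name = True
    if CVCV_STEM.match(stem):
        reasons.append("eight-letter consonant-vowel name like the Vundo DLLs in this thread")
        random_name = True
    if random_name and "microsoft" in e["company"].lower():
        reasons.append("random name but claims Microsoft Corporation version info")
    return reasons


def triage(lines):
    """Flagged entries as (name, size, reasons), in log order."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = suspicion(e)
        if reasons:
            out.append((e["name"], e["size"], reasons))
    return out


def size_clusters(lines, min_names=2):
    """File sizes shared by several differently named files in System32 (one dropper, many names)."""
    by_size = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e and not e["is_dir"] and SYSTEM32_FILE.match(e["path"]):
            by_size[e["size"]].add(e["name"])
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_names}


if __name__ == "__main__":
    for name, size, reasons in triage(SAMPLE_LINES):
        print(f"{name:14} {size:>9}  {'; '.join(reasons)}")
    for size, names in size_clusters(SAMPLE_LINES).items():
        print(f"size {size} shared by: {', '.join(names)}")
```

The rules are deliberately narrow: wvUkLBUK.dll and the scheduled task mxerfmdi.job from the same log are not caught by any of them, which is why a log reader still verifies each System32 entry against its version information and creation time rather than trusting a name filter.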


  • Root Admin

Okay, well you need to be on the computer this is happening on and update MBAM, that version is a bit old now.

Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and run a new HJT Scan and Save log.

Post back NEW MBAM and HJT logs please.


Malwarebytes Scan

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\vojijaje.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

~~~~~~~~~~~~~~~~~~~~~~~~

HijackThis Scan

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:22:41, on 2009-1-7

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Xfire\xfire.exe

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLHOS~1.EXE

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLServiceHost.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [isCfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKUS\S-1-5-20\..\Run: [gagefizeji] Rundll32.exe "C:\WINDOWS\system32\refajako.dll",s (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Registration Chessmaster 10th Edition.LNK = C:\Program Files\Ubisoft\Chessmaster 10th Edition\Register\RegistrationReminder.exe

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx

O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx

O20 - AppInit_DLLs: c:\windows\ C:\WINDOWS\system32\molepivu.dll

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Bonjour ?? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 10010 bytes


  • Root Admin

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member Cutolo only. If you are a lurker, do NOT try this on your system!

If you are not Cutolo and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!


Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

STEP01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP02

  • Download and install CCleaner

  • Double-click on the downloaded file "ccsetup215.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close ALL PROGRAMS

  • Start the CCleaner program.

  • Click on Registry and uncheck Registry Integrity so that it does not run

  • Click on Options - Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours"

  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files

  • Click on the Run Cleaner button on the bottom right side of the program.

  • Click OK to any prompts

STEP03

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

This should apply to AVG8:

To disable the Resident Shield, please:

  • open AVG User Interface
  • double-click on the Resident Shield
  • un-tick the option Resident Shield active
  • save the changes.

STEP04

Please download and run the following file to repair file and registry permissions

STEP05

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.

  • Double click on FixPolicies.exe to run it.

  • Click on Install. It will create a folder named FixPolicies on your desktop.

  • Open the FixPolicies folder.

  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

  • Reboot your computer after it runs

  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

  • Note: some malware will block the running of this tool. So if you cannot run Fixpolicies, then, RENAME the EXE file to something like Mytool.exe and then run it.

STEP06

Download this INF repair file by MS-MVP Miekiemoes:
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Unzip the download. Open the folder VArestorepolicies, right-click the file inside, VArestorepolicies.INF, and choose Install.

STEP07

Run this file after to remove an invalid startup entry. Double click and say Yes to import the settings.

STEP08


If you have a prior copy of Combofix, delete it now !

Download ComboFix from one of these locations, saving to DESKTOP:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • If and only if you are prompted to download a new version of Combofix, reply NO .

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(image: RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(image: whatnext.png)

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

(image: Rookit_found.gif)

then be sure to write it down fully and also copy that into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution -
Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

Please then reply with a copy of C:\Combofix.txt and a new HijackThis log, and advise: how is your system running now, and are there still any signs of an infection?

RE-Enable your AntiVirus and AntiSpyware applications.

ComboFix 09-01-07.02 - Kevin Wu 2009-01-07 22:35:02.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.1013.510 [GMT -5:00]

磅︽竚: c:\documents and settings\Kevin Wu\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\IE4 Error Log.txt

c:\windows\system32\fiwevoga.dll

c:\windows\system32\nadohipi.dll

c:\windows\system32\nazudeyu.dll

c:\windows\system32\pukoluda.dll

c:\windows\system32\wewemeve.dll

c:\windows\system32\wumagife.dll

c:\windows\system32\x64

c:\windows\Tasks\mxerfmdi.job

.

(((((((((((((((((((((((((   Files Created from 2008-12-08 to 2009-01-08   )))))))))))))))))))))))))))))))

.

2009-01-07 22:05 . 2009-01-07 22:05 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

2009-01-07 21:44 . 2009-01-07 21:44 <DIR> d-------- c:\program files\CCleaner

2009-01-07 17:28 . 2009-01-07 17:28 <DIR> d-------- c:\program files\MC2

2008-12-29 16:23 . 2008-12-29 16:23 <DIR> d-------- c:\program files\ReaSoft

2008-12-29 16:23 . 2008-12-29 16:23 <DIR> d-------- c:\documents and settings\Kevin Wu\Application Data\ReaSoft

2008-12-23 19:36 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\7304cd.dll

2008-12-23 19:36 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\1ef59d30.dll

2008-12-22 14:19 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\6774970.dll

2008-12-22 14:19 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\1d325fa6.dll

2008-12-22 12:27 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\2d663f8.dll

2008-12-22 12:27 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\24cddc5e.dll

2008-12-21 19:07 . 2008-12-21 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet

2008-12-21 18:43 . 2008-12-21 18:43 <DIR> d-------- c:\program files\Common Files\Macrovision Shared

2008-12-21 13:04 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\a873782.dll

2008-12-21 13:04 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\22f87d98.dll

2008-12-19 21:44 . 2008-12-19 21:44 1,661,209 ---hs---- c:\windows\system32\phebddfg.ini

2008-12-19 21:38 . 2008-12-19 21:52 <DIR> d-------- c:\documents and settings\Kevin Wu\Application Data\Twain

2008-12-19 21:27 . 2008-12-19 21:27 <DIR> d-------- c:\program files\Trend Micro

2008-12-19 19:15 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\5272124.dll

2008-12-19 19:15 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\4549a68.dll

2008-12-19 19:15 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\5a3a2e3.dll

2008-12-19 19:15 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\125c5519.dll

2008-12-19 19:13 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\2086612e.dll

2008-12-19 19:13 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\12ab6fc3.dll

2008-12-19 19:13 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\79ec4ef.dll

2008-12-19 19:13 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\340a640.dll

2008-12-19 01:12 . 2008-12-27 16:45 38,208 --ah----- c:\windows\system32\mlfcache.dat

2008-12-19 00:08 . 2008-12-19 00:08 <DIR> d-------- c:\program files\Safari

2008-12-19 00:08 . 2008-12-19 00:08 <DIR> d-------- c:\documents and settings\Kevin Wu\Application Data\Apple Computer

2008-12-17 20:41 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\2a5dd9b7.dll

2008-12-17 20:41 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\290161e3.dll

2008-12-17 20:41 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\8f112b.dll

2008-12-17 20:41 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\1e7eb35f.dll

2008-12-15 20:49 . 2008-12-15 20:49 <DIR> d-------- c:\program files\Lavasoft

2008-12-15 20:49 . 2009-01-07 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-15 20:36 . 2008-12-15 20:36 <DIR> d-------- c:\documents and settings\Kevin Wu\Application Data\Malwarebytes

2008-12-15 20:36 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-15 20:35 . 2009-01-07 16:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-15 20:35 . 2008-12-15 20:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-15 20:35 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-15 20:14 . 2008-12-15 20:14 70,144 --a------ c:\windows\system32\wvUkLBUK.dll

2008-12-15 19:28 . 2008-12-15 19:28 <DIR> d-------- c:\program files\Microsoft Silverlight

2008-12-11 19:38 . 2008-12-11 19:48 <DIR> d-------- c:\program files\Ant Stratego

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-08 03:07 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-08 03:05 --------- d-----w c:\program files\Symantec

2009-01-08 03:05 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-08 03:02 --------- d-----w c:\program files\Norton Security Scan

2009-01-07 22:28 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-07 20:29 202,352 ----a-w c:\windows\system32\PnkBstrB.exe

2009-01-07 20:29 138,624 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-01-07 20:29 --------- d-----w c:\documents and settings\Kevin Wu\Application Data\Xfire

2008-12-29 02:20 --------- d--h--w c:\documents and settings\Kevin Wu\Application Data\ijjigame

2008-12-29 02:19 --------- d-----w c:\documents and settings\All Users\Application Data\IJJIGame

2008-12-24 17:53 --------- d-----w c:\program files\DAEMON Tools Toolbar

2008-12-22 00:00 --------- d-----w c:\program files\Common Files\Adobe

2008-12-12 17:33 3,060,224 ------w c:\windows\system32\dllcache\mshtml.dll

2008-11-29 18:44 --------- d-----w c:\program files\MSBuild

2008-11-29 18:41 --------- d-----w c:\program files\Bethesda Softworks

2008-11-29 18:41 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3

2008-11-29 18:39 --------- d-----w c:\program files\Reference Assemblies

2008-11-28 19:06 717,296 ----a-w c:\windows\system32\drivers\sptd.sys

2008-11-28 19:06 --------- d-----w c:\documents and settings\Kevin Wu\Application Data\DAEMON Tools

2008-11-16 16:46 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-11-16 02:37 --------- d-----w c:\program files\SCRABBLE

2008-11-16 02:37 --------- d-----w c:\documents and settings\Kevin Wu\Application Data\SpinTop

2008-11-16 00:24 --------- d-----w c:\program files\Cheat Engine

2008-11-12 00:54 --------- d-----w c:\program files\DriftCity

2008-11-12 00:54 --------- d-----w c:\documents and settings\Kevin Wu\Application Data\NPLUTO Corporation

2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll

2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll

2008-10-15 09:45 18,432 ------w c:\windows\system32\dllcache\iedw.exe

2008-09-16 22:59 40,560 ----a-w c:\documents and settings\Kevin Wu\Application Data\GDIPFONTCACHEV1.DAT

2008-08-28 17:13 0 ----a-w c:\documents and settings\Kevin Wu\jagex_runescape_preferences.dat

2008-06-08 03:29 174 ----a-w c:\documents and settings\Shuhua Wu\Application Data\wklnhst.dat

2008-09-27 13:02 63,537 --sha-w c:\windows\system32\famuheno.dll

2008-09-27 13:02 63,537 --sha-w c:\windows\system32\mufofula.dll

2008-09-22 08:00 63,566 --sha-w c:\windows\system32\paselilu.dll

2008-09-26 12:00 63,723 --sha-w c:\windows\system32\pitibaya.dll

2008-09-29 15:06 63,599 --sha-w c:\windows\system32\pivafado.dll

2008-09-29 15:06 63,599 --sha-w c:\windows\system32\rizewilo.dll

2008-09-26 12:00 63,723 --sha-w c:\windows\system32\totoyiru.dll

2008-09-22 08:00 63,566 --sha-w c:\windows\system32\werudowi.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-07 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-16 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-07 29744]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]

"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-05-07 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-05-07 13:13 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1210184228\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=

"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\ijji\\ENGLISH\\u_gunz.exe"=

"c:\\ijji\\ENGLISH\\u_sf.exe"=

"c:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe

"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe

"c:\\Nexon\\Combat Arms\\NMService.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization IV\\Civilization4.exe"=

"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\City Interactive\\WWII Pacific Heroes\\pacific.exe"=

"c:\\Program Files\\America's Army Deploy Client\\AADeployClient.exe"=

"c:\\ijji\\ENGLISH\\u_skid.exe"=

"c:\\Program Files\\DriftCity\\DriftCity.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-06-09 24652]

S3 musbehco;musbehco;\??\c:\docume~1\KEVINW~1\LOCALS~1\Temp\musbehco.sys --> c:\docume~1\KEVINW~1\LOCALS~1\Temp\musbehco.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - Bonjour Service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4bfbef-4058-11dd-b832-001d0996e3d9}]

\Shell\AutoRun\command - I:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-07 c:\windows\Tasks\Norton Security Scan for Kevin Wu.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 03:18]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

.

------- τ苯磞 -------

.

uStart Page = hxxp://www.daemon-search.com/startpage

mStart Page = hxxp://www.dell.com

uInternet Settings,ProxyOverride = *.local

IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}

file://c:\program files\SCRABBLE\Images\stg_drm.ocx

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}

file://c:\program files\SCRABBLE\Images\armhelper.ocx

FF - ProfilePath - c:\documents and settings\Kevin Wu\Application Data\Mozilla\Firefox\Profiles\brmcdg3h.default\

FF - prefs.js: browser.search.selectedEngine - DAEMON Search

FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage

FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-07 22:35:43

Windows 5.1.2600 Service Pack 2 NTFS

苯磞砆留旅秈祘 ...

苯磞砆留旅币笆舱

苯磞砆留旅ゅン

苯磞ЧΘ

砆留旅郎: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2813340832-212465457-4230175775-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12FCEEB9-CBF7-5726-1713-3B09EBBF20F3}*NULL*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iaoamhikbofbmhlono"=hex:6b,61,6b,66,70,64,66,68,6d,6f,62,6e,6c,6e,6c,67,6d,66,\

61,6c,68,66,00,00

"hainchigpohfpdbh"=hex:6b,61,6a,66,65,64,6b,6d,68,62,6c,66,6a,66,62,69,6b,70,\

69,6d,6d,6f,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

.

ЧΘ丁: 2009-01-07 22:36:37

ComboFix-quarantined-files.txt 2009-01-08 03:36:35

Pre-Run: 182,467,878,912 bytes free

Post-Run: 182,458,228,736 bytes free

273 --- E O F --- 2009-01-02 19:59:40

~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:40:23, on 2009-1-7

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Xfire\xfire.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLHOS~1.EXE

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLServiceHost.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\WINDOWS\system32\conime.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Registration Chessmaster 10th Edition.LNK = C:\Program Files\Ubisoft\Chessmaster 10th Edition\Register\RegistrationReminder.exe

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx

O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bonjour ?? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8024 bytes

My friend says the computer seems to be running normally and that there are no signs of an infection now.

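The ComboFix log above shows the Vundo droppings by eye: hidden DLLs directly under system32 with either eight-letter consonant-vowel names (fiwevoga.dll, famuheno.dll) or short hex names (7304cd.dll, 1ef59d30.dll), many created in December 2008 yet carrying a modification time of 2004-08-04 05:00, the same date the genuine XP SP2 files on this machine carry (compare the ctfmon.exe entry under Reg Loading Points). The script below is an added example, not part of this thread and not ComboFix's own code: it parses the 'Files Created' and 'Find3M' line formats and scores each entry on those traits. The sample lines are copied from the log above; the weights, the threshold and the two name patterns are my own assumptions, and the name rules deliberately do not cover every variant (wvUkLBUK.dll in the same section scores zero), so the output is a triage aid, not a verdict.

```python
"""Score ComboFix file entries for Vundo-style droppings (added example)."""
import re
from datetime import datetime

# 'Files Created' section: "<created> . <modified> <size|<DIR>> <attrs> <path>"
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
# 'Find3M' section: "<modified> <size|dashes> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
# Eight lowercase letters alternating consonant/vowel: fiwevoga, famuheno, zejitune
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll$")
# Five to eight hex digits with at least one numeral: 7304cd, 1ef59d30, a873782
HEX_NAME = re.compile(r"^(?=[0-9a-f]*\d)[0-9a-f]{5,8}\.dll$")
SYSTEM32 = r"c:\windows\system32"
TIME_FMT = "%Y-%m-%d %H:%M"
# Assumed weights: a random-looking name is worth two points, every other trait one.
RANDOM_NAME_WEIGHT = 2


def score_entry(line):
    """Return (path, score, reasons) for one file line, or None for other lines."""
    m = CREATED_RE.match(line) or FIND3M_RE.match(line)
    if not m:
        return None
    path, attrs = m.group("path").strip(), m.group("attrs")
    if attrs.startswith("d"):          # directories are listed but not scored
        return path, 0, []
    parent, _, name = path.lower().rpartition("\\")
    reasons = []
    if parent == SYSTEM32:             # only files directly under system32
        if "h" in attrs:
            reasons.append("hidden attribute set")
        if "s" in attrs:
            reasons.append("system attribute set")
        if CV_NAME.match(name):
            reasons.append("consonant-vowel random name")
        if HEX_NAME.match(name):
            reasons.append("hex random name")
    created = m.groupdict().get("created")
    if created:                        # only the 'Files Created' format has both stamps
        made = datetime.strptime(created, TIME_FMT)
        modified = datetime.strptime(m.group("modified"), TIME_FMT)
        if (made - modified).days > 365:
            reasons.append("mtime backdated years before creation")
    score = sum(RANDOM_NAME_WEIGHT if r.endswith("random name") else 1
                for r in reasons)
    return path, score, reasons


def triage(log_lines, threshold=2):
    """Keep entries scoring at or above threshold, highest score first."""
    hits = [r for r in (score_entry(ln.strip()) for ln in log_lines)
            if r is not None and r[1] >= threshold]
    hits.sort(key=lambda h: -h[1])
    return hits


# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2009-01-07 21:44 . 2009-01-07 21:44 <DIR> d-------- c:\program files\CCleaner
2008-12-23 19:36 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\7304cd.dll
2008-12-19 21:44 . 2008-12-19 21:44 1,661,209 ---hs---- c:\windows\system32\phebddfg.ini
2008-12-19 01:12 . 2008-12-27 16:45 38,208 --ah----- c:\windows\system32\mlfcache.dat
2008-12-15 20:36 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-15 20:14 . 2008-12-15 20:14 70,144 --a------ c:\windows\system32\wvUkLBUK.dll
2009-01-08 03:05 --------- d-----w c:\program files\Symantec
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-12-12 17:33 3,060,224 ------w c:\windows\system32\dllcache\mshtml.dll
2008-09-27 13:02 63,537 --sha-w c:\windows\system32\famuheno.dll
""".strip().splitlines()

if __name__ == "__main__":
    for path, score, reasons in triage(SAMPLE_LOG):
        print(f"{score}  {path}\n      " + "; ".join(reasons))
```

On the sample, 7304cd.dll and famuheno.dll score 4 and phebddfg.ini scores 2, while the legitimate gdi32.dll, the dllcache copy of mshtml.dll and the driver under system32\drivers score 0. Feed it the whole log (one line per list element) to get the same ranking for every entry; lower the threshold to 1 if you also want the hidden-only entries such as mlfcache.dat listed.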

  • Root Admin

Good. Please run the following.

The log shows that there is at least one key that is locked that it could not get to and we need to determine why.

Is this a Korean, Japanese, or other non-English version of Windows?

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin).
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT. Do a system scan and save a logfile.

Then run this

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. As soon as it's done and the COPY button is available, click on the COPY button.
  • DO NOT click on the SCAN button.
  • This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.
  • Click OK and quit the GMER program.

Then post back NEW MBAM and HJT logs in that order, please.

Please note that I may be out of Town tonight but will try to get back with you this weekend.

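The locked key the reply above refers to is the LOCKED REGISTRY KEYS block of the ComboFix log: the key name ends in *NULL*, and its two values are printed as REGEDIT4 hex: byte lists split over continuation lines. The script below is an added example, not part of this thread and not ComboFix's own code. It parses that block, decodes the bytes, and flags why the key is "locked": ComboFix appends *NULL* to key names that contain an embedded NUL character, and because the Win32 registry API reads NUL as the end of a name, regedit and ordinary removal tools cannot open or delete such a key, while the native NtOpenKey path (counted UNICODE_STRING) can. The sample block is copied from the log above; the thread says nothing about what the values are for, and this example does not claim to know.

```python
"""Decode the hex: values ComboFix printed for a locked registry key (added example)."""
import re

# Constructed sample: the LOCKED REGISTRY KEYS block copied from the ComboFix log above.
LOCKED_KEY_DUMP = r'''
[HKEY_USERS\S-1-5-21-2813340832-212465457-4230175775-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12FCEEB9-CBF7-5726-1713-3B09EBBF20F3}*NULL*]
@Allowed: (Read) (RestrictedCode)
"iaoamhikbofbmhlono"=hex:6b,61,6b,66,70,64,66,68,6d,6f,62,6e,6c,6e,6c,67,6d,66,\
61,6c,68,66,00,00
"hainchigpohfpdbh"=hex:6b,61,6a,66,65,64,6b,6d,68,62,6c,66,6a,66,62,69,6b,70,\
69,6d,6d,6f,00,00
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
HEX_VALUE_RE = re.compile(r'^"([^"]+)"=hex:([0-9a-fA-F,]+)$')


def parse_regedit4(text):
    """Yield (key, value_name, raw_bytes) for every hex: value in REGEDIT4 text."""
    # REGEDIT4 wraps long byte lists with a trailing backslash; stitch them back.
    stitched = re.sub(r",\\\r?\n\s*", ",", text)
    key = None
    for line in stitched.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = HEX_VALUE_RE.match(line)
        if vm and key is not None:
            raw = bytes(int(b, 16) for b in vm.group(2).split(","))
            yield key, vm.group(1), raw


def decode_value(raw):
    """Printable ASCII (minus NUL padding) if the bytes are text, else hex."""
    body = raw.rstrip(b"\x00")
    if body and all(0x20 <= b < 0x7F for b in body):
        return body.decode("ascii")
    return body.hex()


def is_null_embedded(key):
    """True for key names ComboFix tagged with *NULL* (an embedded NUL in the name)."""
    return key.endswith("*NULL*")


if __name__ == "__main__":
    for key, name, raw in parse_regedit4(LOCKED_KEY_DUMP):
        tag = "NUL-embedded key" if is_null_embedded(key) else "ordinary key"
        print(f"{tag}: {key.rsplit(chr(92), 1)[-1]}")
        print(f"  {name} = {decode_value(raw)!r} ({len(raw)} bytes)")
```

Both values decode to NUL-terminated lowercase ASCII drawn from the same alphabet as the value names; they are data, not code, and the thread gives no further detail about them. On a live machine a NUL-embedded key is normally removed with Sysinternals RegDelNull, which uses the native API, after the file the key points at has been dealt with.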

Malwarebytes' Anti-Malware 1.33

Database version: 1654

Windows 5.1.2600 Service Pack 2

2009-1-14 19:01:13

mbam-log-2009-01-14 (19-01-13).txt

Scan type: Quick Scan

Objects scanned: 66271

Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:06:08, on 2009-1-14

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Xfire\xfire.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLHOS~1.EXE

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLServiceHost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Registration Chessmaster 10th Edition.LNK = C:\Program Files\Ubisoft\Chessmaster 10th Edition\Register\RegistrationReminder.exe

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx

O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bonjour ?? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8064 bytes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-14 19:10:47

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT spno.sys ZwEnumerateKey [0xF7451CA2]

SSDT spno.sys ZwEnumerateValueKey [0xF7452030]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86BBC1F8

---- EOF - GMER 1.0.14 ----


  • Root Admin

Please run the following tool. Make note DO NOT touch the keyboard or mouse at all while it's running.

It can take a while to run.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


ComboFix 09-01-16.02 - Kevin Wu 2009-01-16 19:25:19.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.1013.373 [GMT -5:00]

磅︽竚: c:\documents and settings\Kevin Wu\Desktop\Combo-Fix.exe

* Θ承硑穝临翴

.

((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))

.

2009-01-14 19:10 . 2009-01-14 19:10 250 --a------ c:\windows\gmer.ini

2009-01-07 22:51 . 2009-01-07 23:05 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-01-07 22:05 . 2009-01-07 22:05 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

2009-01-07 21:44 . 2009-01-07 21:44 <DIR> d-------- c:\program files\CCleaner

2009-01-07 17:28 . 2009-01-07 17:28 <DIR> d-------- c:\program files\MC2

2008-12-29 16:23 . 2008-12-29 16:23 <DIR> d-------- c:\program files\ReaSoft

2008-12-29 16:23 . 2008-12-29 16:23 <DIR> d-------- c:\documents and settings\Kevin Wu\Application Data\ReaSoft

2008-12-23 19:36 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\7304cd.dll

2008-12-23 19:36 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\1ef59d30.dll

2008-12-22 14:19 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\6774970.dll

2008-12-22 14:19 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\1d325fa6.dll

2008-12-22 12:27 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\2d663f8.dll

2008-12-22 12:27 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\24cddc5e.dll

2008-12-21 19:07 . 2008-12-21 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet

2008-12-21 18:43 . 2008-12-21 18:43 <DIR> d-------- c:\program files\Common Files\Macrovision Shared

2008-12-21 13:04 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\a873782.dll

2008-12-21 13:04 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\22f87d98.dll

2008-12-19 21:44 . 2008-12-19 21:44 1,661,209 ---hs---- c:\windows\system32\phebddfg.ini

2008-12-19 21:38 . 2008-12-19 21:52 <DIR> d-------- c:\documents and settings\Kevin Wu\Application Data\Twain

2008-12-19 21:27 . 2008-12-19 21:27 <DIR> d-------- c:\program files\Trend Micro

2008-12-19 19:15 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\5272124.dll

2008-12-19 19:15 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\4549a68.dll

2008-12-19 19:15 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\5a3a2e3.dll

2008-12-19 19:15 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\125c5519.dll

2008-12-19 19:13 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\2086612e.dll

2008-12-19 19:13 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\12ab6fc3.dll

2008-12-19 19:13 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\79ec4ef.dll

2008-12-19 19:13 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\340a640.dll

2008-12-19 01:12 . 2008-12-27 16:45 38,208 --ah----- c:\windows\system32\mlfcache.dat

2008-12-19 00:08 . 2008-12-19 00:08 <DIR> d-------- c:\program files\Safari

2008-12-19 00:08 . 2008-12-19 00:08 <DIR> d-------- c:\documents and settings\Kevin Wu\Application Data\Apple Computer

2008-12-17 20:41 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\2a5dd9b7.dll

2008-12-17 20:41 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\290161e3.dll

2008-12-17 20:41 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\8f112b.dll

2008-12-17 20:41 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\1e7eb35f.dll

.

(((((((((((((((((((((((((((((((((((((((( るず砆э郎 ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-16 23:01 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-16 23:00 --------- d-----w c:\program files\Norton Security Scan

2009-01-16 01:08 202,352 ----a-w c:\windows\system32\PnkBstrB.exe

2009-01-16 01:08 138,624 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-01-15 04:23 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-15 04:00 --------- d-----w c:\program files\Yahoo!

2009-01-15 03:57 --------- d-----w c:\program files\DriftCity

2009-01-15 03:57 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3

2009-01-14 23:55 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-08 03:05 --------- d-----w c:\program files\Symantec

2009-01-08 03:05 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-08 03:01 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-07 20:29 --------- d-----w c:\documents and settings\Kevin Wu\Application Data\Xfire

2008-12-29 02:20 --------- d--h--w c:\documents and settings\Kevin Wu\Application Data\ijjigame

2008-12-29 02:19 --------- d-----w c:\documents and settings\All Users\Application Data\IJJIGame

2008-12-24 17:53 --------- d-----w c:\program files\DAEMON Tools Toolbar

2008-12-22 00:00 --------- d-----w c:\program files\Common Files\Adobe

2008-12-16 01:49 --------- d-----w c:\program files\Lavasoft

2008-12-16 01:36 --------- d-----w c:\documents and settings\Kevin Wu\Application Data\Malwarebytes

2008-12-16 01:35 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-16 01:14 70,144 ----a-w c:\windows\system32\wvUkLBUK.dll

2008-12-16 00:28 --------- d-----w c:\program files\Microsoft Silverlight

2008-12-12 17:33 3,060,224 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-12 00:48 --------- d-----w c:\program files\Ant Stratego

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys

2008-11-29 18:44 --------- d-----w c:\program files\MSBuild

2008-11-29 18:41 --------- d-----w c:\program files\Bethesda Softworks

2008-11-29 18:39 --------- d-----w c:\program files\Reference Assemblies

2008-11-28 19:06 717,296 ----a-w c:\windows\system32\drivers\sptd.sys

2008-11-28 19:06 --------- d-----w c:\documents and settings\Kevin Wu\Application Data\DAEMON Tools

2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll

2008-09-16 22:59 40,560 ----a-w c:\documents and settings\Kevin Wu\Application Data\GDIPFONTCACHEV1.DAT

2008-08-28 17:13 0 ----a-w c:\documents and settings\Kevin Wu\jagex_runescape_preferences.dat

2008-06-08 03:29 174 ----a-w c:\documents and settings\Shuhua Wu\Application Data\wklnhst.dat

2008-09-27 13:02 63,537 --sha-w c:\windows\system32\famuheno.dll

2008-09-27 13:02 63,537 --sha-w c:\windows\system32\mufofula.dll

2008-09-22 08:00 63,566 --sha-w c:\windows\system32\paselilu.dll

2008-09-26 12:00 63,723 --sha-w c:\windows\system32\pitibaya.dll

2008-09-29 15:06 63,599 --sha-w c:\windows\system32\pivafado.dll

2008-09-29 15:06 63,599 --sha-w c:\windows\system32\rizewilo.dll

2008-09-26 12:00 63,723 --sha-w c:\windows\system32\totoyiru.dll

2008-09-22 08:00 63,566 --sha-w c:\windows\system32\werudowi.dll

.

((((((((((((((((((((((((((((( snapshot@2009-01-07_22.33.25.12 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-01-15 00:10:39 884,736 ----a-w c:\windows\gmer.dll

+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe

+ 2009-01-15 04:21:02 2,238 ----a-r c:\windows\Installer\{E9AE9A91-AB45-4321-87BD-AD34855D944F}\ARPPRODUCTICON.exe

+ 2009-01-15 04:21:02 40,960 ----a-r c:\windows\Installer\{E9AE9A91-AB45-4321-87BD-AD34855D944F}\NewShortcut1_E9AE9A91AB45432187BDAD34855D944F.exe

+ 2009-01-15 04:21:02 45,056 ----a-r c:\windows\Installer\{E9AE9A91-AB45-4321-87BD-AD34855D944F}\NewShortcut3_E9AE9A91AB45432187BDAD34855D944F.exe

+ 2009-01-15 04:21:02 40,960 ----a-r c:\windows\Installer\{E9AE9A91-AB45-4321-87BD-AD34855D944F}\NewShortcut5_E9AE9A91AB45432187BDAD34855D944F.exe

- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe

+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe

+ 2009-01-15 00:10:39 85,969 ----a-w c:\windows\system32\drivers\gmer.sys

+ 2009-01-09 22:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( 璶祅翴 ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-07 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-16 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-07 29744]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]

"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Kevin Wu\Start Menu\Programs\Startup\

Registration Chessmaster 10th Edition.LNK - c:\program files\Ubisoft\Chessmaster 10th Edition\Register\RegistrationReminder.exe [2003-11-06 864256]

Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-07-21 3050832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-05-07 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-05-07 13:13 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1210184228\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=

"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\ijji\\ENGLISH\\u_gunz.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization IV\\Civilization4.exe"=

"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\City Interactive\\WWII Pacific Heroes\\pacific.exe"=

"c:\\Program Files\\America's Army Deploy Client\\AADeployClient.exe"=

"c:\\ijji\\ENGLISH\\u_skid.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-06-09 24652]

S3 musbehco;musbehco;\??\c:\docume~1\KEVINW~1\LOCALS~1\Temp\musbehco.sys --> c:\docume~1\KEVINW~1\LOCALS~1\Temp\musbehco.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PNKBSTRK

*Deregistered* - Bonjour Service

*Deregistered* - PnkBstrK

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4bfbef-4058-11dd-b832-001d0996e3d9}]

\Shell\AutoRun\command - I:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-17 c:\windows\Tasks\Norton Security Scan for Kevin Wu.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 03:18]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

.

------- τ苯磞 -------

.

uStart Page = hxxp://www.daemon-search.com/startpage

mStart Page = hxxp://www.dell.com

uInternet Settings,ProxyOverride = *.local

IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}

file://c:\program files\SCRABBLE\Images\stg_drm.ocx

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}

file://c:\program files\SCRABBLE\Images\armhelper.ocx

FF - ProfilePath - c:\documents and settings\Kevin Wu\Application Data\Mozilla\Firefox\Profiles\brmcdg3h.default\

FF - prefs.js: browser.search.selectedEngine - DAEMON Search

FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage

FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-16 19:28:18

Windows 5.1.2600 Service Pack 2 NTFS

苯磞砆留旅秈祘 

苯磞砆留旅币笆舱 

苯磞砆留旅ゅン 

苯磞ЧΘ

砆留旅郎: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2813340832-212465457-4230175775-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12FCEEB9-CBF7-5726-1713-3B09EBBF20F3}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iaoamhikbofbmhlono"=hex:6b,61,6b,66,70,64,66,68,6d,6f,62,6e,6c,6e,6c,67,6d,66,

61,6c,68,66,00,00

"hainchigpohfpdbh"=hex:6b,61,6a,66,65,64,6b,6d,68,62,6c,66,6a,66,62,69,6b,70,

69,6d,6d,6f,00,00

.

--------------------- 笲︽秈祘笆篈渺钡畐 ---------------------

- - - - - - - > 'winlogon.exe'(736)

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

.

ЧΘ丁: 2009-01-16 19:29:43

ComboFix-quarantined-files.txt 2009-01-17 00:29:41

ComboFix2.txt 2009-01-08 03:38:54

Pre-Run: 189,626,609,664 bytes free

Post-Run: 189,694,234,624 bytes free

250 --- E O F --- 2009-01-14 08:05:51

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:30:13, on 2009-1-16

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Xfire\xfire.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLHOS~1.EXE

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLServiceHost.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\PROGRA~1\MICROS~3\Office10\WINWORD.EXE

C:\WINDOWS\system32\conime.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Registration Chessmaster 10th Edition.LNK = C:\Program Files\Ubisoft\Chessmaster 10th Edition\Register\RegistrationReminder.exe

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx

O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bonjour ?? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 7784 bytes


  • Root Admin

Please update your Anti-Virus to the latest definitions and do a Full Scan and let me know what it finds.

All of these files look suspicious and should probably be deleted. You can upload to us and we can review them. Zip them up into an archive and attach it to a new post in this forum: HJT Log Requested File Upload

2008-12-23 19:36 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\7304cd.dll

2008-12-23 19:36 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\1ef59d30.dll

2008-12-22 14:19 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\6774970.dll

2008-12-22 14:19 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\1d325fa6.dll

2008-12-22 12:27 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\2d663f8.dll

2008-12-22 12:27 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\24cddc5e.dll

2008-12-21 13:04 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\a873782.dll

2008-12-21 13:04 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\22f87d98.dll

2008-12-19 21:44 . 2008-12-19 21:44 1,661,209 ---hs---- c:\windows\system32\phebddfg.ini

2008-12-19 19:15 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\5272124.dll

2008-12-19 19:15 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\4549a68.dll

2008-12-19 19:15 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\5a3a2e3.dll

2008-12-19 19:15 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\125c5519.dll

2008-12-19 19:13 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\2086612e.dll

2008-12-19 19:13 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\12ab6fc3.dll

2008-12-19 19:13 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\79ec4ef.dll

2008-12-19 19:13 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\340a640.dll

2008-12-19 01:12 . 2008-12-27 16:45 38,208 --ah----- c:\windows\system32\mlfcache.dat

2008-12-17 20:41 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\2a5dd9b7.dll

2008-12-17 20:41 . 2004-08-04 05:00 1,689,088 ---h---t- c:\windows\system32\290161e3.dll

2008-12-17 20:41 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\8f112b.dll

2008-12-17 20:41 . 2004-08-04 05:00 82,944 ---h---t- c:\windows\system32\1e7eb35f.dll

2008-12-16 01:14 70,144 ----a-w c:\windows\system32\wvUkLBUK.dll

2008-09-27 13:02 63,537 --sha-w c:\windows\system32\famuheno.dll

2008-09-27 13:02 63,537 --sha-w c:\windows\system32\mufofula.dll

2008-09-22 08:00 63,566 --sha-w c:\windows\system32\paselilu.dll

2008-09-26 12:00 63,723 --sha-w c:\windows\system32\pitibaya.dll

2008-09-29 15:06 63,599 --sha-w c:\windows\system32\pivafado.dll

2008-09-29 15:06 63,599 --sha-w c:\windows\system32\rizewilo.dll

2008-09-26 12:00 63,723 --sha-w c:\windows\system32\totoyiru.dll

2008-09-22 08:00 63,566 --sha-w c:\windows\system32\werudowi.dll

This one is Malware for sure and should be deleted

c:\docume~1\KEVINW~1\LOCALS~1\Temp\musbehco.sys

You need to run Regedit and take OWNERSHIP permissions back on this key structure.

(ask if you need to know how)

HKEY_USERS\S-1-5-21-2813340832-212465457-4230175775-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12FCEEB9-CBF7-5726-1713-3B09EBBF20F3}

Once you have ownership and permissions to edit we need to back the keys up, but then probably remove these entries.

iaoamhikbofbmhlono

hainchigpohfpdbh

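The pattern behind the "look suspicious" list in the post above, as an added detection example that is not part of the original thread: it parses listing lines of that shape, flags system32 DLLs with random-looking names, and records the corroborating signs (hidden, system or temporary attributes; a last-write time forged to sit years before the creation time; several differently named files of identical size). It assumes that in the ". "-separated lines the first timestamp is the creation time and the second the last-write time, as in ComboFix's "Files Created" listing; the last two sample lines are constructed benign controls, the rest are copied from the post.

```python
# Added example (not from the thread): triage a ComboFix-style listing for
# the pattern in the post above. Assumes the first timestamp of a ". " line
# is the creation time and the second the last-write time.
import re
from collections import defaultdict
from datetime import datetime

# Two line shapes occur: "created . modified size attrs path" and the
# shorter "modified size attrs path".
LINE_RE = re.compile(
    r"^(?P<first>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<second>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>[\d,]+) (?P<attrs>[-a-z]{7,9}) (?P<path>\S+)$"
)
HEX_RE = re.compile(r"^[0-9a-f]{6,8}$")
VOWELS = set("aeiou")
FMT = "%Y-%m-%d %H:%M"

def parse_line(line):
    """Return a dict for one listing line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    first = datetime.strptime(m["first"], FMT)
    second = datetime.strptime(m["second"], FMT) if m["second"] else None
    path = m["path"]
    return {
        "created": first if second else None,  # short form carries no ctime
        "modified": second or first,
        "size": int(m["size"].replace(",", "")),
        "attrs": m["attrs"],
        "path": path,
        "name": path.rsplit("\\", 1)[-1],
    }

def looks_random(stem):
    """Hex-only stems (7304cd), 8 letters alternating consonant/vowel
    (famuheno), or 8 letters with three or more case switches (wvUkLBUK)."""
    low = stem.lower()
    if HEX_RE.match(low):
        return True
    if len(stem) == 8 and stem.isalpha():
        cv = [c in VOWELS for c in low]
        if all(cv[i] != cv[i + 1] for i in range(7)):
            return True
        switches = sum(stem[i].isupper() != stem[i + 1].isupper() for i in range(7))
        return switches >= 3
    return False

def reasons_for(entry):
    """List the heuristic hits for one parsed entry (empty = not a candidate)."""
    stem, _, ext = entry["name"].rpartition(".")
    if ext.lower() != "dll" or "\\system32\\" not in entry["path"].lower():
        return []
    if not looks_random(stem):
        return []
    hits = ["random-looking name"]
    for flag, label in (("h", "hidden"), ("s", "system"), ("t", "temporary")):
        if flag in entry["attrs"]:
            hits.append(label + " attribute")
    # A last-write time years older than the creation time means the mtime
    # was set deliberately (a copied file can show this too, so it is a hint).
    if entry["created"] and (entry["created"] - entry["modified"]).days > 365:
        hits.append("last-write time predates creation by over a year")
    return hits

def triage(lines):
    """Parse lines, keep the candidates, and note clusters of identical size
    among them (one dropper writing several copies under fresh names)."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        hits = reasons_for(entry)
        if hits:
            entry["reasons"] = hits
            flagged.append(entry)
    by_size = defaultdict(list)
    for e in flagged:
        by_size[e["size"]].append(e["name"])
    for e in flagged:
        others = len(by_size[e["size"]]) - 1
        if others:
            e["reasons"].append("shares size %d with %d other flagged file(s)" % (e["size"], others))
    return flagged

# Sample input: lines copied from the listing above plus two constructed
# benign lines at the end that serve as controls.
SAMPLE = """\
2008-12-23 19:36 . 2004-08-04 05:00 82,944 ---h---t- c:\\windows\\system32\\7304cd.dll
2008-12-23 19:36 . 2004-08-04 05:00 82,944 ---h---t- c:\\windows\\system32\\1ef59d30.dll
2008-12-19 19:15 . 2004-08-04 05:00 1,689,088 ---h---t- c:\\windows\\system32\\5272124.dll
2008-12-16 01:14 70,144 ----a-w c:\\windows\\system32\\wvUkLBUK.dll
2008-09-27 13:02 63,537 --sha-w c:\\windows\\system32\\famuheno.dll
2008-09-27 13:02 63,537 --sha-w c:\\windows\\system32\\mufofula.dll
2004-08-04 05:00 . 2004-08-04 05:00 82,944 ----a-w- c:\\windows\\system32\\samplesys.dll
2008-11-02 09:12 . 2008-11-02 09:12 411,136 ----a-w- c:\\windows\\system32\\vendorapi.dll
"""
```

Calling `triage(SAMPLE.splitlines())` returns the six flagged entries with their reasons; the two control lines are not returned.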

Avira AntiVir Personal

Report file date: 2009年1月17日 17:00

Scanning for 1223257 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: WUDELL530JUNE08

Version information:

BUILD.DAT : 8.2.0.337 16934 Bytes 2008/11/18 13:05:00

AVSCAN.EXE : 8.1.4.10 315649 Bytes 2008/11/18 14:21:26

AVSCAN.DLL : 8.1.4.0 40705 Bytes 2008/5/26 13:56:40

LUKE.DLL : 8.1.4.5 164097 Bytes 2008/6/12 18:44:19

LUKERES.DLL : 8.1.4.0 12033 Bytes 2008/5/26 13:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008/10/27 17:30:36

ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 2009/1/14 21:56:54

ANTIVIR2.VDF : 7.1.1.114 2048 Bytes 2009/1/14 21:56:55

ANTIVIR3.VDF : 7.1.1.135 286208 Bytes 2009/1/17 21:56:57

Engineversion : 8.2.0.57

AEVDF.DLL : 8.1.0.6 102772 Bytes 2008/10/14 16:05:56

AESCRIPT.DLL : 8.1.1.26 340347 Bytes 2009/1/17 21:57:08

AESCN.DLL : 8.1.1.5 123251 Bytes 2008/11/7 21:06:41

AERDL.DLL : 8.1.1.3 438645 Bytes 2008/11/4 19:58:38

AEPACK.DLL : 8.1.3.5 393588 Bytes 2009/1/17 21:57:07

AEOFFICE.DLL : 8.1.0.33 196987 Bytes 2009/1/17 21:57:05

AEHEUR.DLL : 8.1.0.84 1540471 Bytes 2009/1/17 21:57:03

AEHELP.DLL : 8.1.2.0 119159 Bytes 2009/1/17 21:57:00

AEGEN.DLL : 8.1.1.10 323957 Bytes 2009/1/17 21:57:00

AEEMU.DLL : 8.1.0.9 393588 Bytes 2008/10/14 16:05:56

AECORE.DLL : 8.1.5.2 172405 Bytes 2009/1/17 21:56:58

AEBB.DLL : 8.1.0.3 53618 Bytes 2008/10/14 16:05:56

AVWINLL.DLL : 1.0.0.12 15105 Bytes 2008/7/9 14:40:05

AVPREF.DLL : 8.0.2.0 38657 Bytes 2008/5/16 15:28:01

AVREP.DLL : 8.0.0.2 98344 Bytes 2008/7/31 18:02:15

AVREG.DLL : 8.0.0.1 33537 Bytes 2008/5/9 17:26:40

AVARKT.DLL : 1.0.0.23 307457 Bytes 2008/2/12 14:29:23

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 2008/6/12 18:27:49

SQLITE3.DLL : 3.3.17.1 339968 Bytes 2008/1/22 23:28:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 2008/6/12 18:49:40

NETNT.DLL : 8.0.0.1 7937 Bytes 2008/1/25 18:05:10

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 2008/6/12 19:48:07

RCTEXT.DLL : 8.0.52.0 86273 Bytes 2008/6/27 19:34:37

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: 2009年1月17日 17:00

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'conime.exe' - '1' Module(s) have been scanned

Scan process 'WINWORD.EXE' - '1' Module(s) have been scanned

Scan process 'jucheck.exe' - '1' Module(s) have been scanned

Scan process 'AOLServiceHost.exe' - '1' Module(s) have been scanned

Scan process 'AOLHOS~1.EXE' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'xfire.exe' - '1' Module(s) have been scanned

Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned

Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned

Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned

Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned

Scan process 'DLG.exe' - '1' Module(s) have been scanned

Scan process 'aim6.exe' - '1' Module(s) have been scanned

Scan process 'QTTask.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned

Scan process 'AOLSP Scheduler.exe' - '1' Module(s) have been scanned

Scan process 'AOLDial.exe' - '1' Module(s) have been scanned

Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned

Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned

Scan process 'PDVDDXSrv.exe' - '1' Module(s) have been scanned

Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned

Scan process 'igfxpers.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'igfxtray.exe' - '1' Module(s) have been scanned

Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned

Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'aoltpspd.exe' - '1' Module(s) have been scanned

Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned

Scan process 'aoltsmon.exe' - '1' Module(s) have been scanned

Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

53 processes with 53 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

[WARNING] System error [21]: The device is not ready.

Master boot sector HD2

[INFO] No virus was found!

[WARNING] System error [21]: The device is not ready.

Master boot sector HD3

[INFO] No virus was found!

[WARNING] System error [21]: The device is not ready.

Master boot sector HD4

[INFO] No virus was found!

[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '68' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\Kevin Wu\Desktop\Adobe Photoshop\Adobe PhotoShop CS3 10.0 keygen.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.470016.A back-door program

[NOTE] The file was moved to '49e156a7.qua'!

C:\Documents and Settings\Kevin Wu\Desktop\Adobe Photoshop\keygen.exe

[DETECTION] Is the TR/Gendal.471040 Trojan

[NOTE] The file was moved to '49eb56ad.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP100\A0016773.exe

[DETECTION] Is the TR/Hijacker.Gen Trojan

[NOTE] The file was moved to '49a25de2.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP100\A0016775.exe

[DETECTION] Is the TR/Hijacker.Gen Trojan

[NOTE] The file was moved to '49a25de7.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP100\A0016799.exe

[0] Archive type: RAR SFX (self extracting)

--> AAComp~1.cab

[1] Archive type: CAB (Microsoft)

--> M_AA2_WeaponsCache.usx.fz

[WARNING] No further files can be extracted from this archive. The archive will be closed

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP106\A0018587.exe

[DETECTION] Is the TR/Hijacker.Gen Trojan

[NOTE] The file was moved to '49a25f0c.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP143\A0029260.rbf

[DETECTION] Is the TR/Crypt.CFI.Gen Trojan

[NOTE] The file was moved to '49a25f39.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP146\A0029481.exe

[DETECTION] Is the TR/Hijacker.Gen Trojan

[NOTE] The file was moved to '49a25f45.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP146\A0029491.exe

[DETECTION] Is the TR/Hijacker.Gen Trojan

[NOTE] The file was moved to '49a25f4c.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP146\A0029531.exe

[DETECTION] Is the TR/Hijacker.Gen Trojan

[NOTE] The file was moved to '49a25f54.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP162\A0035364.exe

[DETECTION] Is the TR/Hijacker.Gen Trojan

[NOTE] The file was moved to '49a25f68.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP195\A0039313.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a25f8a.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP195\A0039314.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a25f8e.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP195\A0040262.dll

[DETECTION] Is the TR/Vundo.NS Trojan

[NOTE] The file was moved to '49a25f92.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP195\A0040263.dll

[DETECTION] Is the TR/Vundo.NT Trojan

[NOTE] The file was moved to '49a25f98.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP195\A0040265.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '49a25f9b.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP195\A0040266.dll

[DETECTION] Is the TR/Killav.28714 Trojan

[NOTE] The file was moved to '49a25fa3.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP195\A0040267.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '49a25fac.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP197\A0042478.dll

[DETECTION] Is the TR/Vundo.SPU Trojan

[NOTE] The file was moved to '49a25fb8.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP197\A0042480.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a25fbb.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP200\A0043510.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a25fbe.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP200\A0043511.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '49a25fc2.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP200\A0044489.dll

[DETECTION] Is the TR/Vundo.NS Trojan

[NOTE] The file was moved to '49a25fc7.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP200\A0044496.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '49a25fcc.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP200\A0044497.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a25fd0.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP200\A0044498.exe

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '49a25fd5.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP205\A0044616.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a25fe0.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP215\A0044751.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a25ff0.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP215\A0044752.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a25ffd.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP216\A0044758.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a26001.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP216\A0044759.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a26006.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP218\A0044830.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a26012.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP219\A0044852.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a26016.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP219\A0044853.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49a26019.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP219\A0044937.exe

[DETECTION] Is the TR/Hijacker.Gen Trojan

[NOTE] The file was moved to '49a2601f.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP219\A0044939.dll

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Bot.69120 back-door program

[NOTE] The file was moved to '49a26024.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP219\A0044941.exe

[DETECTION] Is the TR/Hijacker.Gen Trojan

[NOTE] The file was moved to '49a26027.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP228\A0046451.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.470016.A back-door program

[NOTE] The file was moved to '49a26061.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP228\A0046452.exe

[DETECTION] Is the TR/Gendal.471040 Trojan

[NOTE] The file was moved to '49a26066.qua'!

C:\WINDOWS\system32\wvUkLBUK.dll

[DETECTION] Is the TR/Agent.avvk Trojan

[NOTE] The file was moved to '49c76205.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OP2RCH6N\pldr8[1].htm

[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)

[NOTE] The file was moved to '49d6620c.qua'!

End of the scan: 2009年1月17日 17:54

Used time: 54:08 Minute(s)

The scan has been done completely.

12573 Scanning directories

345049 Files were scanned

40 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

40 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

345007 Files not concerned

3770 Archives were scanned

7 Warnings

40 Notes

c:\docume~1\KEVINW~1\LOCALS~1\Temp\musbehco.sys wasn't found by Avira.


Malwarebytes' Anti-Malware 1.33

Database version: 1666

Windows 5.1.2600 Service Pack 2

2009-1-18 17:31:48

mbam-log-2009-01-18 (17-31-48).txt

Scan type: Quick Scan

Objects scanned: 66734

Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:03:29, on 2009-1-18

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Xfire\xfire.exe

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLHOS~1.EXE

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLServiceHost.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\WINDOWS\system32\conime.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\mIRC\mirc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Registration Chessmaster 10th Edition.LNK = C:\Program Files\Ubisoft\Chessmaster 10th Edition\Register\RegistrationReminder.exe

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx

O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bonjour ?? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8444 bytes


  • Root Admin

Start HJT, run "Do a system scan only" and place a check mark on the following items.

  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
  • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

Please run an online scan with Kaspersky

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:

KAS.gif

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs

Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Let me know what it fixed.


JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Jan 20 18:29:20 2009

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\

------------------------------------

Finished reporting.

My friend accidentally saved the Kaspersky results as an HTML file.

KASLog.html


  • Root Admin

Please download Avenger 2.0 from here

Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.

Files to delete:
C:\WINDOWS\system32\famuheno.dll
C:\WINDOWS\system32\fetowiju.dll.tmp
C:\WINDOWS\system32\hojidihi.dll.tmp
C:\WINDOWS\system32\kuvalepi.dll.tmp
C:\WINDOWS\system32\mufofula.dll
C:\WINDOWS\system32\paselilu.dll
C:\WINDOWS\system32\pitibaya.dll
C:\WINDOWS\system32\pivafado.dll
C:\WINDOWS\system32\rizewilo.dll
C:\WINDOWS\system32\rugifati.dll.tmp
C:\WINDOWS\system32\totoyiru.dll
C:\WINDOWS\system32\vodideto.dll.tmp
C:\WINDOWS\system32\vuseyiju.dll.tmp
C:\WINDOWS\system32\werudowi.dll
C:\WINDOWS\system32\yovovati.dll.tmp
  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked.
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Once Avenger is done run MBAM, go to the UPDATE tab and update the program again and do a Quick Scan.

Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.


Malwarebytes' Anti-Malware 1.33

Database version: 1682

Windows 5.1.2600 Service Pack 2

2009-1-22 16:55:08

mbam-log-2009-01-22 (16-55-08).txt

Scan type: Quick Scan

Objects scanned: 68533

Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:59:48, on 2009-1-22

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Xfire\xfire.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLHOS~1.EXE

C:\PROGRA~1\COMMON~1\AOL\121018~1\EE\AOLServiceHost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscript.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Registration Chessmaster 10th Edition.LNK = C:\Program Files\Ubisoft\Chessmaster 10th Edition\Register\RegistrationReminder.exe

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688

O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bonjour ?? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8607 bytes

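The HijackThis log above is triaged by eye in this thread: the helper looks for registry entries whose target file no longer exists (the "(no file)" leftovers from the earlier removals), services with no identifiable owner, and DLLs in system32 with the random eight-letter names the Vundo components had (famuheno.dll, mufofula.dll and so on). The Python below is an added example, not a tool from this thread or from Malwarebytes, that applies those same three checks to HJT log lines. The sample input is constructed: real lines copied from the log above, plus one hypothetical O2 entry (all-zero CLSID, not in the posted log) that reuses the famuheno.dll name Avenger deleted so the random-name check has something to fire on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis log posted above,
# plus one hypothetical O2 entry (all-zero CLSID, not from the log) that reuses
# the famuheno.dll name Avenger deleted, so the random-name check has a hit.
SAMPLE_HJT_LOG = """\
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\system32\\famuheno.dll
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_3_4.EXE
"""

# A Windows path ending in a loadable module. Non-greedy, so it stops at the
# first .dll/.exe/.ocx; the optional .tmp suffix covers the half-written
# copies (xxxxxxxx.dll.tmp) listed in the Avenger script.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:dll|exe|ocx)(?:\.tmp)?)', re.IGNORECASE)

# Heuristic taken from this thread only: the Vundo components were named with
# eight random lowercase letters (famuheno, mufofula, ...) and dropped in system32.
_RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.dll(?:\.tmp)?$')


@dataclass
class Finding:
    section: str  # HJT section tag ("R3", "O2", "O23") or "PROC" for a running-process line
    flag: str     # ORPHANED, RANDOM_NAME or UNKNOWN_OWNER
    detail: str   # the path (or whole line) that triggered the flag


def extract_path(line: str) -> Optional[str]:
    """Return the first module path on an HJT line, without surrounding quotes."""
    m = _PATH_RE.search(line)
    return m.group(1) if m else None


def triage_line(line: str) -> List[Finding]:
    """Apply the three checks the helper made by eye to one HJT log line."""
    line = line.strip()
    if not line:
        return []
    # 'Running processes' lines are bare paths with no 'Oxx - ' prefix.
    section = line.split(" - ", 1)[0] if " - " in line else "PROC"
    findings: List[Finding] = []

    # 1. Registry entry whose target file is gone: a dead leftover to clean up.
    if line.endswith("(no file)"):
        findings.append(Finding(section, "ORPHANED", line))

    path = extract_path(line)
    if path:
        parts = path.lower().split("\\")
        basename = parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        # 2. Random eight-letter DLL sitting directly in system32.
        if parent == "system32" and _RANDOM_NAME_RE.match(basename):
            findings.append(Finding(section, "RANDOM_NAME", path))

    # 3. Service whose binary carries no recognisable vendor string.
    if section == "O23" and "Unknown owner" in line:
        findings.append(Finding(section, "UNKNOWN_OWNER", path or line))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the findings in order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.flag:14} {f.detail}")
```

A RANDOM_NAME hit is a prompt, not a verdict: legitimate system32 files such as setupapi.dll, iphlpapi.dll and netshell.dll also have eight lowercase letters, so the file still needs its signature checked and a scan before it goes into an Avenger script. An ORPHANED entry is the opposite case, a registry pointer with nothing behind it; it is removed for tidiness (as with the HJT "Fix checked" step earlier in the thread), not because it is still running anything.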

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File "C:\WINDOWS\system32\famuheno.dll" deleted successfully.

File "C:\WINDOWS\system32\fetowiju.dll.tmp" deleted successfully.

File "C:\WINDOWS\system32\hojidihi.dll.tmp" deleted successfully.

File "C:\WINDOWS\system32\kuvalepi.dll.tmp" deleted successfully.

File "C:\WINDOWS\system32\mufofula.dll" deleted successfully.

File "C:\WINDOWS\system32\paselilu.dll" deleted successfully.

File "C:\WINDOWS\system32\pitibaya.dll" deleted successfully.

File "C:\WINDOWS\system32\pivafado.dll" deleted successfully.

File "C:\WINDOWS\system32\rizewilo.dll" deleted successfully.

File "C:\WINDOWS\system32\rugifati.dll.tmp" deleted successfully.

File "C:\WINDOWS\system32\totoyiru.dll" deleted successfully.

File "C:\WINDOWS\system32\vodideto.dll.tmp" deleted successfully.

File "C:\WINDOWS\system32\vuseyiju.dll.tmp" deleted successfully.

File "C:\WINDOWS\system32\werudowi.dll" deleted successfully.

File "C:\WINDOWS\system32\yovovati.dll.tmp" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

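The Avenger script earlier in the thread lists fifteen files and the log above reports each one as deleted. With a list that long it is easy to miss a single entry that produced no success line, or a success line for a path that was never in the script (a sign the pasted text was not what was intended). The Python below is an added example, not part of Avenger or of this thread: it parses the "Files to delete:" script and the log and reports what was confirmed deleted, what was not confirmed, and what was deleted without being asked for. The "deleted successfully" wording is taken from the log above; the sample input is constructed from three of the posted paths, one hypothetical failure line (its format is assumed, Avenger's real wording may differ) and one hypothetical extra path (zzzzzzzz.dll) to exercise the "unexpected" branch.

```python
import re
from typing import Dict, List

# Constructed sample: three of the fifteen paths from the Avenger script posted above.
AVENGER_SCRIPT = """\
Files to delete:
C:\\WINDOWS\\system32\\famuheno.dll
C:\\WINDOWS\\system32\\fetowiju.dll.tmp
C:\\WINDOWS\\system32\\mufofula.dll
"""

# Constructed sample log. The 'deleted successfully' lines use the exact wording
# of the Avenger log above. The 'Error:' line and the extra zzzzzzzz.dll entry
# are hypothetical (Avenger's real failure wording may differ) and exist only
# to exercise the unconfirmed and unexpected branches.
AVENGER_LOG = """\
Beginning to process script file:
File "C:\\WINDOWS\\system32\\famuheno.dll" deleted successfully.
Error: file "C:\\WINDOWS\\system32\\fetowiju.dll.tmp" not found!
File "C:\\WINDOWS\\system32\\mufofula.dll" deleted successfully.
File "C:\\WINDOWS\\system32\\zzzzzzzz.dll" deleted successfully.
Completed script processing.
"""

_SUCCESS_RE = re.compile(r'^File "(.+?)" deleted successfully\.$')
_QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')


def parse_script(text: str) -> Dict[str, List[str]]:
    """Group script lines under their section header ('Files to delete:' etc.)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):             # section header such as 'Files to delete:'
            current = line[:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log(text: str) -> Dict[str, str]:
    """Map each quoted path in the log (lower-cased) to 'deleted' or to the raw line."""
    status: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SUCCESS_RE.match(line)
        if m:
            status[m.group(1).lower()] = "deleted"
            continue
        q = _QUOTED_PATH_RE.search(line)
        if q:
            # keep the first non-success line that mentions the path
            status.setdefault(q.group(1).lower(), line)
    return status


def reconcile(script_text: str, log_text: str) -> Dict[str, object]:
    """Compare what the script asked for with what the log confirms.

    Windows paths are case-insensitive, so comparisons are done lower-cased;
    'unexpected' paths come back lower-cased for the same reason.
    """
    wanted = parse_script(script_text).get("files to delete", [])
    wanted_lc = {p.lower() for p in wanted}
    status = parse_log(log_text)
    return {
        # asked for and confirmed gone
        "deleted": [p for p in wanted if status.get(p.lower()) == "deleted"],
        # asked for but no success line: re-run, or check the file by hand
        "unconfirmed": {p: status.get(p.lower(), "no log line")
                        for p in wanted if status.get(p.lower()) != "deleted"},
        # deleted without being in the script: the pasted text was not what was intended
        "unexpected": sorted(p for p, s in status.items()
                             if s == "deleted" and p not in wanted_lc),
    }


if __name__ == "__main__":
    for key, value in reconcile(AVENGER_SCRIPT, AVENGER_LOG).items():
        print(f"{key}: {value}")
```

Anything in "unconfirmed" is the list to look at before declaring the machine clean: a missing file may already have been removed by MBAM or Avira, or it may have been re-created under a new random name, which is exactly why the helper asks for a fresh MBAM and HJT log after the reboot.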

  • Root Admin

Thanks. Now let's run one more update and scan please.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

Then post back NEW MBAM and HJT logs in that order please.


This topic is now closed to further replies.