micro antivirus 2009 here is my hjt log

Discussion in 'Windows - Virus and spyware problems' started by chkinjoe, Sep 22, 2008.

  1. chkinjoe

    chkinjoe Member

    It's basically a fake antivirus that keeps popping up fake detections and trying to open IE to an unknown page. I would appreciate it if someone could help me remove this. Thanks for reading :)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:54:53 AM, on 9/22/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Windows\System32\YURF0B7.exe
    C:\Windows\System32\YURF2AB.exe
    C:\Windows\System32\YURF6F1.exe
    C:\Windows\System32\YURFABA.exe
    C:\Windows\System32\YUR7BE8.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\MicroAV\MicroAV.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\PCHealthCenter\0.exe
    C:\Program Files\PCHealthCenter\0.exe
    C:\Program Files\PCHealthCenter\5.exe
    C:\Program Files\PCHealthCenter\5.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {2DD20DA4-14CD-4DE1-B413-632F3BCB703F} - C:\Windows\system32\cBSkljjK.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [\YURF0B7.exe] C:\Windows\system32\YURF0B7.exe
    O4 - HKLM\..\Run: [\YURF2AB.exe] C:\Windows\system32\YURF2AB.exe
    O4 - HKLM\..\Run: [\YURF6F1.exe] C:\Windows\system32\YURF6F1.exe
    O4 - HKLM\..\Run: [\YURFABA.exe] C:\Windows\system32\YURFABA.exe
    O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJCvVPG.dll,#1
    O4 - HKLM\..\Run: [\YUR7BE8.exe] C:\Windows\system32\YUR7BE8.exe
    O4 - HKLM\..\Run: [f45aca6b] rundll32.exe "C:\Windows\system32\phkttaga.dll",b
    O4 - HKLM\..\Run: [\YURC8C9.exe] C:\Windows\system32\YURC8C9.exe
    O4 - HKLM\..\Run: [\YURC714.exe] C:\Windows\system32\YURC714.exe
    O4 - HKLM\..\Run: [\YURC8B9.exe] C:\Windows\system32\YURC8B9.exe
    O4 - HKLM\..\Run: [\YUR1C58.exe] C:\Windows\system32\YUR1C58.exe
    O4 - HKLM\..\Run: [\YUR2F99.exe] C:\Windows\system32\YUR2F99.exe
    O4 - HKCU\..\Run: [\YURF0B7.exe] C:\Windows\system32\YURF0B7.exe
    O4 - HKCU\..\Run: [\YURF2AB.exe] C:\Windows\system32\YURF2AB.exe
    O4 - HKCU\..\Run: [\YURF6F1.exe] C:\Windows\system32\YURF6F1.exe
    O4 - HKCU\..\Run: [\YURFABA.exe] C:\Windows\system32\YURFABA.exe
    O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
    O4 - HKCU\..\Run: [\YUR7BE8.exe] C:\Windows\system32\YUR7BE8.exe
    O4 - HKCU\..\Run: [\YURC8C9.exe] C:\Windows\system32\YURC8C9.exe
    O4 - HKCU\..\Run: [\YURC714.exe] C:\Windows\system32\YURC714.exe
    O4 - HKCU\..\Run: [\YURC8B9.exe] C:\Windows\system32\YURC8B9.exe
    O4 - HKCU\..\Run: [\YUR1C58.exe] C:\Windows\system32\YUR1C58.exe
    O4 - HKCU\..\Run: [\YUR2F99.exe] C:\Windows\system32\YUR2F99.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8331 bytes

    I really appreciate this help, guys.
     
  2. 2oldGeek

    2oldGeek Active member

    Hi chkinjoe,

    Your Log shows a lot of infection….

    Let’s do a little Pre-Cleaning, run ComboFix and Post some Logs so we can see what’s going on…


    Pre-Clean:

    Please download ATF Cleaner by Atribune & save it to your desktop.

    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.

    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


    Download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt


    ComboFix:

    1. Download Combo fix from one of these locations.
    * IMPORTANT !!! Place combofix.exe on your Desktop

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.


    3. ComboFix will begin to run. DO NOTHING while this is happening.
    • It will kill a few processes and disconnect you from the internet.
    • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
    • This needs to be done so the program can work most efficiently for you.
    Do not attempt to use the internet or anything else while it's doing its job for you.

    If, when it's completed, you cannot get on the internet, just reboot the computer.

    Post the log from ComboFix for me, located in
    c:\comboFix.txt
    Also, post the MBAM Log and a fresh HJT log in your next reply.



    2OG
     
  3. chkinjoe

    chkinjoe Member

    Here's the logs. I appreciate all of your help. I think it's off so far, but ComboFix has made my system clock stuck in 24hr format.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:39, on 2008-09-23
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: C:\Windows\system32\pojabese.dll nbksph.dll
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
    O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
    O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
    O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
    O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 5842 bytes


    ComboFix 08-09-20.05 - Theo Moor 2008-09-23 0:24:31.1 - NTFSx86
    Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.889 [GMT -7:00]
    Running from: C:\Users\Theo Moor\Desktop\combofix.exe
    Command switches used :: /killall
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
    C:\Windows\system32\1.ico
    C:\Windows\system32\2.ico
    C:\Windows\system32\agattkhp.ini
    C:\Windows\system32\hwnhnree.ini
    C:\Windows\system32\TDSSerrors.log
    C:\Windows\System32\yspqrdjp.ini

    ----- BITS: Possible infected sites -----

    http://77.74.48.101
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV


    ((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
    .

    2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Malwarebytes
    2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\All Users\Malwarebytes
    2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\ProgramData\Malwarebytes
    2008-09-22 20:39 . 2008-09-22 23:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-22 20:39 . 2008-09-08 00:11 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
    2008-09-22 20:39 . 2008-09-08 00:11 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
    2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\Users\All Users\Avira
    2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\ProgramData\Avira
    2008-09-22 16:07 . 2008-09-22 16:07 <DIR> d-------- C:\Program Files\Avira
    2008-09-22 16:03 . 2008-09-22 16:03 869,297 ---hs---- C:\Windows\System32\yspqrdjp.ini2
    2008-09-22 15:13 . 2008-09-22 15:13 <DIR> d-------- C:\Program Files\Zone Labs
    2008-09-22 15:13 . 2008-03-03 15:05 1,086,952 --a------ C:\Windows\System32\zpeng24.dll
    2008-09-22 15:12 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0015.TMP
    2008-09-22 15:11 . 2008-09-23 00:29 352,615 --ah----- C:\Windows\System32\drivers\vsconfig.xml
    2008-09-22 15:11 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
    2008-09-22 14:54 . 2008-09-22 14:54 <DIR> d-------- C:\Program Files\CCleaner
    2008-09-22 11:54 . 2008-09-22 11:54 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-22 11:35 . 2008-09-22 11:35 53,248 --ahs---- C:\Windows\System32\khfDwxxw.dll
    2008-09-22 11:32 . 2008-09-22 03:15 166,400 --a------ C:\Windows\System32\MicroAV.cpl
    2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\Users\All Users\CheckPoint
    2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\ProgramData\CheckPoint
    2008-09-22 01:37 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
    2008-09-22 01:36 . 2008-09-22 15:13 <DIR> d-------- C:\Windows\System32\ZoneLabs
    2008-09-22 01:35 . 2008-09-23 00:25 <DIR> d-------- C:\Windows\Internet Logs
    2008-09-22 01:25 . 2008-09-22 15:31 <DIR> d-a------ C:\Users\All Users\TEMP
    2008-09-22 01:25 . 2008-09-22 15:31 <DIR> d-a------ C:\ProgramData\TEMP
    2008-09-22 01:25 . 2008-09-22 15:23 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-09-09 11:23 . 2008-07-30 18:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-09-09 11:23 . 2008-08-01 18:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
    2008-09-09 11:23 . 2008-06-25 20:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
    2008-09-09 11:23 . 2008-06-25 20:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
    2008-09-09 11:23 . 2008-05-08 12:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
    2008-09-09 11:23 . 2008-05-19 19:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
    2008-09-09 11:23 . 2008-06-25 20:29 45,056 --a------ C:\Windows\System32\dataclen.dll
    2008-09-09 11:23 . 2008-08-01 20:26 36,864 --a------ C:\Windows\System32\cdd.dll
    2008-09-09 11:23 . 2008-07-30 20:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
    2008-09-08 23:40 . 2008-09-08 23:40 <DIR> d-------- C:\Program Files\warlords battlecry
    2008-09-06 17:55 . 2008-09-06 17:55 <DIR> d-------- C:\Program Files\7-Zip
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\acccore
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\Viewpoint
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\acccore
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\Viewpoint
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\acccore
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\Viewpoint
    2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\Users\All Users\AOL OCP
    2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Users\All Users\AOL
    2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\ProgramData\AOL OCP
    2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\ProgramData\AOL
    2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-09-05 23:16 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\AIM6
    2008-09-05 23:16 . 2008-09-05 23:17 364 --ah----- C:\IPH.PH
    2008-09-05 15:45 . 2008-04-26 01:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.original
    2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\support.com
    2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
    2008-09-05 13:49 . 2008-09-05 13:49 970 --a------ C:\net_save.dna
    2008-09-04 23:52 . 2008-09-09 17:55 <DIR> d-------- C:\Users\Theo Moor\psp files
    2008-09-04 23:40 . 2008-09-04 23:41 <DIR> d-------- C:\Program Files\PSP Pandora Deluxe
    2008-08-30 09:56 . 2008-08-30 09:56 108,144 --a------ C:\Windows\System32\CmdLineExt.dll
    2008-08-30 09:48 . 2008-08-30 09:49 <DIR> d-------- C:\temp
    2008-08-30 01:29 . 2008-08-30 01:29 <DIR> d-------- C:\Program Files\THQ
    2008-08-30 01:29 . 2006-09-28 13:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
    2008-08-30 01:29 . 2006-09-28 13:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
    2008-08-30 01:29 . 2006-07-28 06:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
    2008-08-30 01:29 . 2006-09-28 13:04 68,888 --a------ C:\Windows\System32\xinput1_3.dll
    2008-08-30 01:29 . 2006-07-28 06:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
    2008-08-30 01:29 . 2006-09-28 13:03 15,128 --a------ C:\Windows\System32\x3daudio1_1.dll
    2008-08-29 13:29 . 2008-08-29 16:26 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\WordWeb
    2008-08-29 13:23 . 2008-08-29 13:23 <DIR> d-------- C:\Program Files\Merriam-Webster
    2008-08-28 06:31 . 2008-08-28 06:31 <DIR> d-------- C:\Program Files\ffdshow
    2008-08-28 06:31 . 2008-06-08 20:58 60,273 --a------ C:\Windows\System32\pthreadGC2.dll
    2008-08-28 06:31 . 2008-06-12 17:36 7,680 --a------ C:\Windows\System32\ff_vfw.dll
    2008-08-28 06:31 . 2007-07-10 15:10 547 --a------ C:\Windows\System32\ff_vfw.dll.manifest
    2008-08-26 16:48 . 2008-08-26 16:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    2008-08-26 16:09 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
    2008-08-26 16:09 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
    2008-08-26 16:09 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
    2008-08-26 16:09 . 2008-07-18 19:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
    2008-08-26 16:09 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
    2008-08-26 16:09 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
    2008-08-26 16:09 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
    2008-08-26 16:09 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
    2008-08-26 16:09 . 2008-07-18 17:44 31,232 --a------ C:\Windows\System32\wuapp.exe
    2008-08-25 17:53 . 2008-08-25 17:53 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Xbins
    2008-08-25 17:07 . 2008-08-25 17:08 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\ImgBurn
    2008-08-25 17:05 . 2008-08-25 17:06 <DIR> d-------- C:\Program Files\ImgBurn
    2008-08-25 11:55 . 2008-08-25 11:55 <DIR> d-------- C:\Windows\Sun
    2008-08-23 21:05 . 2008-09-20 19:11 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\LimeWire
    2008-08-23 20:50 . 2008-08-23 20:53 <DIR> d-------- C:\Program Files\Java
    2008-08-23 20:50 . 2008-08-23 20:50 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-08-23 20:19 . 2008-08-23 20:25 <DIR> d-------- C:\Program Files\LimeWire

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-23 00:01 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\uTorrent
    2008-09-22 23:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-09-22 23:28 --------- d-----w C:\ProgramData\Symantec
    2008-09-10 04:32 --------- d-----w C:\ProgramData\Microsoft Help
    2008-09-09 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-06 05:34 --------- d-----w C:\Program Files\NoAdware
    2008-08-22 04:26 --------- d-----w C:\Program Files\LucasArts
    2008-08-22 04:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
    2008-08-22 04:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\ATI
    2008-08-22 04:16 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
    2008-08-22 04:16 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\DAEMON Tools
    2008-08-21 01:36 --------- d-----w C:\Program Files\uTorrent
    2008-08-20 04:03 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-08-20 03:02 --------- d-----w C:\Program Files\Yahoo!
    2008-08-19 22:24 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
    2008-08-17 02:02 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Ceedo
    2008-08-16 03:46 --------- d-----w C:\Program Files\Windows Mail
    2008-08-08 15:20 --------- d-----w C:\Program Files\Spotmau WinCares 2007
    2008-08-01 20:54 --------- d-----w C:\ProgramData\Yahoo!
    2008-08-01 20:53 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Yahoo!
    2008-08-01 20:39 --------- d-----w C:\ProgramData\Apple Computer
    2008-08-01 20:39 --------- d-----w C:\Program Files\QuickTime
    2008-08-01 20:05 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-08-01 19:51 --------- d-----w C:\Program Files\Microsoft Works
    2008-08-01 19:50 --------- d-----w C:\Program Files\MSBuild
    2008-08-01 19:48 --------- d-----w C:\Program Files\Microsoft.NET
    2008-08-01 19:44 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
    2008-07-31 11:00 --------- d-----w C:\Program Files\ThinkPad
    2008-07-31 11:00 --------- d-----w C:\Program Files\Lenovo
    2008-07-31 10:56 --------- d-----w C:\Program Files\Windows Sidebar
    2008-07-31 10:52 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-31 10:03 174 --sha-w C:\Program Files\desktop.ini
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Photo Gallery
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Journal
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Defender
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Collaboration
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Calendar
    2008-07-31 08:09 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\ATI
    2008-07-31 08:06 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
    2008-07-31 08:03 --------- d-----w C:\ProgramData\UIB
    2008-07-31 08:03 --------- d-----w C:\Program Files\Common Files\ThinkVantage Fingerprint Software
    2008-07-31 08:01 --------- d-----w C:\Program Files\ATI Technologies
    2008-07-31 08:00 --------- d-----w C:\Program Files\ATI
    2008-07-31 07:37 --------- d-----w C:\Program Files\Common Files\Lenovo
    2008-07-31 07:21 --------- d-----w C:\Program Files\UPEK
    2008-07-31 07:20 --------- d-----w C:\Program Files\BitLocker
    2008-07-31 07:16 --------- d-----w C:\Program Files\Microsoft Games
    2008-07-31 07:15 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
    2008-07-31 07:15 --------- d-----w C:\Program Files\Synaptics
    2008-07-31 07:15 --------- d-----w C:\Program Files\CONEXANT
    2008-07-31 06:22 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
    2008-07-31 06:20 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
    2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
    2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
    2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
    2008-06-22 23:00 64,512 --sha-w C:\Windows\System32\pojabese.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-09-22 266497]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "EnableInstallerDetection"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "EnableSecureUIAPaths"= 0 (0x0)
    "EnableVirtualization"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "LogonHoursAction"= 2 (0x2)
    "DontDisplayLogonHoursWarnings"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-08-14 15:54 89600 C:\Windows\System32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\Windows\system32\pojabese.dll nbksph.dll
    "LoadAppInit_DLLs"=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd C:\Windows\system32\pojabese.dll C:\Windows\system32\pojabese.dll

    [HKLM\~\startupfolder\C:^Users^Theo Moor^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
    path=C:\Users\Theo Moor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
    backup=C:\Windows\pss\CCC.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
    --------- 2008-06-13 02:30 214576 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
    --------- 2008-06-05 02:36 242976 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
    --------- 2008-06-13 02:30 591136 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    --a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    --a------ 2007-11-21 18:08 820520 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
    --a------ 2008-03-04 10:34 487424 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    --a------ 2008-01-18 23:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2498408150-3981597196-2587865111-1000]
    "EnableNotificationsRef"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{14C99733-4468-449F-AB4D-7CB22BDA2F19}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{31EADDE9-E2AD-4510-A8C7-D6BE7691CB5C}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{3DA5929B-C65D-49A4-A870-E70FC95C4EED}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{3E49912C-6B00-4DB5-B24E-EFD6CAF97AD6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{5066E27B-0873-4BA2-9B5D-CA2FBE6BA843}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{994B4A53-2A8E-4B10-BCE3-7C38486C36FD}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{09159D92-EA6A-4D82-9A2A-6AB4D7D72E3F}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{BEB6BFDE-56E4-4F55-B505-AAC495B1344A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
    "{E94EADD5-AA7A-4487-80FD-0E80AA5461B8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
    "{9F97F662-2B3A-4DB6-B2CE-FA2D2482BF5C}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr@%systemroot%\WindowsMobile\wmdSync.exe,-4001
    "{C0862004-5E5C-43F9-B5F5-DE6D0496A394}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr@%systemroot%\WindowsMobile\wmdSync.exe,-4001
    "{EF61FAD2-4E03-424B-8FED-040BCE8C8699}"= UDP:5721:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}@%systemroot%\WindowsMobile\wmdc.exe,-4002
    "{6BF31B32-A0E6-467E-856D-33A27E555335}"= UDP:1034:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}@%systemroot%\WindowsMobile\wmdc.exe,-4003
    "{56BDB850-4D1D-4364-A053-53F1926542D7}"= UDP:5678:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe@%systemroot%\WindowsMobile\wmdc.exe,-4004
    "{62244E3E-F731-42C5-A10E-C37B5AE9C60C}"= UDP:999:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe@%systemroot%\WindowsMobile\wmdc.exe,-4005
    "{CBF2E472-9B7E-46A1-8732-C3B520B63FE2}"= UDP:26675:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}@%systemroot%\WindowsMobile\wmdc.exe,-4006
    "{FCA69773-1341-4A43-A42D-FD75AF173083}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr@%systemroot%\WindowsMobile\wmdc.exe,-4001
    "{FA61575D-0DBF-4B1B-94EE-11C6CA413E3E}"= UDP:5721:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}@%systemroot%\WindowsMobile\wmdc.exe,-4002
    "{C0275CA5-3711-4887-93D8-2235D68075D9}"= UDP:1034:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}@%systemroot%\WindowsMobile\wmdc.exe,-4003
    "{CEAE717D-9660-4906-8F94-E52C9B4C62E9}"= UDP:5678:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe@%systemroot%\WindowsMobile\wmdc.exe,-4004
    "{096C14BC-7EAB-49B8-8536-0379D118B857}"= UDP:999:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe@%systemroot%\WindowsMobile\wmdc.exe,-4005
    "{952340F9-65E5-4544-AA58-90C9F29699C5}"= UDP:26675:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}@%systemroot%\WindowsMobile\wmdc.exe,-4006
    "{33EA85A1-8F53-4BE7-9E5A-EBE4619379AB}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr@%systemroot%\WindowsMobile\wmdc.exe,-4001
    "{4E9731CD-6D92-49F5-8AD6-FCE70BDEADB3}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
    "{EDF13208-E6B8-44CD-83BF-87ACD83751F2}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
    "{224B317F-9D86-4EB4-9B26-455BCAE2774D}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{141B6876-88C0-4085-9DDF-FD24F7076100}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{6448E642-07C8-4AF5-A5C4-0C76D9B1FB8E}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
    "{1B94555C-451E-4970-B9DA-DAE44AD99BF9}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
    "{8F4F7A7B-08AD-46B9-B33C-9623F1E51B3A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{1BB56A87-F810-40DA-9616-0BD3F85B053F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{431C8773-0CCD-4077-9506-7678D8C7C678}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
    "{D2C19758-638C-4B8A-901C-3FA609D145F7}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
    "TCP Query User{60E15E31-81F5-4238-8184-601ED071D8D3}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
    "UDP Query User{F618D534-A0E9-406F-A44A-B60998F08498}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:µTorrent

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)

    R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
    R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2008-06-13 12080]
    R2 AntiVirMailService;Avira AntiVir Premium MailGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-09-22 164097]
    R2 antivirwebservice;Avira AntiVir Premium WebGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-09-22 258305]
    R2 AVEService;Avira AntiVir Premium MailGuard helper service;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-09-22 41217]
    R2 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-06-13 66848]
    R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
    R2 TPHKSVC;On Screen Display;C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [2008-03-27 58736]
    R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-05 2464768]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-02 179712]
    R3 HSXHWICH;HSXHWICH;C:\Windows\system32\DRIVERS\HSXHWICH.sys [2006-10-18 248320]
    S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    S3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
    S3 VSTHWICH;VSTHWICH;C:\Windows\system32\DRIVERS\VSTICH3.SYS [2006-11-02 242176]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    bthsvcs REG_MULTI_SZ BthServ

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b32395b-7001-11dd-9017-000000000000}]
    \shell\AutoRun\command - E:\autorun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
    msiexec /fums {CCA08FFD-3F64-A525-170F-FB2D73CDC661} /qb

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
    %SystemRoot%\system32\soundschemes.exe /AddRegistration
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll
    HKCU-Run-Aim6 - (no file)
    HKLM-Run-buvuzodala - C:\Windows\system32\kejajumo.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Users\Theo Moor\AppData\Roaming\Mozilla\Firefox\Profiles\uh8vkm3r.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net/a/
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\Windows\system32\winlogon.exe
    -> C:\Windows\system32\pojabese.dll

    PROCESS: C:\Windows\system32\lsass.exe
    -> C:\Windows\system32\pojabese.dll

    PROCESS: C:\Windows\Explorer.exe
    -> C:\Windows\system32\pojabese.dll
    .
    Completion time: 2008-09-23 0:33:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-23 07:33:11

    Pre-Run: 53,101,305,856 bytes free
    Post-Run: 52,845,821,952 bytes free

    343 --- E O F --- 2008-09-23 07:00:06

    Malwarebytes' Anti-Malware 1.27
    Database version: 1127
    Windows 6.0.6001 Service Pack 1

    9/22/2008 11:48:49 PM
    mbam-log-2008-09-22 (23-48-43).txt

    Scan type: Full Scan (C:\|D:\|E:\|F:\|)
    Objects scanned: 112706
    Time elapsed: 2 hour(s), 40 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 14
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 1
    Files Infected: 34

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Windows\System32\cBSkljjK.dll (Trojan.Vundo.H) -> No action taken.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7f38bb8d-d665-4052-b23c-c251a32b8268} (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{7f38bb8d-d665-4052-b23c-c251a32b8268} (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a455dbe0-d681-4784-aab2-4e8ff21ab5b9} (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{a455dbe0-d681-4784-aab2-4e8ff21ab5b9} (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{429fd057-5063-4018-af29-4e31b1b5e44c} (Trojan.BHO.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{429fd057-5063-4018-af29-4e31b1b5e44c} (Trojan.BHO.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{f77bbe3b-9c38-47f6-99d7-b79b453d0f50} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f77bbe3b-9c38-47f6-99d7-b79b453d0f50} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buvuzodala (Trojan.Agent) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbskljjk -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbskljjk -> No action taken.

    Folders Infected:
    C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> No action taken.

    Files Infected:
    C:\Windows\System32\cBSkljjK.dll (Trojan.Vundo.H) -> No action taken.
    C:\Windows\System32\KjjlkSBc.ini (Trojan.Vundo.H) -> No action taken.
    C:\Windows\System32\KjjlkSBc.ini2 (Trojan.Vundo.H) -> No action taken.
    C:\Windows\system32\nbksph.dll (Trojan.Vundo.H) -> No action taken.
    C:\Windows\System32\wejuwava.dll (Trojan.BHO.H) -> No action taken.
    C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\efCvuutS.dll (Trojan.Vundo) -> No action taken.
    C:\Users\Theo Moor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z2SLYTJ\nd82m0[1] (Trojan.Vundo) -> No action taken.
    C:\Users\Theo Moor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z2SLYTJ\upd105320[2] (Trojan.Vundo) -> No action taken.
    C:\Users\Theo Moor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YB23S58A\cntr[1] (Trojan.Vundo) -> No action taken.
    C:\Users\Theo Moor\AppData\Local\Temp\tmp00010f9b (Trojan.Vundo) -> No action taken.
    C:\Users\Theo Moor\AppData\Local\Temp\tmp00011095 (Trojan.Vundo) -> No action taken.
    C:\Users\Theo Moor\AppData\Local\Temp\tmp000134f5 (Trojan.Vundo) -> No action taken.
    C:\Users\Theo Moor\AppData\Local\Temp\tmp00016ced (Trojan.Vundo) -> No action taken.
    C:\Users\Theo Moor\AppData\Local\Temp\tmp0001b60c (Trojan.Vundo) -> No action taken.
    C:\Users\Theo Moor\AppData\Local\Temp\tmp00021582 (Trojan.Vundo) -> No action taken.
    C:\Windows\System32\opnlLDsQ.dll (Trojan.Vundo) -> No action taken.
    C:\Windows\System32\ddcCTmLd.dll (Trojan.Vundo) -> No action taken.
    C:\Windows\System32\nnnMfeEx.dll (Trojan.Vundo) -> No action taken.
    C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> No action taken.
    C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> No action taken.
    C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> No action taken.
    C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> No action taken.
    C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> No action taken.
    C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> No action taken.
    C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> No action taken.
    C:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> No action taken.
    C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> No action taken.
    C:\Windows\System32\tdssl.dll (Trojan.Agent) -> No action taken.
    C:\Windows\System32\tdssserf.dll (Trojan.Agent) -> No action taken.
    C:\Windows\System32\tdssinit.dll (Trojan.Agent) -> No action taken.
    C:\Windows\System32\tdssservers.dat (Trojan.Agent) -> No action taken.
    C:\Windows\System32\drivers\TDSSserv.sys (Trojan.Agent) -> No action taken.
    C:\Windows\System32\kejajumo.dll (Trojan.Agent) -> No action taken.
    C:\Users\Theo Moor\AppData\Local\Temp\lwpwer.exe (Trojan.FakeAlert) -> No action taken.
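    As an added example (not part of the thread and not ComboFix's own code), the following Python script reads the "Reg Loading Points" section in the text form ComboFix prints and flags the settings a helper reads first in a log like the one above: the AppInit_DLLs injection, the LSA Notification Packages entry that names a DLL by full path, Security Center monitoring switched off, firewall profiles disabled and UAC disabled. The excerpt it parses is constructed from values in the posted log; the set of stock LSA notification packages is an assumption.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix. It parses the
registry dump in ComboFix's text format and reports persistence and
self-protection settings worth a closer look.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix's output format; values taken from the posted log.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\Windows\system32\pojabese.dll nbksph.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd C:\Windows\system32\pojabese.dll C:\Windows\system32\pojabese.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "Name"= value, where ComboFix appends a "(0x..)" hex rendering to numeric values
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*?)\s*(?:\(0x[0-9a-fA-F]+\))?$')
# Name REG_MULTI_SZ a b c   (multi-string values are printed unquoted, space separated)
MULTI_RE = re.compile(r"^(.+?)\s+REG_MULTI_SZ\s+(.*)$")

# Assumption: notification packages present on a stock Vista install.
LSA_BASELINE = {"scecli", "rassfm"}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    key: str
    detail: str


def parse_reg_points(text: str) -> dict[str, dict]:
    """Return {key_path_lowercase: {value_name: value}}; REG_MULTI_SZ values become lists."""
    sections: dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif current is None:
            continue
        elif m := MULTI_RE.match(line):
            sections[current][m.group(1)] = m.group(2).split()
        elif m := VALUE_RE.match(line):
            sections[current][m.group(1)] = m.group(2)
    return sections


def as_int(value: str) -> int | None:
    """Decode both '1' and 'dword:00000001' renderings."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    try:
        return int(value)
    except ValueError:
        return None


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for key, vals in parse_reg_points(text).items():
        if key.endswith("\\windows nt\\currentversion\\windows"):
            dlls = vals.get("AppInit_DLLs", "").strip()
            if dlls and as_int(vals.get("LoadAppInit_DLLs", "1")) != 0:
                findings.append(Finding("high", key, f"AppInit_DLLs injected into every user32 process: {dlls}"))
        elif key.endswith("\\control\\lsa"):
            for pkg in dict.fromkeys(vals.get("Notification Packages", [])):  # dedupe, keep order
                if "\\" in pkg or pkg.lower().endswith(".dll"):
                    findings.append(Finding("high", key, f"LSA notification package given as a file path (loaded by lsass): {pkg}"))
                elif pkg.lower() not in LSA_BASELINE:
                    findings.append(Finding("medium", key, f"non-default LSA notification package, verify vendor: {pkg}"))
        elif key.endswith("\\policies\\system"):
            if as_int(vals.get("EnableLUA", "1")) == 0:
                findings.append(Finding("medium", key, "UAC disabled (EnableLUA=0)"))
        elif "\\security center" in key:
            if as_int(vals.get("DisableMonitoring", "0")) == 1:
                findings.append(Finding("medium", key, "Security Center monitoring disabled"))
        elif "\\firewallpolicy\\" in key and key.endswith("profile"):
            if as_int(vals.get("EnableFirewall", "1")) == 0:
                findings.append(Finding("medium", key, "Windows Firewall disabled for this profile (EnableFirewall=0)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.key}\n         {f.detail}")
```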
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    hehe the clock and other things will reset when we finish.

    Not to worry :)
     
  5. 2oldGeek

    I also need a fresh HijackThis Log, please.
     
  6. 2oldGeek

    nevermind the HJT Log, I found it.. It's late :)
     
  7. 2oldGeek

    Hey chkinjoe,

    It will take some time to go through the logs.

    There’s a lot left to be removed and I am about dead right now so I will get some rest and hope to get a Fix to you by Tues. evening.

    That way I won’t make mistakes.. :)

    2OG
     
  8. 2oldGeek

    Hey chkinjoe,

    You have some very strange files that I cannot find any info on so instead of having to ask you about each one of them, let’s do a little more cleaning and just see if we can get rid of some of them.

    Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

    Please download and install SUPERAntiSpyware Free

    • Double-click SUPERAntiSypware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
    • Under the "Configuration and Preferences", click the Preferences... button.
    • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
    • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.

    • Click the "Close" button to leave the control center screen and exit the program.
    Do not run a scan just yet.


    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.

    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


    Scan with SUPERAntiSpyware as follows:

    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.

    • Click Close to exit the program.


    Please post back with the SAS Log and a fresh HJT Log.

    2OG
     
  9. chkinjoe

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/23/2008 at 07:18 PM

    Application Version : 4.21.1004

    Core Rules Database Version : 3578
    Trace Rules Database Version: 1566

    Scan type : Complete Scan
    Total Scan Time : 00:54:27

    Memory items scanned : 217
    Memory threats detected : 0
    Registry items scanned : 6477
    Registry threats detected : 0
    File items scanned : 88454
    File threats detected : 9

    Trojan.Unknown Origin
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\1.ICO.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\2.ICO.VIR
    C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\1.ICO
    C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\2.ICO

    Trojan.Dropper/Win-NV
    C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\YUR7BE8.EXE
    C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\YURF0B7.EXE
    C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\YURF2AB.EXE
    C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\YURF6F1.EXE
    C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\YURFABA.EXE

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:26:56 PM, on 9/23/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: C:\Windows\system32\pojabese.dll nbksph.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
    O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
    O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
    O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
    O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 5955 bytes
     
  10. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @chkinjoe,

    Be sure to run HJT as Administrator:

    Fix entries using HiJackThis

    Launch HiJackThis
    Click the Do a system scan only button
    Put a check next to the entries listed below (if they still remain)

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll (file missing)

    O4 - HKLM\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s

    O4 - HKUS\S-1-5-19\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s (User 'LOCAL SERVICE')

    O20 - AppInit_DLLs: C:\Windows\system32\pojabese.dll nbksph.dll



    IMPORTANT: Do NOT click fix until you exit all browser sessions, including the one you are reading in right now.
    Click the Fix checked button and close HiJackThis.

    Now let me know if you are having any problems.

    2OG
     
  11. chkinjoe

    chkinjoe Member

    Joined:
    Jun 27, 2008
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    16
    Even though I delete them in HJT they still keep coming back

    O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll (file missing)

    O4 - HKLM\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s
     
  12. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Are you SURE you're running HJT as ADMINISTRATOR???
     
  13. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @chkinjoe,

    If you are running HJT as admin. and those lines keep coming back, there may be a rootkit that didn't show up in the logs.

    Go ahead and follow the previous instructions and re-run ComboFix.

    Maybe I'll be able to find something after SuperAntiSpyware deleted some things.

    Please post the new ComboFix log.

    2OG
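    As an added example that is not part of this thread, here is a small Python triage script that applies the kind of rules behind the fix list above (orphaned entries, AppInit_DLLs, Run keys that hand a DLL to rundll32, the DLL names singled out in this thread) to HijackThis lines, and then compares a pre-fix and a post-fix log to list which flagged entries came back. The two log excerpts are constructed from the thread's own lines, and the rules are my heuristics, not anything HijackThis or ComboFix implements.

```python
import re
from typing import Dict, List, Set

# DLL names that the fix list in this thread points at (taken from the posts above);
# kept in a tuple so the reasons come out in a stable order.
FIX_LIST_DLLS = ("wejuwava.dll", "kejajumo.dll", "pojabese.dll", "nbksph.dll")

# "O4 - HKLM\..\Run: [name] command" style lines: section code, " - ", body.
_HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# A Run entry that hands a DLL to rundll32 instead of starting a signed executable.
_RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+?\.dll)"?', re.IGNORECASE)


def flag_reasons(line: str) -> List[str]:
    """Return why one HijackThis line deserves a look; an empty list means unremarkable."""
    match = _HJT_LINE.match(line.strip())
    if not match:
        return []
    section, body = match.group("section"), match.group("body")
    lowered = body.lower()
    reasons: List[str] = []
    if "(file missing)" in lowered or "(no file)" in lowered:
        reasons.append("orphaned entry: registry still points at a file that is not on disk")
    if section == "O20" and lowered.startswith("appinit_dlls:"):
        reasons.append("AppInit_DLLs: these DLLs are loaded into every process that maps user32.dll")
    if section == "O4" and _RUNDLL_DLL.search(body):
        reasons.append("Run entry starts a DLL through rundll32 rather than a signed executable")
    for dll in FIX_LIST_DLLS:
        if dll in lowered:
            reasons.append(f"{dll} is on the thread's fix list")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged line of an HJT log (whitespace-stripped) to its reasons."""
    flagged: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = flag_reasons(line)
        if reasons:
            flagged[line] = reasons
    return flagged


def returned_after_fix(before: str, after: str) -> Set[str]:
    """Flagged lines of the pre-fix log that are present again in the post-fix log.

    A non-empty result is the 'keeps coming back' symptom: something still running
    re-creates the entries, so removing them in HJT alone will not hold.
    """
    after_lines = {raw.strip() for raw in after.splitlines()}
    return set(triage(before)) & after_lines


# Constructed pre-fix excerpt: the entries from the fix list above, verbatim from the
# thread's log, plus two benign lines for contrast.
BEFORE_FIX = r"""O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll (file missing)
O4 - HKLM\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O20 - AppInit_DLLs: C:\Windows\system32\pojabese.dll nbksph.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Constructed post-fix excerpt: the BHO with no file stayed gone, but the Run key and
# the AppInit_DLLs value have been re-created.
AFTER_FIX = r"""O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll (file missing)
O4 - HKLM\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O20 - AppInit_DLLs: C:\Windows\system32\pojabese.dll nbksph.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    for line, why in triage(BEFORE_FIX).items():
        print(line)
        for reason in why:
            print("    ->", reason)
    print("\nStill present after the fix:")
    for line in sorted(returned_after_fix(BEFORE_FIX, AFTER_FIX)):
        print("   ", line)
```

    Run it against a real pair of logs (one saved before clicking Fix checked, one after a reboot) and a non-empty "still present" list tells you a live process is restoring the entries.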
     
  14. chkinjoe

    chkinjoe Member

    Joined:
    Jun 27, 2008
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    16
    Do I run ComboFix and SUPERAntiSpyware in safe mode?
     
  15. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    No need to run SuperAntiSpyware again…
    If you still have ComboFix on your desktop then skip downloading it again and go to instruction no.2

    1. Download ComboFix from one of these locations.
    * IMPORTANT !!! Place combofix.exe on your Desktop

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.

    [IMG]

    3. ComboFix will begin to run. DO NOTHING while this is happening.
    • It will kill a few processes and disconnect you from the internet.
    • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
    • This needs to be done so the program can work most efficiently for you.
    Do not attempt to use the internet or anything else while it's doing its job for you.

    If, when it's completed, you cannot get on the internet, just reboot the computer.

    Post the log from comboFix for me located in
    c:\comboFix.txt
     
  16. chkinjoe

    chkinjoe Member

    Joined:
    Jun 27, 2008
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    16
    ComboFix 08-09-22.06 - Theo Moor 2008-09-23 22:06:43.2 - NTFSx86
    Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.962 [GMT -7:00]
    Running from: C:\Users\Theo Moor\Desktop\combofix.exe
    Command switches used :: /killall
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Possible infected sites -----

    hxxp://77.74.48.101
    .
    ((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
    .

    2008-09-23 22:10 . 2008-09-23 22:12 170,507,212 --a------ C:\Windows\MEMORY.DMP
    2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
    2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
    2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\SUPERAntiSpyware.com
    2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-23 17:55 . 2008-09-23 17:55 <DIR> d-------- C:\DRIVERS
    2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Malwarebytes
    2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\All Users\Malwarebytes
    2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\ProgramData\Malwarebytes
    2008-09-22 20:39 . 2008-09-22 23:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-22 20:39 . 2008-09-08 00:11 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
    2008-09-22 20:39 . 2008-09-08 00:11 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
    2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\Users\All Users\Avira
    2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\ProgramData\Avira
    2008-09-22 16:07 . 2008-09-22 16:07 <DIR> d-------- C:\Program Files\Avira
    2008-09-22 16:03 . 2008-09-22 16:03 869,297 ---hs---- C:\Windows\System32\yspqrdjp.ini2
    2008-09-22 15:13 . 2008-09-22 15:13 <DIR> d-------- C:\Program Files\Zone Labs
    2008-09-22 15:13 . 2008-03-03 15:05 1,086,952 --a------ C:\Windows\System32\zpeng24.dll
    2008-09-22 15:12 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0015.TMP
    2008-09-22 15:11 . 2008-09-23 22:10 352,615 --ah----- C:\Windows\System32\drivers\vsconfig.xml
    2008-09-22 15:11 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
    2008-09-22 14:54 . 2008-09-22 14:54 <DIR> d-------- C:\Program Files\CCleaner
    2008-09-22 11:54 . 2008-09-22 11:54 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-22 11:35 . 2008-09-22 11:35 53,248 --ahs---- C:\Windows\System32\khfDwxxw.dll
    2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\Users\All Users\CheckPoint
    2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\ProgramData\CheckPoint
    2008-09-22 01:37 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
    2008-09-22 01:36 . 2008-09-22 15:13 <DIR> d-------- C:\Windows\System32\ZoneLabs
    2008-09-22 01:35 . 2008-09-23 22:12 <DIR> d-------- C:\Windows\Internet Logs
    2008-09-22 01:25 . 2008-09-23 21:58 <DIR> d-a------ C:\Users\All Users\TEMP
    2008-09-22 01:25 . 2008-09-23 21:58 <DIR> d-a------ C:\ProgramData\TEMP
    2008-09-22 01:25 . 2008-09-23 00:57 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-09-09 11:23 . 2008-07-30 18:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-09-09 11:23 . 2008-08-01 18:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
    2008-09-09 11:23 . 2008-06-25 20:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
    2008-09-09 11:23 . 2008-06-25 20:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
    2008-09-09 11:23 . 2008-05-08 12:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
    2008-09-09 11:23 . 2008-05-19 19:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
    2008-09-09 11:23 . 2008-06-25 20:29 45,056 --a------ C:\Windows\System32\dataclen.dll
    2008-09-09 11:23 . 2008-08-01 20:26 36,864 --a------ C:\Windows\System32\cdd.dll
    2008-09-09 11:23 . 2008-07-30 20:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
    2008-09-08 23:40 . 2008-09-08 23:40 <DIR> d-------- C:\Program Files\warlords battlecry
    2008-09-06 17:55 . 2008-09-06 17:55 <DIR> d-------- C:\Program Files\7-Zip
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\acccore
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\Viewpoint
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\acccore
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\Viewpoint
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\acccore
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\Viewpoint
    2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\Users\All Users\AOL OCP
    2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Users\All Users\AOL
    2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\ProgramData\AOL OCP
    2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\ProgramData\AOL
    2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-09-05 23:16 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\AIM6
    2008-09-05 23:16 . 2008-09-05 23:17 364 --ah----- C:\IPH.PH
    2008-09-05 15:45 . 2008-04-26 01:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.original
    2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\support.com
    2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
    2008-09-05 13:49 . 2008-09-05 13:49 970 --a------ C:\net_save.dna
    2008-09-04 23:52 . 2008-09-09 17:55 <DIR> d-------- C:\Users\Theo Moor\psp files
    2008-09-04 23:40 . 2008-09-04 23:41 <DIR> d-------- C:\Program Files\PSP Pandora Deluxe
    2008-08-30 09:56 . 2008-08-30 09:56 108,144 --a------ C:\Windows\System32\CmdLineExt.dll
    2008-08-30 09:48 . 2008-08-30 09:49 <DIR> d-------- C:\temp
    2008-08-30 01:29 . 2008-08-30 01:29 <DIR> d-------- C:\Program Files\THQ
    2008-08-30 01:29 . 2006-09-28 13:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
    2008-08-30 01:29 . 2006-09-28 13:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
    2008-08-30 01:29 . 2006-07-28 06:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
    2008-08-30 01:29 . 2006-09-28 13:04 68,888 --a------ C:\Windows\System32\xinput1_3.dll
    2008-08-30 01:29 . 2006-07-28 06:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
    2008-08-30 01:29 . 2006-09-28 13:03 15,128 --a------ C:\Windows\System32\x3daudio1_1.dll
    2008-08-29 13:29 . 2008-08-29 16:26 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\WordWeb
    2008-08-29 13:23 . 2008-08-29 13:23 <DIR> d-------- C:\Program Files\Merriam-Webster
    2008-08-28 06:31 . 2008-08-28 06:31 <DIR> d-------- C:\Program Files\ffdshow
    2008-08-28 06:31 . 2008-06-08 20:58 60,273 --a------ C:\Windows\System32\pthreadGC2.dll
    2008-08-28 06:31 . 2008-06-12 17:36 7,680 --a------ C:\Windows\System32\ff_vfw.dll
    2008-08-28 06:31 . 2007-07-10 15:10 547 --a------ C:\Windows\System32\ff_vfw.dll.manifest
    2008-08-26 16:48 . 2008-08-26 16:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    2008-08-26 16:09 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
    2008-08-26 16:09 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
    2008-08-26 16:09 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
    2008-08-26 16:09 . 2008-07-18 19:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
    2008-08-26 16:09 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
    2008-08-26 16:09 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
    2008-08-26 16:09 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
    2008-08-26 16:09 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
    2008-08-26 16:09 . 2008-07-18 17:44 31,232 --a------ C:\Windows\System32\wuapp.exe
    2008-08-25 17:53 . 2008-08-25 17:53 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Xbins
    2008-08-25 17:07 . 2008-08-25 17:08 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\ImgBurn
    2008-08-25 17:05 . 2008-08-25 17:06 <DIR> d-------- C:\Program Files\ImgBurn
    2008-08-25 11:55 . 2008-08-25 11:55 <DIR> d-------- C:\Windows\Sun

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-24 05:10 170,507,212 ----a-w C:\Windows\DUMP4e00.tmp
    2008-09-23 00:01 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\uTorrent
    2008-09-22 23:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-09-22 23:28 --------- d-----w C:\ProgramData\Symantec
    2008-09-21 02:11 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\LimeWire
    2008-09-10 04:32 --------- d-----w C:\ProgramData\Microsoft Help
    2008-09-09 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-06 05:34 --------- d-----w C:\Program Files\NoAdware
    2008-08-24 03:53 --------- d-----w C:\Program Files\Java
    2008-08-24 03:50 --------- d-----w C:\Program Files\Common Files\Java
    2008-08-24 03:25 --------- d-----w C:\Program Files\LimeWire
    2008-08-22 04:26 --------- d-----w C:\Program Files\LucasArts
    2008-08-22 04:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
    2008-08-22 04:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\ATI
    2008-08-22 04:16 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
    2008-08-22 04:16 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\DAEMON Tools
    2008-08-21 01:36 --------- d-----w C:\Program Files\uTorrent
    2008-08-20 04:03 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-08-20 03:02 --------- d-----w C:\Program Files\Yahoo!
    2008-08-19 22:24 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
    2008-08-17 02:02 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Ceedo
    2008-08-16 03:46 --------- d-----w C:\Program Files\Windows Mail
    2008-08-08 15:20 --------- d-----w C:\Program Files\Spotmau WinCares 2007
    2008-08-01 20:54 --------- d-----w C:\ProgramData\Yahoo!
    2008-08-01 20:53 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Yahoo!
    2008-08-01 20:39 --------- d-----w C:\ProgramData\Apple Computer
    2008-08-01 20:39 --------- d-----w C:\Program Files\QuickTime
    2008-08-01 20:05 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-08-01 19:51 --------- d-----w C:\Program Files\Microsoft Works
    2008-08-01 19:50 --------- d-----w C:\Program Files\MSBuild
    2008-08-01 19:48 --------- d-----w C:\Program Files\Microsoft.NET
    2008-08-01 19:44 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
    2008-07-31 11:00 --------- d-----w C:\Program Files\ThinkPad
    2008-07-31 11:00 --------- d-----w C:\Program Files\Lenovo
    2008-07-31 10:56 --------- d-----w C:\Program Files\Windows Sidebar
    2008-07-31 10:52 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-31 10:03 174 --sha-w C:\Program Files\desktop.ini
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Photo Gallery
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Journal
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Defender
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Collaboration
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Calendar
    2008-07-31 09:43 82,432 ----a-w C:\Windows\System32\axaltocm.dll
    2008-07-31 09:43 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
    2008-07-31 08:51 47,560 ----a-w C:\Windows\System32\SPReview.exe
    2008-07-31 08:51 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
    2008-07-31 08:09 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\ATI
    2008-07-31 08:06 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
    2008-07-31 08:03 --------- d-----w C:\ProgramData\UIB
    2008-07-31 08:03 --------- d-----w C:\Program Files\Common Files\ThinkVantage Fingerprint Software
    2008-07-31 08:01 --------- d-----w C:\Program Files\ATI Technologies
    2008-07-31 08:00 --------- d-----w C:\Program Files\ATI
    2008-07-31 07:37 --------- d-----w C:\Program Files\Common Files\Lenovo
    2008-07-31 07:23 233,888 ----a-w C:\Windows\System32\DreamScene.dll
    2008-07-31 07:21 --------- d-----w C:\Program Files\UPEK
    2008-07-31 07:20 --------- d-----w C:\Program Files\BitLocker
    2008-07-31 07:19 1,171,848 ----a-w C:\Windows\System32\SecureKeyBackupCPL.dll
    2008-07-31 07:17 678,408 ----a-w C:\Windows\System32\gpprefcl.dll
    2008-07-31 07:16 --------- d-----w C:\Program Files\Microsoft Games
    2008-07-31 07:15 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
    2008-07-31 07:15 --------- d-----w C:\Program Files\Synaptics
    2008-07-31 07:15 --------- d-----w C:\Program Files\CONEXANT
    2008-07-31 06:28 9,847,296 ----a-w C:\Windows\System32\NlsData000a.dll
    2008-07-31 06:26 2,032,128 ----a-w C:\Windows\System32\win32k.sys
    2008-07-31 06:25 295,936 ----a-w C:\Windows\System32\gdi32.dll
    2008-07-31 06:22 14,848 ----a-w C:\Windows\System32\wshrm.dll
    2008-07-31 06:22 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
    2008-07-31 06:20 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
    2008-07-31 06:20 1,695,744 ----a-w C:\Windows\System32\gameux.dll
    2008-07-31 06:17 1,314,816 ----a-w C:\Windows\System32\quartz.dll
    2008-07-31 06:16 428,544 ----a-w C:\Windows\System32\EncDec.dll
    2008-07-31 06:16 293,376 ----a-w C:\Windows\System32\psisdecd.dll
    2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
    2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
    2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
    2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
    2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
    2008-06-22 23:00 64,512 --sha-w C:\Windows\System32\pojabese.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-23_ 0.32.07.96 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-09-24 01:11:05 18,944 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2008-09-24 01:11:05 65,024 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    + 2008-09-24 05:10:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2008-09-24 05:10:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-09-24 05:11:21 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    - 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-09-24 05:11:20 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    - 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-09-24 05:10:51 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-09-24 05:01:20 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008092320080924\index.dat
    - 2008-09-23 07:29:15 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-09-24 05:10:51 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-09-24 05:10:51 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-09-23 07:24:25 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
    + 2008-09-24 05:06:38 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
    - 2008-09-23 06:56:50 106,796 ----a-w C:\Windows\System32\perfc009.dat
    + 2008-09-24 04:51:40 106,796 ----a-w C:\Windows\System32\perfc009.dat
    - 2008-09-23 06:56:50 611,788 ----a-w C:\Windows\System32\perfh009.dat
    + 2008-09-24 04:51:40 611,788 ----a-w C:\Windows\System32\perfh009.dat
    - 2008-09-22 22:19:50 6,604 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
    + 2008-09-24 01:06:23 6,856 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
    - 2008-09-22 22:19:50 59,240 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-09-24 01:06:23 60,132 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2008-09-23 03:26:37 34,256 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-09-24 04:49:14 34,444 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{429fd057-5063-4018-af29-4e31b1b5e44c}]
    C:\Windows\system32\wejuwava.dll [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "buvuzodala"="C:\Windows\system32\kejajumo.dll" [BU]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-09-22 266497]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
    "TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "EnableInstallerDetection"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "EnableSecureUIAPaths"= 0 (0x0)
    "EnableVirtualization"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "LogonHoursAction"= 2 (0x2)
    "DontDisplayLogonHoursWarnings"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-08-14 15:54 89600 C:\Windows\System32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\Windows\system32\pojabese.dll
    "LoadAppInit_DLLs"=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd C:\Windows\system32\pojabese.dll C:\Windows\system32\pojabese.dll

    [HKLM\~\startupfolder\C:^Users^Theo Moor^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
    path=C:\Users\Theo Moor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
    backup=C:\Windows\pss\CCC.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
    --------- 2008-06-13 02:30 214576 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
    --------- 2008-06-05 02:36 242976 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
    --------- 2008-06-13 02:30 591136 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    --a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    --a------ 2007-11-21 18:08 820520 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
    --a------ 2008-03-04 10:34 487424 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    --a------ 2008-01-18 23:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2498408150-3981597196-2587865111-1000]
    "EnableNotificationsRef"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{14C99733-4468-449F-AB4D-7CB22BDA2F19}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{31EADDE9-E2AD-4510-A8C7-D6BE7691CB5C}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{3DA5929B-C65D-49A4-A870-E70FC95C4EED}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{3E49912C-6B00-4DB5-B24E-EFD6CAF97AD6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{5066E27B-0873-4BA2-9B5D-CA2FBE6BA843}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{994B4A53-2A8E-4B10-BCE3-7C38486C36FD}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{09159D92-EA6A-4D82-9A2A-6AB4D7D72E3F}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{BEB6BFDE-56E4-4F55-B505-AAC495B1344A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
    "{E94EADD5-AA7A-4487-80FD-0E80AA5461B8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
    "{9F97F662-2B3A-4DB6-B2CE-FA2D2482BF5C}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
    "{C0862004-5E5C-43F9-B5F5-DE6D0496A394}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
    "{EF61FAD2-4E03-424B-8FED-040BCE8C8699}"= UDP:5721:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
    "{6BF31B32-A0E6-467E-856D-33A27E555335}"= UDP:1034:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
    "{56BDB850-4D1D-4364-A053-53F1926542D7}"= UDP:5678:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
    "{62244E3E-F731-42C5-A10E-C37B5AE9C60C}"= UDP:999:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
    "{CBF2E472-9B7E-46A1-8732-C3B520B63FE2}"= UDP:26675:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
    "{FCA69773-1341-4A43-A42D-FD75AF173083}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
    "{FA61575D-0DBF-4B1B-94EE-11C6CA413E3E}"= UDP:5721:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
    "{C0275CA5-3711-4887-93D8-2235D68075D9}"= UDP:1034:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
    "{CEAE717D-9660-4906-8F94-E52C9B4C62E9}"= UDP:5678:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
    "{096C14BC-7EAB-49B8-8536-0379D118B857}"= UDP:999:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
    "{952340F9-65E5-4544-AA58-90C9F29699C5}"= UDP:26675:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
    "{33EA85A1-8F53-4BE7-9E5A-EBE4619379AB}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
    "{4E9731CD-6D92-49F5-8AD6-FCE70BDEADB3}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
    "{EDF13208-E6B8-44CD-83BF-87ACD83751F2}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
    "{224B317F-9D86-4EB4-9B26-455BCAE2774D}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{141B6876-88C0-4085-9DDF-FD24F7076100}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{6448E642-07C8-4AF5-A5C4-0C76D9B1FB8E}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
    "{1B94555C-451E-4970-B9DA-DAE44AD99BF9}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
    "{8F4F7A7B-08AD-46B9-B33C-9623F1E51B3A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{1BB56A87-F810-40DA-9616-0BD3F85B053F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{431C8773-0CCD-4077-9506-7678D8C7C678}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
    "{D2C19758-638C-4B8A-901C-3FA609D145F7}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
    "TCP Query User{60E15E31-81F5-4238-8184-601ED071D8D3}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
    "UDP Query User{F618D534-A0E9-406F-A44A-B60998F08498}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:µTorrent

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)

    R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
    R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2008-06-13 12080]
    R2 AntiVirMailService;Avira AntiVir Premium MailGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-09-22 164097]
    R2 antivirwebservice;Avira AntiVir Premium WebGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-09-22 258305]
    R2 AVEService;Avira AntiVir Premium MailGuard helper service;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-09-22 41217]
    R2 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-06-13 66848]
    R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
    R2 TPHKSVC;On Screen Display;C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [2008-03-27 58736]
    R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-05 2464768]
    R3 HSXHWICH;HSXHWICH;C:\Windows\system32\DRIVERS\HSXHWICH.sys [2006-10-18 248320]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-02 179712]
    S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    S3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
    S3 VSTHWICH;VSTHWICH;C:\Windows\system32\DRIVERS\VSTICH3.SYS [2006-11-02 242176]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    bthsvcs REG_MULTI_SZ BthServ

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b32395b-7001-11dd-9017-000000000000}]
    \shell\AutoRun\command - E:\autorun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
    msiexec /fums {CCA08FFD-3F64-A525-170F-FB2D73CDC661} /qb

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
    %SystemRoot%\system32\soundschemes.exe /AddRegistration
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Users\Theo Moor\AppData\Roaming\Mozilla\Firefox\Profiles\uh8vkm3r.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net/a/
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\Windows\system32\winlogon.exe
    -> C:\Windows\system32\pojabese.dll

    PROCESS: C:\Windows\system32\lsass.exe
    -> C:\Windows\system32\pojabese.dll

    PROCESS: C:\Windows\Explorer.exe
    -> C:\Windows\system32\pojabese.dll
    .
    Completion time: 2008-09-23 22:16:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-24 05:16:19
    ComboFix2.txt 2008-09-23 07:33:31

    Pre-Run: 48,388,767,744 bytes free
    Post-Run: 48,000,577,536 bytes free

    393 --- E O F --- 2008-09-23 07:00:06
     
  17. chkinjoe

    chkinjoe Member

    ComboFix 08-09-22.06 - Theo Moor 2008-09-23 22:06:43.2 - NTFSx86
    Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.962 [GMT -7:00]
    Running from: C:\Users\Theo Moor\Desktop\combofix.exe
    Command switches used :: /killall
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Possible infected sites -----

    hxxp://77.74.48.101
    .
    ((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
    .

    2008-09-23 22:10 . 2008-09-23 22:12 170,507,212 --a------ C:\Windows\MEMORY.DMP
    2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
    2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
    2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\SUPERAntiSpyware.com
    2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-23 17:55 . 2008-09-23 17:55 <DIR> d-------- C:\DRIVERS
    2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Malwarebytes
    2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\All Users\Malwarebytes
    2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\ProgramData\Malwarebytes
    2008-09-22 20:39 . 2008-09-22 23:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-22 20:39 . 2008-09-08 00:11 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
    2008-09-22 20:39 . 2008-09-08 00:11 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
    2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\Users\All Users\Avira
    2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\ProgramData\Avira
    2008-09-22 16:07 . 2008-09-22 16:07 <DIR> d-------- C:\Program Files\Avira
    2008-09-22 16:03 . 2008-09-22 16:03 869,297 ---hs---- C:\Windows\System32\yspqrdjp.ini2
    2008-09-22 15:13 . 2008-09-22 15:13 <DIR> d-------- C:\Program Files\Zone Labs
    2008-09-22 15:13 . 2008-03-03 15:05 1,086,952 --a------ C:\Windows\System32\zpeng24.dll
    2008-09-22 15:12 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0015.TMP
    2008-09-22 15:11 . 2008-09-23 22:10 352,615 --ah----- C:\Windows\System32\drivers\vsconfig.xml
    2008-09-22 15:11 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
    2008-09-22 14:54 . 2008-09-22 14:54 <DIR> d-------- C:\Program Files\CCleaner
    2008-09-22 11:54 . 2008-09-22 11:54 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-22 11:35 . 2008-09-22 11:35 53,248 --ahs---- C:\Windows\System32\khfDwxxw.dll
    2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\Users\All Users\CheckPoint
    2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\ProgramData\CheckPoint
    2008-09-22 01:37 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
    2008-09-22 01:36 . 2008-09-22 15:13 <DIR> d-------- C:\Windows\System32\ZoneLabs
    2008-09-22 01:35 . 2008-09-23 22:12 <DIR> d-------- C:\Windows\Internet Logs
    2008-09-22 01:25 . 2008-09-23 21:58 <DIR> d-a------ C:\Users\All Users\TEMP
    2008-09-22 01:25 . 2008-09-23 21:58 <DIR> d-a------ C:\ProgramData\TEMP
    2008-09-22 01:25 . 2008-09-23 00:57 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-09-09 11:23 . 2008-07-30 18:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-09-09 11:23 . 2008-08-01 18:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
    2008-09-09 11:23 . 2008-06-25 20:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
    2008-09-09 11:23 . 2008-06-25 20:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
    2008-09-09 11:23 . 2008-05-08 12:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
    2008-09-09 11:23 . 2008-05-19 19:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
    2008-09-09 11:23 . 2008-06-25 20:29 45,056 --a------ C:\Windows\System32\dataclen.dll
    2008-09-09 11:23 . 2008-08-01 20:26 36,864 --a------ C:\Windows\System32\cdd.dll
    2008-09-09 11:23 . 2008-07-30 20:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
    2008-09-08 23:40 . 2008-09-08 23:40 <DIR> d-------- C:\Program Files\warlords battlecry
    2008-09-06 17:55 . 2008-09-06 17:55 <DIR> d-------- C:\Program Files\7-Zip
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\acccore
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\Viewpoint
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\acccore
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\Viewpoint
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\acccore
    2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\Viewpoint
    2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\Users\All Users\AOL OCP
    2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Users\All Users\AOL
    2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\ProgramData\AOL OCP
    2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\ProgramData\AOL
    2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-09-05 23:16 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\AIM6
    2008-09-05 23:16 . 2008-09-05 23:17 364 --ah----- C:\IPH.PH
    2008-09-05 15:45 . 2008-04-26 01:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.original
    2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\support.com
    2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
    2008-09-05 13:49 . 2008-09-05 13:49 970 --a------ C:\net_save.dna
    2008-09-04 23:52 . 2008-09-09 17:55 <DIR> d-------- C:\Users\Theo Moor\psp files
    2008-09-04 23:40 . 2008-09-04 23:41 <DIR> d-------- C:\Program Files\PSP Pandora Deluxe
    2008-08-30 09:56 . 2008-08-30 09:56 108,144 --a------ C:\Windows\System32\CmdLineExt.dll
    2008-08-30 09:48 . 2008-08-30 09:49 <DIR> d-------- C:\temp
    2008-08-30 01:29 . 2008-08-30 01:29 <DIR> d-------- C:\Program Files\THQ
    2008-08-30 01:29 . 2006-09-28 13:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
    2008-08-30 01:29 . 2006-09-28 13:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
    2008-08-30 01:29 . 2006-07-28 06:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
    2008-08-30 01:29 . 2006-09-28 13:04 68,888 --a------ C:\Windows\System32\xinput1_3.dll
    2008-08-30 01:29 . 2006-07-28 06:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
    2008-08-30 01:29 . 2006-09-28 13:03 15,128 --a------ C:\Windows\System32\x3daudio1_1.dll
    2008-08-29 13:29 . 2008-08-29 16:26 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\WordWeb
    2008-08-29 13:23 . 2008-08-29 13:23 <DIR> d-------- C:\Program Files\Merriam-Webster
    2008-08-28 06:31 . 2008-08-28 06:31 <DIR> d-------- C:\Program Files\ffdshow
    2008-08-28 06:31 . 2008-06-08 20:58 60,273 --a------ C:\Windows\System32\pthreadGC2.dll
    2008-08-28 06:31 . 2008-06-12 17:36 7,680 --a------ C:\Windows\System32\ff_vfw.dll
    2008-08-28 06:31 . 2007-07-10 15:10 547 --a------ C:\Windows\System32\ff_vfw.dll.manifest
    2008-08-26 16:48 . 2008-08-26 16:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    2008-08-26 16:09 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
    2008-08-26 16:09 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
    2008-08-26 16:09 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
    2008-08-26 16:09 . 2008-07-18 19:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
    2008-08-26 16:09 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
    2008-08-26 16:09 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
    2008-08-26 16:09 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
    2008-08-26 16:09 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
    2008-08-26 16:09 . 2008-07-18 17:44 31,232 --a------ C:\Windows\System32\wuapp.exe
    2008-08-25 17:53 . 2008-08-25 17:53 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Xbins
    2008-08-25 17:07 . 2008-08-25 17:08 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\ImgBurn
    2008-08-25 17:05 . 2008-08-25 17:06 <DIR> d-------- C:\Program Files\ImgBurn
    2008-08-25 11:55 . 2008-08-25 11:55 <DIR> d-------- C:\Windows\Sun

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-24 05:10 170,507,212 ----a-w C:\Windows\DUMP4e00.tmp
    2008-09-23 00:01 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\uTorrent
    2008-09-22 23:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-09-22 23:28 --------- d-----w C:\ProgramData\Symantec
    2008-09-21 02:11 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\LimeWire
    2008-09-10 04:32 --------- d-----w C:\ProgramData\Microsoft Help
    2008-09-09 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-06 05:34 --------- d-----w C:\Program Files\NoAdware
    2008-08-24 03:53 --------- d-----w C:\Program Files\Java
    2008-08-24 03:50 --------- d-----w C:\Program Files\Common Files\Java
    2008-08-24 03:25 --------- d-----w C:\Program Files\LimeWire
    2008-08-22 04:26 --------- d-----w C:\Program Files\LucasArts
    2008-08-22 04:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
    2008-08-22 04:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\ATI
    2008-08-22 04:16 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
    2008-08-22 04:16 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\DAEMON Tools
    2008-08-21 01:36 --------- d-----w C:\Program Files\uTorrent
    2008-08-20 04:03 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-08-20 03:02 --------- d-----w C:\Program Files\Yahoo!
    2008-08-19 22:24 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
    2008-08-17 02:02 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Ceedo
    2008-08-16 03:46 --------- d-----w C:\Program Files\Windows Mail
    2008-08-08 15:20 --------- d-----w C:\Program Files\Spotmau WinCares 2007
    2008-08-01 20:54 --------- d-----w C:\ProgramData\Yahoo!
    2008-08-01 20:53 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Yahoo!
    2008-08-01 20:39 --------- d-----w C:\ProgramData\Apple Computer
    2008-08-01 20:39 --------- d-----w C:\Program Files\QuickTime
    2008-08-01 20:05 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-08-01 19:51 --------- d-----w C:\Program Files\Microsoft Works
    2008-08-01 19:50 --------- d-----w C:\Program Files\MSBuild
    2008-08-01 19:48 --------- d-----w C:\Program Files\Microsoft.NET
    2008-08-01 19:44 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
    2008-07-31 11:00 --------- d-----w C:\Program Files\ThinkPad
    2008-07-31 11:00 --------- d-----w C:\Program Files\Lenovo
    2008-07-31 10:56 --------- d-----w C:\Program Files\Windows Sidebar
    2008-07-31 10:52 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-31 10:03 174 --sha-w C:\Program Files\desktop.ini
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Photo Gallery
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Journal
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Defender
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Collaboration
    2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Calendar
    2008-07-31 09:43 82,432 ----a-w C:\Windows\System32\axaltocm.dll
    2008-07-31 09:43 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
    2008-07-31 08:51 47,560 ----a-w C:\Windows\System32\SPReview.exe
    2008-07-31 08:51 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
    2008-07-31 08:09 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\ATI
    2008-07-31 08:06 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
    2008-07-31 08:03 --------- d-----w C:\ProgramData\UIB
    2008-07-31 08:03 --------- d-----w C:\Program Files\Common Files\ThinkVantage Fingerprint Software
    2008-07-31 08:01 --------- d-----w C:\Program Files\ATI Technologies
    2008-07-31 08:00 --------- d-----w C:\Program Files\ATI
    2008-07-31 07:37 --------- d-----w C:\Program Files\Common Files\Lenovo
    2008-07-31 07:23 233,888 ----a-w C:\Windows\System32\DreamScene.dll
    2008-07-31 07:21 --------- d-----w C:\Program Files\UPEK
    2008-07-31 07:20 --------- d-----w C:\Program Files\BitLocker
    2008-07-31 07:19 1,171,848 ----a-w C:\Windows\System32\SecureKeyBackupCPL.dll
    2008-07-31 07:17 678,408 ----a-w C:\Windows\System32\gpprefcl.dll
    2008-07-31 07:16 --------- d-----w C:\Program Files\Microsoft Games
    2008-07-31 07:15 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
    2008-07-31 07:15 --------- d-----w C:\Program Files\Synaptics
    2008-07-31 07:15 --------- d-----w C:\Program Files\CONEXANT
    2008-07-31 06:28 9,847,296 ----a-w C:\Windows\System32\NlsData000a.dll
    2008-07-31 06:26 2,032,128 ----a-w C:\Windows\System32\win32k.sys
    2008-07-31 06:25 295,936 ----a-w C:\Windows\System32\gdi32.dll
    2008-07-31 06:22 14,848 ----a-w C:\Windows\System32\wshrm.dll
    2008-07-31 06:22 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
    2008-07-31 06:20 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
    2008-07-31 06:20 1,695,744 ----a-w C:\Windows\System32\gameux.dll
    2008-07-31 06:17 1,314,816 ----a-w C:\Windows\System32\quartz.dll
    2008-07-31 06:16 428,544 ----a-w C:\Windows\System32\EncDec.dll
    2008-07-31 06:16 293,376 ----a-w C:\Windows\System32\psisdecd.dll
    2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
    2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
    2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
    2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
    2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
    2008-06-22 23:00 64,512 --sha-w C:\Windows\System32\pojabese.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-23_ 0.32.07.96 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-09-24 01:11:05 18,944 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2008-09-24 01:11:05 65,024 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    + 2008-09-24 05:10:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2008-09-24 05:10:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-09-24 05:11:21 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    - 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-09-24 05:11:20 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    - 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-09-24 05:10:51 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-09-24 05:01:20 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008092320080924\index.dat
    - 2008-09-23 07:29:15 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-09-24 05:10:51 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-09-24 05:10:51 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-09-23 07:24:25 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
    + 2008-09-24 05:06:38 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
    - 2008-09-23 06:56:50 106,796 ----a-w C:\Windows\System32\perfc009.dat
    + 2008-09-24 04:51:40 106,796 ----a-w C:\Windows\System32\perfc009.dat
    - 2008-09-23 06:56:50 611,788 ----a-w C:\Windows\System32\perfh009.dat
    + 2008-09-24 04:51:40 611,788 ----a-w C:\Windows\System32\perfh009.dat
    - 2008-09-22 22:19:50 6,604 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
    + 2008-09-24 01:06:23 6,856 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
    - 2008-09-22 22:19:50 59,240 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-09-24 01:06:23 60,132 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2008-09-23 03:26:37 34,256 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-09-24 04:49:14 34,444 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{429fd057-5063-4018-af29-4e31b1b5e44c}]
    C:\Windows\system32\wejuwava.dll [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "buvuzodala"="C:\Windows\system32\kejajumo.dll" [BU]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-09-22 266497]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
    "TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "EnableInstallerDetection"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "EnableSecureUIAPaths"= 0 (0x0)
    "EnableVirtualization"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "LogonHoursAction"= 2 (0x2)
    "DontDisplayLogonHoursWarnings"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-08-14 15:54 89600 C:\Windows\System32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\Windows\system32\pojabese.dll
    "LoadAppInit_DLLs"=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd C:\Windows\system32\pojabese.dll C:\Windows\system32\pojabese.dll

    [HKLM\~\startupfolder\C:^Users^Theo Moor^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
    path=C:\Users\Theo Moor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
    backup=C:\Windows\pss\CCC.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
    --------- 2008-06-13 02:30 214576 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
    --------- 2008-06-05 02:36 242976 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
    --------- 2008-06-13 02:30 591136 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    --a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    --a------ 2007-11-21 18:08 820520 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
    --a------ 2008-03-04 10:34 487424 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    --a------ 2008-01-18 23:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2498408150-3981597196-2587865111-1000]
    "EnableNotificationsRef"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{14C99733-4468-449F-AB4D-7CB22BDA2F19}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{31EADDE9-E2AD-4510-A8C7-D6BE7691CB5C}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{3DA5929B-C65D-49A4-A870-E70FC95C4EED}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{3E49912C-6B00-4DB5-B24E-EFD6CAF97AD6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{5066E27B-0873-4BA2-9B5D-CA2FBE6BA843}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{994B4A53-2A8E-4B10-BCE3-7C38486C36FD}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{09159D92-EA6A-4D82-9A2A-6AB4D7D72E3F}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{BEB6BFDE-56E4-4F55-B505-AAC495B1344A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
    "{E94EADD5-AA7A-4487-80FD-0E80AA5461B8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
    "{9F97F662-2B3A-4DB6-B2CE-FA2D2482BF5C}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
    "{C0862004-5E5C-43F9-B5F5-DE6D0496A394}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
    "{EF61FAD2-4E03-424B-8FED-040BCE8C8699}"= UDP:5721:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
    "{6BF31B32-A0E6-467E-856D-33A27E555335}"= UDP:1034:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
    "{56BDB850-4D1D-4364-A053-53F1926542D7}"= UDP:5678:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
    "{62244E3E-F731-42C5-A10E-C37B5AE9C60C}"= UDP:999:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
    "{CBF2E472-9B7E-46A1-8732-C3B520B63FE2}"= UDP:26675:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
    "{FCA69773-1341-4A43-A42D-FD75AF173083}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
    "{FA61575D-0DBF-4B1B-94EE-11C6CA413E3E}"= UDP:5721:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
    "{C0275CA5-3711-4887-93D8-2235D68075D9}"= UDP:1034:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
    "{CEAE717D-9660-4906-8F94-E52C9B4C62E9}"= UDP:5678:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
    "{096C14BC-7EAB-49B8-8536-0379D118B857}"= UDP:999:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
    "{952340F9-65E5-4544-AA58-90C9F29699C5}"= UDP:26675:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
    "{33EA85A1-8F53-4BE7-9E5A-EBE4619379AB}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
    "{4E9731CD-6D92-49F5-8AD6-FCE70BDEADB3}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
    "{EDF13208-E6B8-44CD-83BF-87ACD83751F2}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
    "{224B317F-9D86-4EB4-9B26-455BCAE2774D}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{141B6876-88C0-4085-9DDF-FD24F7076100}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{6448E642-07C8-4AF5-A5C4-0C76D9B1FB8E}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
    "{1B94555C-451E-4970-B9DA-DAE44AD99BF9}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
    "{8F4F7A7B-08AD-46B9-B33C-9623F1E51B3A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{1BB56A87-F810-40DA-9616-0BD3F85B053F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{431C8773-0CCD-4077-9506-7678D8C7C678}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
    "{D2C19758-638C-4B8A-901C-3FA609D145F7}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
    "TCP Query User{60E15E31-81F5-4238-8184-601ED071D8D3}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
    "UDP Query User{F618D534-A0E9-406F-A44A-B60998F08498}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:µTorrent

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)

    R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
    R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2008-06-13 12080]
    R2 AntiVirMailService;Avira AntiVir Premium MailGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-09-22 164097]
    R2 antivirwebservice;Avira AntiVir Premium WebGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-09-22 258305]
    R2 AVEService;Avira AntiVir Premium MailGuard helper service;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-09-22 41217]
    R2 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-06-13 66848]
    R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
    R2 TPHKSVC;On Screen Display;C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [2008-03-27 58736]
    R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-05 2464768]
    R3 HSXHWICH;HSXHWICH;C:\Windows\system32\DRIVERS\HSXHWICH.sys [2006-10-18 248320]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-02 179712]
    S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    S3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
    S3 VSTHWICH;VSTHWICH;C:\Windows\system32\DRIVERS\VSTICH3.SYS [2006-11-02 242176]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    bthsvcs REG_MULTI_SZ BthServ

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b32395b-7001-11dd-9017-000000000000}]
    \shell\AutoRun\command - E:\autorun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
    msiexec /fums {CCA08FFD-3F64-A525-170F-FB2D73CDC661} /qb

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
    %SystemRoot%\system32\soundschemes.exe /AddRegistration
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Users\Theo Moor\AppData\Roaming\Mozilla\Firefox\Profiles\uh8vkm3r.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net/a/
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\Windows\system32\winlogon.exe
    -> C:\Windows\system32\pojabese.dll

    PROCESS: C:\Windows\system32\lsass.exe
    -> C:\Windows\system32\pojabese.dll

    PROCESS: C:\Windows\Explorer.exe
    -> C:\Windows\system32\pojabese.dll
    .
    Completion time: 2008-09-23 22:16:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-24 05:16:19
    ComboFix2.txt 2008-09-23 07:33:31

    Pre-Run: 48,388,767,744 bytes free
    Post-Run: 48,000,577,536 bytes free

    393 --- E O F --- 2008-09-23 07:00:06
     
  18. chkinjoe

    chkinjoe Member

    Joined:
    Jun 27, 2008
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    16
    And I'm still getting the DLL file error on startup saying it cannot run kejajumo.dll.
     
  19. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Thanks for the info – that helps.

    I’ll keep digging and post a fix for you, but please give me a little time to dig it all out.


    Back as soon as I can.
    2OG
     
  20. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @ chkinjoe,

    Open Notepad - it must be Notepad, not Wordpad.
    Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C



    Go to the Notepad window and click Edit > Paste
    Then click File > Save
    Name the file "CFScript.txt" (including the quotes)
    Save the file to your Desktop


    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    2OG
     