Virtumonde.dll ( what a biotch)

[themarsvolta55]

alright, so i recieved a virus from selfishly downloading a keygen for a prog.
and iv tried ALOT, mostly using spybot, doing the normal scan, trying to remove it,removing the BHO's, killing the process/module then once the module is killed ( either urqPjGyV.dll or ssqQKCuR.dll ) trying to use a file shredder and going into the system 32 folder and shredding it. iv also tried safemode, scanning, then cleaning it, doesnt work either

any help would be GREAT!!!!

jordan

 

[adarsh]

1. Please download the latest copy of HijackThis from Trend Micro and save it to your desktop.
2. Double click on HJTInstall.exe to install it. Click on Install. By default, it will install to C:\Program Files\Trend Micro\HijackThis.
3. Read through the License Agreement presented to you on the next screen and click on I Accept.
4. Once installed, HijackThis will start automatically. If it doesn't, please go to your desktop and double click on the HijackThis shortcut created there.
5. Select Do a system scan and save a logfile.
6. Close HijackThis.

Please post the contents of the post here for the experts to review and help you with the removal.
Note: Do not click on the AnalyzeThis button.

Do not fix any lines you see in HijackThis as most entries are harmless and needed for the normal functioning of Windows.

P.S :Please note that I will not be participating in your fix because I'm still under training. This is just to help the experts here and to save time.

 

[Punk]

Please post the Hijackthis log along with these logs:

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

• Download this file from one of the three below listed places :
  
  http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  http://www.forospyware.com/sUBs/ComboFix.exe
  http://subs.geekstogo.com/ComboFix.exe
  
• Then double click combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[alexyu]

nothing of these helped me when i had vundo
you should consider reinstalling os

 

[Punk]

nothing of these helped me when i had vundo
you should consider reinstalling os

Lol did you do it yourself or did you follow someone's fixes, someone who had fixed that infection before?

We've cleaned many virtumonde infections on this forum...

 

[themarsvolta55]

sorry- should of thought earlier and posted the hijack

-------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:49 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Desktop Lighter\DLighter.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [bc67c3f0] rundll32.exe "C:\WINDOWS\system32\bjioviqv.dll",b
O4 - HKLM\..\Run: [BMbf54f06c] Rundll32.exe "C:\WINDOWS\system32\usegsaif.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DLIGHTER] C:\Program Files\Desktop Lighter\DLighter.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4801 bytes

 

[Punk]

Please follow the instructions I posted earlier

 

[themarsvolta55]

vundo-fix didnt find anything (?)

and this is the log from combo fix...

---------------------------------------------------------
ComboFix 08-05-29.1 - Jordan 2008-06-01 10:47:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1161 [GMT -4:00]
Running from: C:\Documents and Settings\Jordan\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbf54f06c.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aeqlitfu.ini
C:\WINDOWS\system32\bjioviqv.dll
C:\WINDOWS\system32\ekhtfhmh.dll
C:\WINDOWS\system32\fMUtDcdd.ini
C:\WINDOWS\system32\fMUtDcdd.ini2
C:\WINDOWS\system32\gicwucxv.ini
C:\WINDOWS\system32\GQAyyccf.ini
C:\WINDOWS\system32\GQAyyccf.ini2
C:\WINDOWS\system32\jduyvobr.dll
C:\WINDOWS\system32\jwphvqde.dll
C:\WINDOWS\system32\lnWFNqss.ini
C:\WINDOWS\system32\lnWFNqss.ini2
C:\WINDOWS\system32\lojcnoja.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mTDfPqru.ini
C:\WINDOWS\system32\mTDfPqru.ini2
C:\WINDOWS\system32\qlkkcics.ini
C:\WINDOWS\system32\rbovyudj.ini
C:\WINDOWS\system32\RrBbdccf.ini
C:\WINDOWS\system32\RrBbdccf.ini2
C:\WINDOWS\system32\RuCKQqss.ini
C:\WINDOWS\system32\RuCKQqss.ini2
C:\WINDOWS\system32\scickklq.dll
C:\WINDOWS\system32\sjmmbote.exe
C:\WINDOWS\system32\uftilqea.dll
C:\WINDOWS\system32\usegsaif.dll
C:\WINDOWS\system32\vpbgglcw.exe
C:\WINDOWS\system32\vqivoijb.ini
C:\WINDOWS\system32\vxcuwcig.dll
C:\WINDOWS\system32\xdjeeggc.dll
C:\WINDOWS\system32\xpenpkxd.exe
C:\WINDOWS\system32\yGPWayay.ini
C:\WINDOWS\system32\yGPWayay.ini2
C:\WINDOWS\system32\ywtyljec.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 10:58 . 2008-06-01 10:58 373,248 --a------ C:\WINDOWS\system32\vtUlMfFU.dll
2008-06-01 10:58 . 2008-06-01 10:58 345 --ahs---- C:\WINDOWS\system32\UFfMlUtv.ini2
2008-06-01 10:58 . 2008-06-01 10:58 345 --ahs---- C:\WINDOWS\system32\UFfMlUtv.ini
2008-06-01 10:35 . 2008-06-01 10:35 <DIR> d-------- C:\VundoFix Backups
2008-06-01 00:36 . 2008-06-01 00:54 <DIR> d-------- C:\!KillBox
2008-05-31 12:54 . 2008-05-31 12:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-31 12:54 . 2008-05-31 12:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-31 00:51 . 373,248 C:\WINDOWS\system32\fccdbBrR.dll_old
2008-05-31 00:50 . 2008-05-31 00:50 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-29 22:35 . 2008-05-29 22:41 <DIR> d-------- C:\Program Files\CCleaner
2008-05-28 20:20 . 2008-05-28 20:20 <DIR> d-------- C:\Program Files\aKill
2008-05-28 19:59 . 2008-05-28 19:59 <DIR> d-------- C:\Program Files\Safer Networking
2008-05-28 19:53 . 2008-06-01 10:16 611 --a------ C:\WINDOWS\wininit.ini
2008-05-28 17:31 . 2008-05-29 00:13 <DIR> d-------- C:\Program Files\File Shredder
2008-05-28 17:20 . 2008-05-29 00:14 372,736 --a------ C:\WINDOWS\system32\23560491.dll_old
2008-05-28 17:16 . 2008-05-28 17:16 58,368 --a------ C:\WINDOWS\system32\cbXRKEvv.dll
2008-05-28 17:15 . 2008-05-28 17:15 58,368 --a------ C:\WINDOWS\system32\urqPjGyV.dll
2008-05-28 17:15 . 2008-05-28 17:15 58,368 --a------ C:\WINDOWS\system32\mlJCuuSJ.dll
2008-05-27 23:18 . 2008-05-27 23:18 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-05-27 13:26 . 2008-05-27 13:26 <DIR> d-------- C:\Program Files\LimeWire
2008-05-27 13:26 . 2008-05-28 17:20 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\LimeWire
2008-05-27 13:24 . 2008-05-27 13:24 <DIR> d-------- C:\WINDOWS\system32\SDA
2008-05-27 13:24 . 2008-05-27 13:24 <DIR> d-------- C:\Program Files\TOSHIBA
2008-05-26 12:14 . 2008-05-26 12:15 <DIR> d-------- C:\Program Files\FLAC
2008-05-26 11:35 . 2008-05-26 11:37 <DIR> d-------- C:\Program Files\Winamp
2008-05-26 11:35 . 2008-05-26 11:45 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Winamp
2008-05-23 00:02 . 2008-05-23 00:02 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-22 12:35 . 2008-05-23 00:03 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Ahead
2008-05-22 12:34 . 2008-05-22 12:34 <DIR> d-------- C:\Program Files\Nero
2008-05-22 12:34 . 2008-05-22 12:34 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-05-22 10:40 . 2008-05-22 10:40 <DIR> d-------- C:\Westwood
2008-05-17 18:33 . 2008-05-17 18:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-16 12:09 . 2008-05-16 12:09 <DIR> d-------- C:\Program Files\EA GAMES
2008-05-16 12:08 . 2008-05-16 12:08 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-16 12:08 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-16 12:04 . 2008-05-16 12:04 <DIR> d-------- C:\Program Files\MagicISO
2008-05-15 13:52 . 2008-06-01 00:35 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-14 18:45 . 2008-05-15 13:51 0 --a------ C:\WINDOWS\vpd.properties
2008-05-14 18:42 . 2008-05-14 18:42 <DIR> d-------- C:\Program Files\Sybase
2008-05-13 22:23 . 2008-05-13 22:23 <DIR> d-------- C:\Program Files\uTorrent
2008-05-13 22:22 . 2008-05-28 17:42 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\uTorrent
2008-05-12 20:08 . 2008-05-28 17:44 <DIR> d-------- C:\Program Files\Google
2008-05-11 02:09 . 2008-05-11 02:09 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 20:46 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-10 15:01 . 2008-05-10 15:01 <DIR> d-------- C:\Program Files\Red Kawa
2008-05-10 15:01 . 2008-05-10 15:01 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-08 14:31 . 2005-06-10 22:02 12,800 --a------ C:\WINDOWS\system32\vncdrv.dll
2008-05-08 14:31 . 2004-06-26 13:22 6,016 --a------ C:\WINDOWS\system32\drivers\vnccom.SYS
2008-05-08 14:31 . 2004-06-26 13:21 5,760 --a------ C:\WINDOWS\system32\vnchelp.dll
2008-05-08 14:31 . 2004-06-26 13:22 4,736 --a------ C:\WINDOWS\system32\drivers\vncdrv.sys
2008-05-08 14:31 . 2008-05-08 14:31 44 --a------ C:\WINDOWS\system32\'
2008-05-08 03:00 . 2008-05-08 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-06 21:02 . 2008-05-06 21:05 <DIR> d-------- C:\Program Files\AutoCAD 2009
2008-05-06 21:02 . 2008-05-28 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-06 21:02 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-06 21:01 . 2008-05-06 21:01 <DIR> d-------- C:\Program Files\MSBuild
2008-05-06 20:59 . 2008-05-06 20:59 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-05-06 20:59 . 2008-05-06 20:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-05-06 20:58 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-06 20:56 . 2008-05-06 21:06 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-06 20:56 . 2008-05-06 20:56 <DIR> d-------- C:\Program Files\Autodesk
2008-05-06 20:56 . 2008-05-28 23:51 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Autodesk
2008-05-06 20:40 . 2008-05-06 20:40 <DIR> d-------- C:\install
2008-05-06 13:57 . 2008-05-06 13:57 <DIR> d-------- C:\WINDOWS\Sun
2008-05-06 13:57 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-06 13:56 . 2008-05-06 13:57 <DIR> d-------- C:\Program Files\Java
2008-05-06 13:49 . 2008-05-06 13:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-06 13:38 . 2008-05-06 13:38 <DIR> d-------- C:\Documents and Settings\Jordan\WINDOWS
2008-05-06 13:38 . 1995-09-02 15:57 269,312 --a------ C:\WINDOWS\uninst.exe
2008-05-04 12:58 . 2008-05-04 12:59 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-02 00:38 . 2008-05-10 20:47 <DIR> d-------- C:\Program Files\Desktop Lighter
2008-05-01 13:42 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-05-01 13:42 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-05-01 13:42 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-01 13:42 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 21:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 18:32 --------- d-----w C:\Program Files\Need for Speed Underground 2
2008-05-03 03:28 --------- d-----w C:\Program Files\Buddy Icon Maker
2008-05-03 03:10 --------- d-----w C:\Program Files\AIM6
2008-04-30 21:18 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-30 07:08 --------- d-----w C:\Documents and Settings\Jordan\Application Data\ATI
2008-04-30 07:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-04-30 03:27 --------- d-----w C:\Program Files\EphPod
2008-04-30 02:39 --------- d-----w C:\Program Files\Common Files\DirectX
2008-04-30 02:31 --------- d-----w C:\Program Files\DirectX 9.0c
2008-04-30 02:05 --------- d-----w C:\Program Files\Volumouse
2008-04-30 02:04 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-04-30 00:29 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-30 00:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 00:29 --------- d-----w C:\Program Files\Realtek
2008-04-30 00:23 --------- d-----w C:\Program Files\Infogrames
2008-04-30 00:13 --------- d-----w C:\Program Files\QuickTime
2008-04-30 00:13 --------- d-----w C:\Program Files\iTunes
2008-04-30 00:13 --------- d-----w C:\Program Files\iPod
2008-04-30 00:13 --------- d-----w C:\Program Files\Bonjour
2008-04-30 00:13 --------- d-----w C:\Documents and Settings\Jordan\Application Data\Apple Computer
2008-04-30 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-30 00:12 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-29 23:54 --------- d-----w C:\Documents and Settings\Jordan\Application Data\acccore
2008-04-29 23:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-29 23:53 --------- d-----w C:\Program Files\Colorizer
2008-04-29 23:51 --------- d-----w C:\Program Files\AIM FightList
2008-04-29 23:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-29 23:47 --------- d-----w C:\Documents and Settings\Jordan\Application Data\vlc
2008-04-29 23:46 --------- d-----w C:\Program Files\VideoLAN
2008-04-29 23:44 --------- d-----w C:\Program Files\Trend Micro
2008-04-29 23:37 --------- d-----w C:\Program Files\ATI
2008-04-29 23:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-29 23:36 --------- d-----w C:\Program Files\ATI Technologies
2008-04-29 23:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-29 23:08 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-17 20:33 4,707,328 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-04-10 20:52 16,861,184 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-04-02 13:27 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
2008-03-29 05:19 9,801,728 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-03-29 04:40 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-03-29 04:05 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-03-29 04:04 299,008 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-03-29 03:56 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-03-29 03:56 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-03-29 03:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-03-29 03:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-03-29 03:55 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-03-29 03:54 536,576 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-03-29 03:52 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-03-29 03:43 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-03-29 03:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-03-29 03:36 1,765,120 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-03-29 03:23 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-03-29 03:21 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-03-29 03:19 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-03-29 03:12 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-03-29 01:05 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 22:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}]
2008-05-28 17:15 58368 --a------ C:\WINDOWS\system32\urqPjGyV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5170872F-A9BD-4D9E-9DF2-FF8E4CB503F3}]
2008-06-01 10:58 373248 --a------ C:\WINDOWS\system32\vtUlMfFU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E54863BA-42B9-447F-BD94-A50156215BD7}]
C:\WINDOWS\system32\fccdbBrR.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]
"DLIGHTER"="C:\Program Files\Desktop Lighter\DLighter.exe" [2008-03-15 02:30 224768]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-21 21:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"ATICustomerCare"="C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 18:38 307200]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43 5146448]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16:52 16861184 C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 14:49 36352]
"BMbf54f06c"="C:\WINDOWS\system32\xniefnue.dll" [2008-06-01 11:02 126464]

C:\Documents and Settings\Jordan\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-16 12:08:05 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}"= C:\WINDOWS\system32\urqPjGyV.dll [2008-05-28 17:15 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqPjGyV]
urqPjGyV.dll 2008-05-28 17:15 58368 C:\WINDOWS\system32\urqPjGyV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vtUlMfFU

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
S3 cpuz;cpuz;C:\DOCUME~1\Jordan\LOCALS~1\Temp\Rar$EX00.422\cpuz.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\readit\command - notepad readme.doc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 20:48:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-01 07:00:03 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 10:58:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\xniefnue.dll

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\urqPjGyV.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\xniefnue.dll
-> C:\WINDOWS\system32\vtUlMfFU.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-01 11:06:07 - machine was rebooted [Jordan]
ComboFix-quarantined-files.txt 2008-06-01 15:05:22

Pre-Run: 178,504,417,280 bytes free
Post-Run: 178,550,452,224 bytes free

286 --- E O F --- 2008-05-28 07:01:12

 

[Punk]

OK

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

• Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
• Click Format, and ensure Word Wrap is unchecked.
• Copy and Paste the text in the box below into Notepad.
• Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\vtUlMfFU.dll
C:\WINDOWS\system32\UFfMlUtv.ini2
C:\WINDOWS\system32\UFfMlUtv.ini
C:\WINDOWS\system32\fccdbBrR.dll_old
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\23560491.dll_old
C:\WINDOWS\system32\cbXRKEvv.dll
C:\WINDOWS\system32\urqPjGyV.dll
C:\WINDOWS\system32\mlJCuuSJ.dll
C:\WINDOWS\system32\xniefnue.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.

• Check Load script from file:
• Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
• Double click it to enter it into Avenger.
• Click the green traffic light symbol.
• You will be asked if you want to execute the script, answer Yes.
• At this point you may get prompts from your protection systems, allow them please.
• Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
• Answer Yes, and allow your computer to re-boot.
• Upon re-boot a command window will briefly appear on screen (this is normal).
• A Notepad text file will be created C:\avenger.txt.
• Copy and Paste it into your next post please.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.

 

[themarsvolta55]

here is my avenger
deckards will be posted shortly...

------------------------------------------------------
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\vtUlMfFU.dll" not found!
Deletion of file "C:\WINDOWS\system32\vtUlMfFU.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\UFfMlUtv.ini2" deleted successfully.
File "C:\WINDOWS\system32\UFfMlUtv.ini" deleted successfully.

Error: file "C:\WINDOWS\system32\fccdbBrR.dll_old" not found!
Deletion of file "C:\WINDOWS\system32\fccdbBrR.dll_old" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\d3d8caps.dat" deleted successfully.
File "C:\WINDOWS\system32\23560491.dll_old" deleted successfully.
File "C:\WINDOWS\system32\cbXRKEvv.dll" deleted successfully.
File "C:\WINDOWS\system32\urqPjGyV.dll" deleted successfully.
File "C:\WINDOWS\system32\mlJCuuSJ.dll" deleted successfully.
File "C:\WINDOWS\system32\xniefnue.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

 

[themarsvolta55]

main txt

and heres deckards...


MAIN.TXT
----------------------------------------------------
Deckard's System Scanner v20071014.68
Run by Jordan on 2008-06-02 01:18:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
54: 2008-06-02 05:18:15 UTC - RP54 - Deckard's System Scanner Restore Point
53: 2008-06-01 15:01:04 UTC - RP53 - Last known good configuration
52: 2008-06-01 15:00:16 UTC - RP52 - ComboFix created restore point
51: 2008-06-01 15:00:15 UTC - RP51 - System Checkpoint
50: 2008-06-01 15:00:14 UTC - RP50 - System Checkpoint


-- First Restore Point --
1: 2008-06-01 14:58:31 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jordan.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:28 AM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Jordan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jordan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {166BCB27-FCFD-4588-9BDB-44FC6A02EF35} - C:\WINDOWS\system32\urqPjGyV.dll (file missing)
O2 - BHO: (no name) - {5170872F-A9BD-4D9E-9DF2-FF8E4CB503F3} - C:\WINDOWS\system32\vtUlMfFU.dll (file missing)
O2 - BHO: {a62de3d5-f1ac-1f8a-b1d4-8508abfddb86} - {68bddfba-8058-4d1b-a8f1-ca1f5d3ed26a} - C:\WINDOWS\system32\imwfesld.dll
O2 - BHO: (no name) - {E54863BA-42B9-447F-BD94-A50156215BD7} - C:\WINDOWS\system32\fccdbBrR.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BMbf54f06c] Rundll32.exe "C:\WINDOWS\system32\xniefnue.dll",s
O4 - HKLM\..\Run: [bc67c3f0] rundll32.exe "C:\WINDOWS\system32\gyyrtlox.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DLIGHTER] C:\Program Files\Desktop Lighter\DLighter.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: urqPjGyV - urqPjGyV.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5153 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080528-195537-115 O4 - HKLM\..\RunOnce: [SpybotDeletingC1913] cmd /c del "C:\WINDOWS\system32\ssqNFWnl.dll_old"
backup-20080528-195537-218 O4 - HKCU\..\RunOnce: [SpybotDeletingB5534] command /c del "C:\WINDOWS\system32\ssqNFWnl.dll_old"
backup-20080528-195537-313 O4 - HKLM\..\RunOnce: [SpybotDeletingA9023] command /c del "C:\WINDOWS\system32\ssqNFWnl.dll_old"
backup-20080528-195537-533 O4 - HKLM\..\RunOnce: [SpybotDeletingC6120] cmd /c del "C:\WINDOWS\system32\ssqNFWnl.dll"
backup-20080528-195537-678 O4 - HKLM\..\RunOnce: [SpybotDeletingA4936] command /c del "C:\WINDOWS\system32\ssqNFWnl.dll"
backup-20080528-195537-752 O4 - HKCU\..\RunOnce: [SpybotDeletingD5310] cmd /c del "C:\WINDOWS\system32\ssqNFWnl.dll"
backup-20080528-195537-886 O4 - HKCU\..\RunOnce: [SpybotDeletingD7881] cmd /c del "C:\WINDOWS\system32\ssqNFWnl.dll_old"
backup-20080528-195537-929 O4 - HKCU\..\RunOnce: [SpybotDeletingB1000] command /c del "C:\WINDOWS\system32\ssqNFWnl.dll"

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - C:\WINDOWS\system32\notepad.exe "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 cpuz - c:\docume~1\jordan\locals~1\temp\rar$ex00.422\cpuz.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_FF001179&REV_01\4&1B08A035&0&0030
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_FF001179&REV_01\4&1B08A035&0&0030
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_FF001179&REV_00\4&B216F0A&0&22A4
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_FF001179&REV_00\4&B216F0A&0&22A4
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\TOS1900\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\TOS1900\2&DABA3FF&0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-01 03:00:03 290 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-05-26 16:48:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-01 11:08:57 114176 --a------ C:\WINDOWS\system32\gyyrtlox.dll
2008-06-01 11:06:18 132096 --a------ C:\WINDOWS\system32\imwfesld.dll
2008-06-01 11:04:21 2560 --a------ C:\WINDOWS\system32\abllqeka.exe
2008-06-01 10:37:03 68096 --a------ C:\WINDOWS\zip.exe
2008-06-01 10:37:03 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-01 10:37:03 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-01 10:37:03 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-01 10:37:03 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-01 10:37:03 98816 --a------ C:\WINDOWS\sed.exe
2008-06-01 10:37:03 80412 --a------ C:\WINDOWS\grep.exe
2008-06-01 10:37:03 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-01 10:35:57 0 d-------- C:\VundoFix Backups
2008-06-01 00:36:06 0 d-------- C:\!KillBox
2008-05-30 12:39:33 0 dr-h----- C:\Documents and Settings\Jordan\Recent
2008-05-30 12:27:49 0 d--hs---- C:\WINDOWS\CSC
2008-05-29 22:35:57 0 d-------- C:\Program Files\CCleaner
2008-05-29 22:21:17 0 d-------- C:\WINDOWS\pss
2008-05-28 20:20:13 0 d-------- C:\Program Files\aKill
2008-05-28 19:59:31 0 d-------- C:\Program Files\Safer Networking
2008-05-28 17:31:48 0 d-------- C:\Program Files\File Shredder
2008-05-28 17:20:55 3145728 --a------ C:\Documents and Settings\Jordan\ntuser.dat
2008-05-27 13:26:39 0 d-------- C:\Documents and Settings\Jordan\Application Data\LimeWire
2008-05-27 13:26:30 0 d-------- C:\Program Files\LimeWire
2008-05-27 13:24:46 0 d-------- C:\WINDOWS\system32\SDA
2008-05-27 13:24:46 0 d-------- C:\Program Files\TOSHIBA
2008-05-26 12:14:45 0 d-------- C:\Program Files\FLAC
2008-05-26 11:35:49 0 d-------- C:\WINDOWS\RegisteredPackages
2008-05-26 11:35:07 0 d-------- C:\Program Files\Winamp
2008-05-26 11:35:07 0 d-------- C:\Documents and Settings\Jordan\Application Data\Winamp
2008-05-22 12:35:29 0 d-------- C:\Documents and Settings\Jordan\Application Data\Ahead
2008-05-22 12:34:15 0 d-------- C:\Program Files\Nero
2008-05-22 12:34:15 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-22 10:40:29 0 d-------- C:\Westwood
2008-05-17 18:33:34 0 d-------- C:\WINDOWS\system32\LogFiles
2008-05-16 12:09:03 0 d-------- C:\Program Files\EA GAMES
2008-05-16 12:08:05 96256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2008-05-16 12:08:05 0 d-------- C:\Program Files\MagicDisc
2008-05-16 12:04:25 0 d-------- C:\Program Files\MagicISO
2008-05-15 13:52:05 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-14 18:42:44 0 d-------- C:\Program Files\Sybase
2008-05-13 22:23:02 0 d-------- C:\Program Files\uTorrent
2008-05-13 22:22:53 0 d-------- C:\Documents and Settings\Jordan\Application Data\uTorrent
2008-05-12 20:12:03 0 d-------- C:\Documents and Settings\Jordan\Application Data\Google
2008-05-12 20:08:16 0 d-------- C:\Program Files\Google
2008-05-11 02:09:03 0 d-------- C:\Program Files\Apple Software Update
2008-05-10 15:01:04 0 d-------- C:\Program Files\AviSynth 2.5
2008-05-10 15:01:00 0 d-------- C:\Program Files\Red Kawa
2008-05-08 14:31:52 44 --a------ C:\WINDOWS\system32\'
2008-05-08 14:31:24 5760 --a------ C:\WINDOWS\system32\vnchelp.dll <Not Verified; RDV Soft; UltraVnc Kernel>
2008-05-08 03:00:45 0 d-------- C:\Program Files\MSXML 6.0
2008-05-06 21:02:52 0 d-------- C:\Program Files\AutoCAD 2009
2008-05-06 21:02:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-06 21:01:29 0 d-------- C:\Program Files\MSBuild
2008-05-06 20:59:45 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-05-06 20:59:09 0 d-------- C:\Program Files\Reference Assemblies
2008-05-06 20:56:57 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-06 20:56:57 0 d-------- C:\Program Files\Autodesk
2008-05-06 20:56:57 0 d-------- C:\Documents and Settings\Jordan\Application Data\Autodesk
2008-05-06 20:40:49 0 d-------- C:\install
2008-05-06 13:57:44 0 d-------- C:\WINDOWS\Sun
2008-05-06 13:57:44 0 d-------- C:\Documents and Settings\Jordan\Application Data\Sun
2008-05-06 13:56:49 0 d-------- C:\Program Files\Java
2008-05-06 13:49:15 0 d-------- C:\Program Files\Common Files\Java
2008-05-06 13:38:27 269312 --a------ C:\WINDOWS\uninst.exe <Not Verified; Stirling Technologies, Inc.; InstallShield Deinstaller>
2008-05-06 13:38:27 0 d-------- C:\Documents and Settings\Jordan\WINDOWS
2008-05-04 12:58:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-04 12:58:47 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-02 00:38:03 0 d-------- C:\Program Files\Desktop Lighter


-- Find3M Report ---------------------------------------------------------------

2008-05-22 12:34:15 0 d-------- C:\Program Files\Common Files
2008-05-15 15:15:31 0 d-------- C:\Documents and Settings\Jordan\Application Data\Mozilla
2008-05-14 14:32:30 0 d-------- C:\Program Files\Need for Speed Underground 2
2008-05-04 12:59:53 0 d-------- C:\Documents and Settings\Jordan\Application Data\Adobe
2008-05-02 23:28:05 0 d-------- C:\Program Files\Buddy Icon Maker
2008-05-02 23:10:41 0 d-------- C:\Program Files\AIM6
2008-04-30 22:55:35 0 d-------- C:\Program Files\Messenger
2008-04-30 17:18:37 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-30 03:08:02 0 d-------- C:\Documents and Settings\Jordan\Application Data\ATI
2008-04-29 23:27:32 0 d-------- C:\Program Files\EphPod
2008-04-29 22:39:26 0 d-------- C:\Program Files\Common Files\DirectX
2008-04-29 22:31:32 0 d-------- C:\Program Files\DirectX 9.0c
2008-04-29 22:05:32 0 d-------- C:\Program Files\Volumouse
2008-04-29 22:04:57 39424 --a------ C:\WINDOWS\zipinst.exe <Not Verified; NirSoft; ZipInstaller>
2008-04-29 20:29:42 0 d-------- C:\Program Files\Realtek
2008-04-29 20:29:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-29 20:29:37 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-29 20:23:14 0 d-------- C:\Program Files\Infogrames
2008-04-29 20:14:51 0 d-------- C:\Documents and Settings\Jordan\Application Data\Macromedia
2008-04-29 20:14:48 1169 --a------ C:\WINDOWS\mozver.dat
2008-04-29 20:13:33 0 d-------- C:\Documents and Settings\Jordan\Application Data\Apple Computer
2008-04-29 20:13:29 0 d-------- C:\Program Files\iTunes
2008-04-29 20:13:21 0 d-------- C:\Program Files\iPod
2008-04-29 20:13:06 0 d-------- C:\Program Files\Bonjour
2008-04-29 20:13:00 0 d-------- C:\Program Files\QuickTime
2008-04-29 20:12:03 0 d-------- C:\Program Files\Common Files\Apple
2008-04-29 20:08:28 0 d-------- C:\Documents and Settings\Jordan\Application Data\WinRAR
2008-04-29 19:54:04 0 d-------- C:\Documents and Settings\Jordan\Application Data\acccore
2008-04-29 19:53:08 0 d-------- C:\Program Files\Colorizer
2008-04-29 19:51:42 0 d-------- C:\Program Files\AIM FightList
2008-04-29 19:47:08 0 d-------- C:\Documents and Settings\Jordan\Application Data\vlc
2008-04-29 19:46:36 0 d-------- C:\Program Files\VideoLAN
2008-04-29 19:44:40 0 d-------- C:\Program Files\Trend Micro
2008-04-29 19:38:00 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-29 19:37:09 0 d-------- C:\Program Files\ATI
2008-04-29 19:36:54 0 d-------- C:\Program Files\ATI Technologies
2008-04-29 19:36:30 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-29 19:33:37 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-29 19:13:16 0 d-------- C:\Documents and Settings\Jordan\Application Data\Identities
2008-04-29 19:08:13 0 d-------- C:\Program Files\microsoft frontpage
2008-04-29 19:07:53 0 -rahs---- C:\MSDOS.SYS
2008-04-29 19:07:53 0 -rahs---- C:\IO.SYS
2008-04-29 19:07:53 0 --a------ C:\CONFIG.SYS
2008-04-29 19:07:53 0 --a------ C:\AUTOEXEC.BAT
2008-04-29 19:06:32 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-29 19:04:38 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-29 19:04:12 0 d-------- C:\Program Files\Movie Maker
2008-04-29 19:02:41 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-29 19:02:10 0 d-------- C:\Program Files\Online Services
2008-04-29 19:01:52 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-29 19:01:34 0 d-------- C:\Program Files\Windows NT
2008-04-29 12:19:46 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-29 12:19:39 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-29 12:18:51 62 --ahs---- C:\Documents and Settings\Jordan\Application Data\desktop.ini
2008-03-28 21:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-03-05 18:07:48 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}]
C:\WINDOWS\system32\urqPjGyV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5170872F-A9BD-4D9E-9DF2-FF8E4CB503F3}]
C:\WINDOWS\system32\vtUlMfFU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68bddfba-8058-4d1b-a8f1-ca1f5d3ed26a}]
06/01/2008 11:06 AM 132096 --a------ C:\WINDOWS\system32\imwfesld.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E54863BA-42B9-447F-BD94-A50156215BD7}]
C:\WINDOWS\system32\fccdbBrR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [02/21/2006 09:05 PM C:\WINDOWS\system32\atiptaxx.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM]
"ATICustomerCare"="C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [10/04/2007 06:38 PM]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [01/28/2008 11:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"RTHDCPL"="RTHDCPL.EXE" [04/10/2008 04:52 PM C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/01/2008 02:49 PM]
"BMbf54f06c"="C:\WINDOWS\system32\xniefnue.dll" []
"bc67c3f0"="C:\WINDOWS\system32\gyyrtlox.dll" [06/01/2008 11:08 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 04:21 PM]
"DLIGHTER"="C:\Program Files\Desktop Lighter\DLighter.exe" [03/15/2008 02:30 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [09/03/2005 03:18 PM]

C:\Documents and Settings\Jordan\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [5/16/2008 12:08:05 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}"= C:\WINDOWS\system32\urqPjGyV.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqPjGyV]
urqPjGyV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUlMfFU


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autorun.exe
readit\command- notepad readme.doc




-- End of Deckard's System Scanner: finished at 2008-06-02 01:19:53 ------------

 

[themarsvolta55]

extra txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion(tm) 64 X2 Mobile Technology TL-56
CPU 1: AMD Turion(tm) 64 X2 Mobile Technology TL-56
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 1917.97 MiB / 1487.82 MiB
Pagefile Memory (total/avail): 3811.19 MiB / 3498.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.23 MiB

C: is Fixed (NTFS) - 232.88 GiB total, 166.25 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - FUJITSU MHX2250BT - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jordan\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JORGAN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jordan
LOGONSERVER=\\JORGAN
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 72 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4802
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Jordan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Jordan\LOCALS~1\Temp
USERDOMAIN=JORGAN
USERNAME=Jordan
USERPROFILE=C:\Documents and Settings\Jordan
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Jordan (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
@Kill rel. 1.0 --> "C:\Program Files\aKill\unins000.exe"
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AIM Fight List 1.0.0.1 --> C:\PROGRA~1\AIMFIG~1\UNWISE.EXE C:\PROGRA~1\AIMFIG~1\INSTALL.LOG
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Catalyst Registration --> MsiExec.exe /X{72736F5F-520D-472A-88CC-7B02872FD34E}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_classISPLAY -clean
AutoCAD 2009 - English --> C:\Program Files\AutoCAD 2009\Setup\Setup.exe /P {5783F2D7-7001-0409-0002-0060B0CE6BBA} /M ACAD
Autodesk Design Review 2009 --> C:\Program Files\Autodesk\Autodesk Design Review\Setup\Setup.exe /P {450063AA-643B-417C-8CF5-405BA3F4EF40} /M ADR
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Buddy Icon Maker 1.0.0.1 --> C:\PROGRA~1\BUDDYI~1\UNWISE.EXE C:\PROGRA~1\BUDDYI~1\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Colorizer 1.0.0.1 --> C:\PROGRA~1\COLORI~1\UNWISE.EXE C:\PROGRA~1\COLORI~1\INSTALL.LOG
Emperor: Battle For Dune --> C:\Westwood\Emperor\Uninstll.EXE
EphPod --> C:\PROGRA~1\EphPod\UNWISE.EXE C:\PROGRA~1\EphPod\INSTALL.LOG
File Shredder 2.0 --> "C:\Program Files\File Shredder\unins000.exe"
FileAlyzer --> "C:\Program Files\Safer Networking\FileAlyzer\unins000.exe"
FLAC 1.2.1b (remove only) --> C:\Program Files\FLAC\uninstall.exe
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
Magic ISO Maker v5.4 (build 0256) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MagicDisc 2.6.93 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox 3 Beta 5\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Need for Speed - Most Wanted v1.3 ( RE ) --> MsiExec.exe /I{7CD9421E-4FDF-4833-A5F0-1F0FAB476629}
Need for Speed Underground 2 --> MsiExec.exe /I{FB3E968E-E1C0-45E1-B0E9-1471669C22F6}
Nero 7 Premium --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RollerCoaster Tycoon 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}\Setup.exe" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TOSHIBA SD Memory Utilities --> MsiExec.exe /X{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Videora iPod Converter 3.07 --> C:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
Volumouse --> C:\WINDOWS\zipinst.exe /uninst "C:\Program Files\Volumouse\uninst1~.nsu"
Westwood Shared Internet Components --> C:\Westwood\Internet\UnstllAP.EXE
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type371 / Error
Event Submitted/Written: 06/01/2008 10:18:04 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type360 / Error
Event Submitted/Written: 05/30/2008 05:04:01 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application taskmgr.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x771b52b6.
Processing media-specific event for [taskmgr.exe!ws!]

Event Record #/Type355 / Error
Event Submitted/Written: 05/29/2008 01:35:15 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 249596275.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type354 / Error
Event Submitted/Written: 05/29/2008 01:35:09 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x1000383a.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type352 / Error
Event Submitted/Written: 05/29/2008 01:25:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application taskmgr.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x771b52b6.
Processing media-specific event for [taskmgr.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1291 / Warning
Event Submitted/Written: 06/02/2008 00:37:05 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type1255 / Warning
Event Submitted/Written: 06/01/2008 02:32:23 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type1246 / Warning
Event Submitted/Written: 05/31/2008 11:16:46 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1222 / Error
Event Submitted/Written: 05/31/2008 00:51:44 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type1221 / Error
Event Submitted/Written: 05/31/2008 11:49:28 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service iPod Service with arguments ""
in order to run the server:
{063D34A4-BF84-4B8D-B699-E8CA06504DDE}



-- End of Deckard's System Scanner: finished at 2008-06-02 01:19:53 ------------

 

[themarsvolta55]

performance through my computer has greatly increased, seems like most of the .dlls are deleted, but my internet browsing def is not the same like it used to. some websites i can surf fine on, but others just dont load( pretty sure its my computer and not their server)

 

[Punk]

• Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
• Click Format, and ensure Word Wrap is unchecked.
• Copy and Paste the text in the box below into Notepad.
• Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\imwfesld.dll
C:\WINDOWS\system32\gyyrtlox.dll
C:\WINDOWS\system32\imwfesld.dll
C:\WINDOWS\system32\abllqeka.exe
C:\WINDOWS\VFind.exe
C:\WINDOWS\swxcacls.exe
C:\WINDOWS\swsc.exe
C:\WINDOWS\swreg.exe
C:\WINDOWS\sed.exe
C:\WINDOWS\fdsv.exe
C:\WINDOWS\system32\xniefnue.dll
C:\WINDOWS\system32\gyyrtlox.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.

• Check Load script from file:
• Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
• Double click it to enter it into Avenger.
• Click the green traffic light symbol.
• You will be asked if you want to execute the script, answer Yes.
• At this point you may get prompts from your protection systems, allow them please.
• Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
• Answer Yes, and allow your computer to re-boot.
• Upon re-boot a command window will briefly appear on screen (this is normal).
• A Notepad text file will be created C:\avenger.txt.
• Copy and Paste it into your next post please.

Open Hijackthis and do a system scan only.

Place a checkmark next to those lines:

O2 - BHO: (no name) - {166BCB27-FCFD-4588-9BDB-44FC6A02EF35} - C:\WINDOWS\system32\urqPjGyV.dll (file missing)
O2 - BHO: (no name) - {5170872F-A9BD-4D9E-9DF2-FF8E4CB503F3} - C:\WINDOWS\system32\vtUlMfFU.dll (file missing)
O2 - BHO: {a62de3d5-f1ac-1f8a-b1d4-8508abfddb86} - {68bddfba-8058-4d1b-a8f1-ca1f5d3ed26a} - C:\WINDOWS\system32\imwfesld.dll
O2 - BHO: (no name) - {E54863BA-42B9-447F-BD94-A50156215BD7} - C:\WINDOWS\system32\fccdbBrR.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [BMbf54f06c] Rundll32.exe "C:\WINDOWS\system32\xniefnue.dll",s
O4 - HKLM\..\Run: [bc67c3f0] rundll32.exe "C:\WINDOWS\system32\gyyrtlox.dll",b
O20 - Winlogon Notify: urqPjGyV - urqPjGyV.dll (file missing)

Click on Fix and post a fresh Hijackthis log.

How is your computer running now? The internet problem might be coming from the Virtumonde infection, downloading new DLLs ad taking your connection.

 

[themarsvolta55]

wowezzzzzzz it worked! just did a spybot scan, found nothing, looked at bho's found nothing!!

punk, thanks a HELL of a lot, without you i prob would of low-balled and reinstalled my OS

when computers run normal, its amazing! haha

 

[Punk]

wowezzzzzzz it worked! just did a spybot scan, found nothing, looked at bho's found nothing!!

punk, thanks a HELL of a lot, without you i prob would of low-balled and reinstalled my OS

when computers run normal, its amazing! haha

No problem glad I could help

Can you post a new Deckard's System Scanner (DSS) log to make sure we got rid of everything? One file still on your computer could download it back...

 

[themarsvolta55]

main txt

Deckard's System Scanner v20071014.68
Run by Jordan on 2008-06-02 17:49:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jordan.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:35, on 2008-06-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Documents and Settings\Jordan\My Documents\virus progs\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jordan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BMbf54f06c] Rundll32.exe "C:\WINDOWS\system32\xniefnue.dll",s
O4 - HKLM\..\Run: [bc67c3f0] rundll32.exe "C:\WINDOWS\system32\gyyrtlox.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DLIGHTER] C:\Program Files\Desktop Lighter\DLighter.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: urqPjGyV - urqPjGyV.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5080 bytes

-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-01 11:08:57 114176 --a------ C:\WINDOWS\system32\gyyrtlox.dll
2008-06-01 11:06:18 132096 --a------ C:\WINDOWS\system32\imwfesld.dll
2008-06-01 11:04:21 2560 --a------ C:\WINDOWS\system32\abllqeka.exe
2008-06-01 10:37:03 68096 --a------ C:\WINDOWS\zip.exe
2008-06-01 10:37:03 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-01 10:37:03 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-01 10:37:03 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-01 10:37:03 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-01 10:37:03 98816 --a------ C:\WINDOWS\sed.exe
2008-06-01 10:37:03 80412 --a------ C:\WINDOWS\grep.exe
2008-06-01 10:37:03 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-01 10:35:57 0 d-------- C:\VundoFix Backups
2008-06-01 00:36:06 0 d-------- C:\!KillBox
2008-05-30 12:39:33 0 dr-h----- C:\Documents and Settings\Jordan\Recent
2008-05-30 12:27:49 0 d--hs---- C:\WINDOWS\CSC
2008-05-29 22:35:57 0 d-------- C:\Program Files\CCleaner
2008-05-29 22:21:17 0 d-------- C:\WINDOWS\pss
2008-05-28 20:20:13 0 d-------- C:\Program Files\aKill
2008-05-28 19:59:31 0 d-------- C:\Program Files\Safer Networking
2008-05-28 17:31:48 0 d-------- C:\Program Files\File Shredder
2008-05-28 17:20:55 3145728 --a------ C:\Documents and Settings\Jordan\ntuser.dat
2008-05-27 13:26:39 0 d-------- C:\Documents and Settings\Jordan\Application Data\LimeWire
2008-05-27 13:26:30 0 d-------- C:\Program Files\LimeWire
2008-05-27 13:24:46 0 d-------- C:\WINDOWS\system32\SDA
2008-05-27 13:24:46 0 d-------- C:\Program Files\TOSHIBA
2008-05-26 12:14:45 0 d-------- C:\Program Files\FLAC
2008-05-26 11:35:49 0 d-------- C:\WINDOWS\RegisteredPackages
2008-05-26 11:35:07 0 d-------- C:\Program Files\Winamp
2008-05-26 11:35:07 0 d-------- C:\Documents and Settings\Jordan\Application Data\Winamp
2008-05-22 12:35:29 0 d-------- C:\Documents and Settings\Jordan\Application Data\Ahead
2008-05-22 12:34:15 0 d-------- C:\Program Files\Nero
2008-05-22 12:34:15 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-22 10:40:29 0 d-------- C:\Westwood
2008-05-17 18:33:34 0 d-------- C:\WINDOWS\system32\LogFiles
2008-05-16 12:15:54 0 d-------- C:\Program Files\Need for Speed - Most Wanted Shortcuts
2008-05-16 12:09:03 0 d-------- C:\Program Files\EA GAMES
2008-05-16 12:08:05 96256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2008-05-16 12:08:05 0 d-------- C:\Program Files\MagicDisc
2008-05-16 12:04:25 0 d-------- C:\Program Files\MagicISO
2008-05-15 13:52:05 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-14 18:42:44 0 d-------- C:\Program Files\Sybase
2008-05-13 22:23:02 0 d-------- C:\Program Files\uTorrent
2008-05-13 22:22:53 0 d-------- C:\Documents and Settings\Jordan\Application Data\uTorrent
2008-05-12 20:12:03 0 d-------- C:\Documents and Settings\Jordan\Application Data\Google
2008-05-12 20:08:16 0 d-------- C:\Program Files\Google
2008-05-11 02:09:03 0 d-------- C:\Program Files\Apple Software Update
2008-05-10 15:01:04 0 d-------- C:\Program Files\AviSynth 2.5
2008-05-10 15:01:00 0 d-------- C:\Program Files\Red Kawa
2008-05-08 14:31:52 44 --a------ C:\WINDOWS\system32\'
2008-05-08 14:31:24 5760 --a------ C:\WINDOWS\system32\vnchelp.dll <Not Verified; RDV Soft; UltraVnc Kernel>
2008-05-08 03:00:45 0 d-------- C:\Program Files\MSXML 6.0
2008-05-06 21:02:52 0 d-------- C:\Program Files\AutoCAD 2009
2008-05-06 21:02:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-06 21:01:29 0 d-------- C:\Program Files\MSBuild
2008-05-06 20:59:45 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-05-06 20:59:09 0 d-------- C:\Program Files\Reference Assemblies
2008-05-06 20:56:57 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-06 20:56:57 0 d-------- C:\Program Files\Autodesk
2008-05-06 20:56:57 0 d-------- C:\Documents and Settings\Jordan\Application Data\Autodesk
2008-05-06 20:40:49 0 d-------- C:\install
2008-05-06 13:57:44 0 d-------- C:\WINDOWS\Sun
2008-05-06 13:57:44 0 d-------- C:\Documents and Settings\Jordan\Application Data\Sun
2008-05-06 13:56:49 0 d-------- C:\Program Files\Java
2008-05-06 13:49:15 0 d-------- C:\Program Files\Common Files\Java
2008-05-06 13:38:27 269312 --a------ C:\WINDOWS\uninst.exe <Not Verified; Stirling Technologies, Inc.; InstallShield Deinstaller>
2008-05-06 13:38:27 0 d-------- C:\Documents and Settings\Jordan\WINDOWS
2008-05-04 12:58:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-04 12:58:47 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-02 00:38:03 0 d-------- C:\Program Files\Desktop Lighter


-- Find3M Report ---------------------------------------------------------------

2008-06-02 13:25:27 0 d-------- C:\Program Files\Need for Speed Underground 2
2008-05-22 12:34:15 0 d-------- C:\Program Files\Common Files
2008-05-15 15:15:31 0 d-------- C:\Documents and Settings\Jordan\Application Data\Mozilla
2008-05-04 12:59:53 0 d-------- C:\Documents and Settings\Jordan\Application Data\Adobe
2008-05-02 23:28:05 0 d-------- C:\Program Files\Buddy Icon Maker
2008-05-02 23:10:41 0 d-------- C:\Program Files\AIM6
2008-04-30 22:55:35 0 d-------- C:\Program Files\Messenger
2008-04-30 17:18:37 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-30 03:08:02 0 d-------- C:\Documents and Settings\Jordan\Application Data\ATI
2008-04-29 23:27:32 0 d-------- C:\Program Files\EphPod
2008-04-29 22:39:26 0 d-------- C:\Program Files\Common Files\DirectX
2008-04-29 22:31:32 0 d-------- C:\Program Files\DirectX 9.0c
2008-04-29 22:05:32 0 d-------- C:\Program Files\Volumouse
2008-04-29 22:04:57 39424 --a------ C:\WINDOWS\zipinst.exe <Not Verified; NirSoft; ZipInstaller>
2008-04-29 20:29:42 0 d-------- C:\Program Files\Realtek
2008-04-29 20:29:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-29 20:29:37 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-29 20:23:14 0 d-------- C:\Program Files\Infogrames
2008-04-29 20:14:51 0 d-------- C:\Documents and Settings\Jordan\Application Data\Macromedia
2008-04-29 20:14:48 1169 --a------ C:\WINDOWS\mozver.dat
2008-04-29 20:13:33 0 d-------- C:\Documents and Settings\Jordan\Application Data\Apple Computer
2008-04-29 20:13:29 0 d-------- C:\Program Files\iTunes
2008-04-29 20:13:21 0 d-------- C:\Program Files\iPod
2008-04-29 20:13:06 0 d-------- C:\Program Files\Bonjour
2008-04-29 20:13:00 0 d-------- C:\Program Files\QuickTime
2008-04-29 20:12:03 0 d-------- C:\Program Files\Common Files\Apple
2008-04-29 20:08:28 0 d-------- C:\Documents and Settings\Jordan\Application Data\WinRAR
2008-04-29 19:54:04 0 d-------- C:\Documents and Settings\Jordan\Application Data\acccore
2008-04-29 19:53:08 0 d-------- C:\Program Files\Colorizer
2008-04-29 19:51:42 0 d-------- C:\Program Files\AIM FightList
2008-04-29 19:47:08 0 d-------- C:\Documents and Settings\Jordan\Application Data\vlc
2008-04-29 19:46:36 0 d-------- C:\Program Files\VideoLAN
2008-04-29 19:44:40 0 d-------- C:\Program Files\Trend Micro
2008-04-29 19:38:00 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-29 19:37:09 0 d-------- C:\Program Files\ATI
2008-04-29 19:36:54 0 d-------- C:\Program Files\ATI Technologies
2008-04-29 19:36:30 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-29 19:33:37 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-29 19:13:16 0 d-------- C:\Documents and Settings\Jordan\Application Data\Identities
2008-04-29 19:08:13 0 d-------- C:\Program Files\microsoft frontpage
2008-04-29 19:07:53 0 -rahs---- C:\MSDOS.SYS
2008-04-29 19:07:53 0 -rahs---- C:\IO.SYS
2008-04-29 19:07:53 0 --a------ C:\CONFIG.SYS
2008-04-29 19:07:53 0 --a------ C:\AUTOEXEC.BAT
2008-04-29 19:06:32 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-29 19:04:38 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-29 19:04:12 0 d-------- C:\Program Files\Movie Maker
2008-04-29 19:02:41 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-29 19:02:10 0 d-------- C:\Program Files\Online Services
2008-04-29 19:01:52 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-29 19:01:34 0 d-------- C:\Program Files\Windows NT
2008-04-29 12:19:46 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-29 12:19:39 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-29 12:18:51 62 --ahs---- C:\Documents and Settings\Jordan\Application Data\desktop.ini
2008-03-28 21:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-03-05 18:07:48 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-21 09:05 C:\WINDOWS\system32\atiptaxx.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17]
"ATICustomerCare"="C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 06:38]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 11:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 04:52 C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 10:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 02:49]
"BMbf54f06c"="C:\WINDOWS\system32\xniefnue.dll" []
"bc67c3f0"="C:\WINDOWS\system32\gyyrtlox.dll" [2008-06-01 11:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 04:21]
"DLIGHTER"="C:\Program Files\Desktop Lighter\DLighter.exe" [2008-03-15 02:30]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 03:18]

C:\Documents and Settings\Jordan\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-16 12:08:05 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}"= C:\WINDOWS\system32\urqPjGyV.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqPjGyV]
urqPjGyV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUlMfFU

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autorun.exe
readit\command- notepad readme.doc




-- End of Deckard's System Scanner: finished at 2008-06-02 17:49:54 ------------

 

[Punk]

Have you fixed the line I asked you earlier?

Open Hijackthis and do a system scan only.

Place a checkmark next to those lines:

O2 - BHO: (no name) - {166BCB27-FCFD-4588-9BDB-44FC6A02EF35} - C:\WINDOWS\system32\urqPjGyV.dll (file missing)
O2 - BHO: (no name) - {5170872F-A9BD-4D9E-9DF2-FF8E4CB503F3} - C:\WINDOWS\system32\vtUlMfFU.dll (file missing)
O2 - BHO: {a62de3d5-f1ac-1f8a-b1d4-8508abfddb86} - {68bddfba-8058-4d1b-a8f1-ca1f5d3ed26a} - C:\WINDOWS\system32\imwfesld.dll
O2 - BHO: (no name) - {E54863BA-42B9-447F-BD94-A50156215BD7} - C:\WINDOWS\system32\fccdbBrR.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [BMbf54f06c] Rundll32.exe "C:\WINDOWS\system32\xniefnue.dll",s
O4 - HKLM\..\Run: [bc67c3f0] rundll32.exe "C:\WINDOWS\system32\gyyrtlox.dll",b
O20 - Winlogon Notify: urqPjGyV - urqPjGyV.dll (file missing)

Click on Fix and post a fresh Hijackthis log.

 

[themarsvolta55]

sry bout that
the BHO's are gone, i got rid of them through spybot...correct?

---------------------------------------------------
new hijack


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:07, on 2008-06-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DLIGHTER] C:\Program Files\Desktop Lighter\DLighter.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4739 bytes

 

[Punk]

Ok you are clean now

Congratulations you are clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Create a new System Restore Point
This is a good time to clear your existing system restore points and establish a new clean restore point:

• Go to Start > All Programs > Accessories > System Tools > System Restore
• Select Create a restore point, and Ok it.
• Next, go to Start > Run and type in cleanmgr
• Select the More options tab
• Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.5.1
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here
Find here changes from older version 1.4 here

Install Spyware Guard
Download it from here
Find here the tutorial on how to use Spyware Guard here

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Happy safe surfing!