A sudden slowdown

Fritzjavel

New Member
I am about to give this computer to my parents because I am building a brand new one, an AMD build... but I have a problem with this one. It won't allow me to go to some websites, and things are acting funny, like my Wii Wifi Connector icon disappearing while the Wifi is still running, and stuff like freezing and going for no reason... I virus scanned with Nod32, and I didn't find anything, so I think it's spyware or adware hiding somewhere... Also I checked MSCONFIG to turn off unnecessary programs and I found these two weird ones called... they were the first two: one hcnljkfp.dll in the system32 folder, and also oyctdjnc.dll, also in system32, so I went in safe mode and deleted them, then came these new ones now called shfscyyu.dll and ycsiditw.dll. IDK, I know if I delete those two, another new one will come... so what to do?
 

ceewi1

VIP Member
It sounds like you have a Vundo infection.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
Most of what it lists will be harmless or even essential, don't fix anything yet.

Please post both the ComboFix and HijackThis logs.
 

Fritzjavel

New Member
I'm running XP SP3...
I already have CCleaner, and I've run a registry scan and cleaned, and checker programs, and ran the cleaner... it did not help at all...
 

G25r8cer

Active Member
Post the HijackThis log then! It is needed. Also do as the mod said. These steps are critical to find out what is wrong with your system.
 

Fritzjavel

New Member
Okay, I went to FileHippo and got it, and this is what I got from HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:07 PM, on 6/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\Restore\rstrui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM5bb822a3] Rundll32.exe "C:\WINDOWS\system32\shfscyyu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: wbsys.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\CAPTIA~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

--
End of file - 5841 bytes
 

Fritzjavel

New Member
Okay, so here is the new log...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:59 AM, on 6/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Program\Plugins\NPSWF32_FlashUtil.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [588b113f] rundll32.exe "C:\WINDOWS\system32\tepjehot.dll",b
O4 - HKLM\..\Run: [BM5bb822a3] Rundll32.exe "C:\WINDOWS\system32\hcuhpcvm.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: wbsys.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\CAPTIA~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

--
End of file - 5829 bytes
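To show what the helpers are looking at in the O4 lines of the two logs above, here is an added example (my own code, not from this thread, HijackThis or ComboFix): it parses O4 Run entries and scores the structural tells of the Vundo-style entries posted here (rundll32 loading a random-looking DLL straight from system32, under a hex-looking value name, with a one-letter export), so it still fires after the DLL was renamed from shfscyyu.dll to hcuhpcvm.dll between the two logs. The "eight lowercase letters" pattern, the hex value-name pattern and the two-indicator threshold are my assumptions tuned to this thread's logs, not a general Vundo signature.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# O4 lines copied from the two HijackThis logs posted in this thread: two legitimate
# launches for contrast, the Vundo-shaped ones, and the BM5bb822a3 value after its
# DLL had been renamed (second log). Treat this list as a constructed sample set.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r'O4 - HKLM\..\Run: [BM5bb822a3] Rundll32.exe "C:\WINDOWS\system32\shfscyyu.dll",s',
    r'O4 - HKLM\..\Run: [588b113f] rundll32.exe "C:\WINDOWS\system32\tepjehot.dll",b',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')",
    r'O4 - HKLM\..\Run: [BM5bb822a3] Rundll32.exe "C:\WINDOWS\system32\hcuhpcvm.dll",s',
]

# "O4 - <hive>\..\Run[Once]: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<key>.*?\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] "<dll path>",<export>  (quotes and export are both optional)
RUNDLL_RE = re.compile(
    r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*(?:,(?P<entry>\S*))?$',
    re.IGNORECASE,
)
# Assumed heuristics tuned to this thread: shfscyyu.dll / tepjehot.dll / hcuhpcvm.dll
# are eight lowercase letters; 588b113f and BM5bb822a3 are hex-looking value names.
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')
RANDOM_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$', re.IGNORECASE)


@dataclass
class RunEntry:
    key: str
    name: str
    cmd: str
    dll: Optional[str] = None          # set only when the command is a rundll32 launch
    entry_point: Optional[str] = None  # export named after the comma, e.g. "s"
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: two structural tells together earn a second look.
        return len(self.reasons) >= 2


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one HijackThis O4 line; return None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = RunEntry(key=m['key'], name=m['name'], cmd=m['cmd'])
    r = RUNDLL_RE.match(entry.cmd)
    if r:
        entry.dll = r['dll']
        entry.entry_point = r['entry']
    return entry


def assess(entry: RunEntry) -> RunEntry:
    """Attach the Vundo-shaped indicators seen in this thread's logs (in place)."""
    if entry.dll is None:
        return entry  # not a rundll32 launch; nothing to score with these rules
    folder, _, base = entry.dll.rpartition('\\')
    if folder.lower().endswith(r'\system32'):
        entry.reasons.append('rundll32 loads a DLL straight from system32')
    if RANDOM_DLL_RE.match(base):
        entry.reasons.append(f'DLL name {base} is eight random-looking lowercase letters')
    if RANDOM_NAME_RE.match(entry.name):
        entry.reasons.append(f'Run value name {entry.name} is a hex-looking token')
    if entry.entry_point and len(entry.entry_point) == 1:
        entry.reasons.append(f'single-letter export {entry.entry_point!r} as entry point')
    return entry


def triage(lines: Iterable[str]) -> List[RunEntry]:
    """Return the O4 entries that hit the threshold, in log order."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is not None and assess(entry).suspicious:
            flagged.append(entry)
    return flagged


if __name__ == '__main__':
    for e in triage(SAMPLE_O4_LINES):
        print(f'[{e.name}] {e.dll}')
        for why in e.reasons:
            print(f'  - {why}')
```

Because the score keys on shape rather than on file names, a blocklist of the names deleted in safe mode would not have caught the renamed copies, while this does.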
 

Fritzjavel

New Member
And here is the one for ComboFix:


ComboFix 08-06-01.6 - Captian Javel 2008-06-02 10:21:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.126 [GMT -4:00]
Running from: C:\Documents and Settings\Captian Javel\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5bb822a3.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\odnrmhnb.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pfkjlnch.ini
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\rqAHOqru.ini
C:\WINDOWS\system32\rqAHOqru.ini2
C:\WINDOWS\system32\shfscyyu.dll
C:\WINDOWS\system32\tbqqjgan.dll
C:\WINDOWS\system32\trdrskpi.dll
C:\WINDOWS\system32\urqOHAqr.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wtidiscy.ini
C:\WINDOWS\system32\ycsiditw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-02 22:11 . 2008-06-02 22:11 <DIR> d----c--- C:\VundoFix Backups
2008-06-02 22:02 . 2008-06-02 22:02 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-02 21:47 . 2008-06-02 21:47 <DIR> d----c--- C:\Program Files\Common Files\Scanner
2008-06-02 19:09 . 2008-06-02 19:09 32 --a--c--- C:\WINDOWS\CD_Start.INI
2008-06-02 16:24 . 2008-06-02 20:52 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-06-02 16:24 . 2008-06-02 16:24 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-06-02 11:20 . 2008-06-02 11:20 2,560 --a--c--- C:\WINDOWS\system32\mewwqbkm.exe
2008-06-01 23:13 . 2008-06-01 23:13 <DIR> d----c--- C:\Program Files\Mystery Case Files - Madame Fate
2008-06-01 23:04 . 2008-06-01 23:04 58,880 --a--c--- C:\WINDOWS\system32\ljJYQkhG.dll
2008-06-01 23:00 . 2008-06-01 23:04 <DIR> d----c--- C:\Program Files\Mystery Case Files Huntsville
2008-05-27 20:37 . 2008-05-27 20:37 <DIR> d----c--- C:\Documents and Settings\Captian Javel\Application Data\U3
2008-05-23 14:47 . 2008-05-23 14:47 <DIR> d----c--- C:\Program Files\WiFiConnector
2008-05-22 23:43 . 2008-05-22 23:43 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-21 20:20 . 2008-04-14 05:42 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-05-21 20:20 . 2008-04-14 05:40 102,912 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-05-21 20:20 . 2008-04-13 22:57 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-05-21 20:15 . 2008-05-21 20:20 <DIR> d----c--- C:\WINDOWS\ServicePackFiles
2008-05-21 20:07 . 2006-12-29 00:31 19,569 --a--c--- C:\WINDOWS\003308_.tmp
2008-05-19 20:38 . 2008-05-19 20:38 <DIR> d----c--- C:\WINDOWS\Performance
2008-05-19 20:38 . 2008-05-23 11:06 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-05-12 19:37 . 2008-05-12 19:37 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-12 19:36 . 2008-05-12 19:39 <DIR> d----c--- C:\Program Files\Canon
2008-05-12 19:34 . 2008-05-12 19:34 <DIR> d----c--- C:\Program Files\Common Files\Canon
2008-05-11 21:12 . 2008-05-11 21:12 <DIR> d----c--- C:\WINDOWS\system32\VirtualExpander
2008-05-07 21:02 . 2008-05-07 21:02 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-06 21:48 . 2008-05-06 21:48 <DIR> d----c--- C:\Program Files\OpenSource Flash Video Splitter
2008-05-06 21:48 . 2008-05-06 21:48 <DIR> d----c--- C:\Program Files\Haali
2008-05-06 21:48 . 2008-05-06 21:48 <DIR> d----c--- C:\Program Files\DSP-worx
2008-05-06 21:48 . 2008-05-06 21:48 <DIR> d----c--- C:\Program Files\DScaler5
2008-05-06 21:47 . 2008-05-06 21:47 <DIR> d----c--- C:\Program Files\ffdshow
2008-05-06 21:47 . 2008-05-06 21:47 <DIR> d----c--- C:\Program Files\DirectVobSub
2008-05-06 21:47 . 2007-11-29 12:52 60,273 --a--c--- C:\WINDOWS\system32\pthreadGC2.dll
2008-05-06 21:47 . 2007-12-03 16:34 7,680 --a--c--- C:\WINDOWS\system32\ff_vfw.dll
2008-05-06 21:47 . 2007-11-29 12:52 547 --a--c--- C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-05-06 21:45 . 2008-05-23 19:44 <DIR> d----c--- C:\Program Files\Zoom Player
2008-05-04 16:23 . 2008-05-04 16:23 <DIR> d----c--- C:\WINDOWS\system32\runtime
2008-05-04 16:21 . 2008-05-22 02:49 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-04 16:15 . 2008-04-14 05:42 159,232 --a--c--- C:\WINDOWS\system32\ptpusd.dll
2008-05-04 16:15 . 2008-04-14 00:15 15,104 --a--c--- C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-04 16:15 . 2001-08-17 22:36 5,632 --a--c--- C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 01:46 --------- dc----w C:\Program Files\Yahoo!
2008-06-02 03:02 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Azureus
2008-05-30 03:27 --------- dc----w C:\Program Files\FrostWire
2008-05-29 04:00 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-05-29 04:00 --------- dc----w C:\Program Files\Ubisoft
2008-05-24 04:06 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Vso
2008-05-24 04:01 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\dvdcss
2008-05-23 23:28 --------- dc----w C:\Program Files\VSO
2008-05-15 07:06 --------- dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-09 00:16 --------- dc----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-05-09 00:11 --------- dc----w C:\Program Files\Vstplugins
2008-05-09 00:11 --------- dc----w C:\Program Files\Sony
2008-05-09 00:11 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Sony
2008-05-09 00:06 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-09 00:05 --------- dc----w C:\Program Files\NCH Swift Sound
2008-05-06 23:31 --------- dc----w C:\Program Files\Picasa2
2008-05-04 20:25 --------- dc----w C:\Program Files\Google
2008-04-27 22:51 --------- dc----w C:\Program Files\Image-Line
2008-04-27 22:51 --------- dc----w C:\Program Files\ASIO4ALL v2
2008-04-27 22:48 --------- dc----w C:\Program Files\Outsim
2008-04-27 22:05 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Publish Providers
2008-04-27 22:05 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\NetMedia Providers
2008-04-27 22:00 --------- dc----w C:\Program Files\Microsoft SQL Server
2008-04-27 21:56 --------- dc----w C:\Program Files\Sony Setup
2008-04-24 21:28 --------- dc----w C:\Program Files\Common Files\Roxio Shared
2008-04-24 21:27 --------- dc----w C:\Program Files\Roxio
2008-04-24 21:24 --------- dc----w C:\Program Files\Common Files\Sonic Shared
2008-04-24 03:15 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Yahoo!
2008-04-22 22:04 --------- dc----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-22 03:21 --------- dc----w C:\Program Files\MySpace
2008-04-22 02:58 --------- dc----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-04-21 00:20 87,608 -c--a-w C:\Documents and Settings\Captian Javel\Application Data\inst.exe
2008-04-21 00:20 47,360 -c--a-w C:\Documents and Settings\Captian Javel\Application Data\pcouffin.sys
2008-04-21 00:20 47,360 -c----w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-17 08:47 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Ahead
2008-04-17 08:46 --------- dc----w C:\Program Files\Ahead
2008-04-17 08:34 --------- dc----w C:\Program Files\Common Files\Ahead
2008-04-17 08:12 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Roxio
2008-04-17 07:27 --------- dc----w C:\Program Files\Azureus
2008-04-17 02:30 --------- dc----w C:\Program Files\EA GAMES
2008-04-17 01:55 --------- dc----w C:\Program Files\Microsoft Games
2008-04-14 23:31 --------- dc----w C:\Program Files\LWW
2008-04-14 09:55 1,804 -c--a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 09:46 329,728 -c--a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 09:43 92,424 -c--a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 09:43 87,176 -c--a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 09:43 40,840 -c----w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 09:43 299,520 -c--a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 09:43 21,896 -c----w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 09:43 139,656 -c----w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 09:43 12,168 -c--a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 09:43 12,040 -c----w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 09:41 98,304 -c--a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 09:40 53,279 -c--a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 09:40 4,126 -c--a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 09:40 3,584 -c--a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 09:40 102,912 -c--a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-14 05:00 1,845,632 -c----w C:\WINDOWS\system32\win32k.sys
2008-04-14 04:58 175,744 -c----w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-14 04:57 2,188,928 -c--a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 04:51 162,816 -c----w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-14 04:50 91,520 -c----w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-14 04:50 361,344 -c----w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-14 04:50 182,656 -c----w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-14 04:49 75,264 -c----w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-14 04:49 51,328 -c----w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-14 04:49 48,384 -c----w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-14 04:49 146,048 -c----w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-14 04:49 138,112 -c----w C:\WINDOWS\system32\drivers\afd.sys
2008-04-14 04:48 52,480 -c----w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 04:47 83,072 -c----w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-14 04:47 456,576 -c----w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-14 04:47 105,344 -c----w C:\WINDOWS\system32\drivers\mup.sys
2008-04-14 04:46 49,536 -c----w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-14 04:46 141,056 -c----w C:\WINDOWS\system32\drivers\ks.sys
2008-04-14 04:45 64,512 -c----w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 04:45 60,800 -c----w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-14 04:45 574,976 -c----w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-14 04:45 334,848 -c----w C:\WINDOWS\system32\drivers\srv.sys
2008-04-14 04:44 63,744 -c----w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-14 04:44 143,744 -c----w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-14 04:30 30,080 -c----w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 04:30 225,664 -c----w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-14 04:30 19,072 -c----w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-14 04:27 41,472 -c----w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-14 04:27 40,576 -c----w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-14 04:27 34,560 -c----w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-14 04:27 20,864 -c----w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-14 04:27 152,832 -c----w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-14 04:27 14,336 -c----w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-14 04:27 10,112 -c----w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-14 04:26 88,320 -c----w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-14 04:26 69,120 -c----w C:\WINDOWS\system32\drivers\psched.sys
2008-04-14 04:26 35,072 -c----w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-14 04:26 34,688 -c----w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-14 04:26 30,592 -c----w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-14 04:26 30,592 -c----w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-14 04:26 14,592 -c----w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-14 04:26 12,800 -c----w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-14 04:26 12,800 -c----w C:\WINDOWS\system32\drivers\usb8023.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CCB7673-04D5-4DE7-916B-384A3642BAF4}]
2008-06-01 23:04 58880 --a--c--- C:\WINDOWS\system32\ljJYQkhG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92F5A5AA-CBB9-4420-BDBF-CBEFD6CCDC4B}]
2008-06-02 10:38 373248 --a--c--- C:\WINDOWS\system32\mlJApQkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\Program Files\Opera\Program\Plugins\NPSWF32_FlashUtil.exe" [2007-11-20 20:52 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-11 19:10 949376]
"BM5bb822a3"="C:\WINDOWS\system32\hcuhpcvm.dll" [2008-06-02 10:42 125952]
"588b113f"="C:\WINDOWS\system32\tepjehot.dll" [2008-06-02 10:45 115200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 05:42 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2008-05-23 14:47:09 1073152]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{0CCB7673-04D5-4DE7-916B-384A3642BAF4}"= C:\WINDOWS\system32\ljJYQkhG.dll [2008-06-01 23:04 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYQkhG]
ljJYQkhG.dll 2008-06-01 23:04 58880 C:\WINDOWS\system32\ljJYQkhG.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-30 00:53 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mlJApQkl
Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eil24.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fil72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oru47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wad68.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ybe03.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Registration Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Registration Tool.lnk
backup=C:\WINDOWS\pss\Run Registration Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Captian Javel^Start Menu^Programs^Startup^CPUCooL.lnk]
path=C:\Documents and Settings\Captian Javel\Start Menu\Programs\Startup\CPUCooL.lnk
backup=C:\WINDOWS\pss\CPUCooL.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Captian Javel^Start Menu^Programs^Startup^Joost.lnk]
path=C:\Documents and Settings\Captian Javel\Start Menu\Programs\Startup\Joost.lnk
backup=C:\WINDOWS\pss\Joost.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Captian Javel^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Captian Javel\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Captian Javel^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Captian Javel\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Captian Javel^Start Menu^Programs^Startup^VirtualExpander.lnk]
path=C:\Documents and Settings\Captian Javel\Start Menu\Programs\Startup\VirtualExpander.lnk
backup=C:\WINDOWS\pss\VirtualExpander.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\588b113f]
C:\WINDOWS\system32\ycsiditw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Documents and Settings\Captian Javel\My Documents\Azureus Downloads\AnyDVD & AnyDVD HD 6.3.0.0 - Final\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM5bb822a3]
C:\WINDOWS\system32\shfscyyu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2008-04-14 05:42 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2008-05-04 16:22 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2007-08-24 11:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a--c--- 2006-03-20 18:34 213936 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2006-09-11 05:40 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-12-11 16:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Updates]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a--c--- 2008-04-14 05:42 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a--c--- 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2008-01-20 03:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-12-11 14:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
--a--c--- 2007-08-01 11:58 4694016 C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a--c--- 2004-12-29 11:01 544768 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2007-04-16 19:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRS Audio Sandbox]
-----c--- 2007-10-26 17:04 4354048 C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 05:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpscrex]
C:\Program Files\MSTpscre\Tpscrex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]
C:\Program Files\ViOrb\ViOrb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
C:\Program Files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
C:\Program Files\ViStart\ViStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"RoxWatch10"=2 (0x2)
"RoxMediaDB10"=3 (0x3)
"Roxio Upnp Server 10"=2 (0x2)
"Roxio UPnP Renderer 10"=3 (0x3)
"gusvc"=2 (0x2)
"CPUCooLServer"=2 (0x2)
"Bonjour Service"=2 (0x2)
"IviRegMgr"=2 (0x2)
"WSearch"=2 (0x2)
"ERSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 18:49]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 03:12]
S0 Eil24;Eil24;C:\WINDOWS\system32\Drivers\Eil24.sys []
S0 Ybe03;Ybe03;C:\WINDOWS\system32\Drivers\Ybe03.sys []
S3 Fil72;Fil72;C:\WINDOWS\System32\drivers\Fil72.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb4783e1-22c9-11dd-a4e5-001601763dc7}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d86326af-e833-11dc-a47e-00110968b944}]
\shell\Setup\command - setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 00:07:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 10:34:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\mlJApQkl.dll 373248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ljJYQkhG.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\tepjehot.dll
-> C:\WINDOWS\system32\hcuhpcvm.dll
-> C:\WINDOWS\system32\mlJApQkl.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-02 10:48:38 - machine was rebooted [Captian Javel]
ComboFix-quarantined-files.txt 2008-06-02 14:47:55

Pre-Run: 6,185,189,376 bytes free
Post-Run: 6,827,356,160 bytes free

406 --- E O F --- 2008-05-20 07:08:38
 

Fritzjavel

New Member
And here is the one for ComboFix:


ComboFix 08-06-01.6 - Captian Javel 2008-06-02 10:21:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.126 [GMT -4:00]
Running from: C:\Documents and Settings\Captian Javel\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5bb822a3.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\odnrmhnb.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pfkjlnch.ini
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\rqAHOqru.ini
C:\WINDOWS\system32\rqAHOqru.ini2
C:\WINDOWS\system32\shfscyyu.dll
C:\WINDOWS\system32\tbqqjgan.dll
C:\WINDOWS\system32\trdrskpi.dll
C:\WINDOWS\system32\urqOHAqr.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wtidiscy.ini
C:\WINDOWS\system32\ycsiditw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-02 22:11 . 2008-06-02 22:11 <DIR> d----c--- C:\VundoFix Backups
2008-06-02 22:02 . 2008-06-02 22:02 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-02 21:47 . 2008-06-02 21:47 <DIR> d----c--- C:\Program Files\Common Files\Scanner
2008-06-02 19:09 . 2008-06-02 19:09 32 --a--c--- C:\WINDOWS\CD_Start.INI
2008-06-02 16:24 . 2008-06-02 20:52 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-06-02 16:24 . 2008-06-02 16:24 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-06-02 11:20 . 2008-06-02 11:20 2,560 --a--c--- C:\WINDOWS\system32\mewwqbkm.exe
2008-06-01 23:13 . 2008-06-01 23:13 <DIR> d----c--- C:\Program Files\Mystery Case Files - Madame Fate
2008-06-01 23:04 . 2008-06-01 23:04 58,880 --a--c--- C:\WINDOWS\system32\ljJYQkhG.dll
2008-06-01 23:00 . 2008-06-01 23:04 <DIR> d----c--- C:\Program Files\Mystery Case Files Huntsville
2008-05-27 20:37 . 2008-05-27 20:37 <DIR> d----c--- C:\Documents and Settings\Captian Javel\Application Data\U3
2008-05-23 14:47 . 2008-05-23 14:47 <DIR> d----c--- C:\Program Files\WiFiConnector
2008-05-22 23:43 . 2008-05-22 23:43 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-21 20:20 . 2008-04-14 05:42 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-05-21 20:20 . 2008-04-14 05:40 102,912 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-05-21 20:20 . 2008-04-13 22:57 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-05-21 20:15 . 2008-05-21 20:20 <DIR> d----c--- C:\WINDOWS\ServicePackFiles
2008-05-21 20:07 . 2006-12-29 00:31 19,569 --a--c--- C:\WINDOWS\003308_.tmp
2008-05-19 20:38 . 2008-05-19 20:38 <DIR> d----c--- C:\WINDOWS\Performance
2008-05-19 20:38 . 2008-05-23 11:06 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-05-12 19:37 . 2008-05-12 19:37 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-12 19:36 . 2008-05-12 19:39 <DIR> d----c--- C:\Program Files\Canon
2008-05-12 19:34 . 2008-05-12 19:34 <DIR> d----c--- C:\Program Files\Common Files\Canon
2008-05-11 21:12 . 2008-05-11 21:12 <DIR> d----c--- C:\WINDOWS\system32\VirtualExpander
2008-05-07 21:02 . 2008-05-07 21:02 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-06 21:48 . 2008-05-06 21:48 <DIR> d----c--- C:\Program Files\OpenSource Flash Video Splitter
2008-05-06 21:48 . 2008-05-06 21:48 <DIR> d----c--- C:\Program Files\Haali
2008-05-06 21:48 . 2008-05-06 21:48 <DIR> d----c--- C:\Program Files\DSP-worx
2008-05-06 21:48 . 2008-05-06 21:48 <DIR> d----c--- C:\Program Files\DScaler5
2008-05-06 21:47 . 2008-05-06 21:47 <DIR> d----c--- C:\Program Files\ffdshow
2008-05-06 21:47 . 2008-05-06 21:47 <DIR> d----c--- C:\Program Files\DirectVobSub
2008-05-06 21:47 . 2007-11-29 12:52 60,273 --a--c--- C:\WINDOWS\system32\pthreadGC2.dll
2008-05-06 21:47 . 2007-12-03 16:34 7,680 --a--c--- C:\WINDOWS\system32\ff_vfw.dll
2008-05-06 21:47 . 2007-11-29 12:52 547 --a--c--- C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-05-06 21:45 . 2008-05-23 19:44 <DIR> d----c--- C:\Program Files\Zoom Player
2008-05-04 16:23 . 2008-05-04 16:23 <DIR> d----c--- C:\WINDOWS\system32\runtime
2008-05-04 16:21 . 2008-05-22 02:49 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-04 16:15 . 2008-04-14 05:42 159,232 --a--c--- C:\WINDOWS\system32\ptpusd.dll
2008-05-04 16:15 . 2008-04-14 00:15 15,104 --a--c--- C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-04 16:15 . 2001-08-17 22:36 5,632 --a--c--- C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 01:46 --------- dc----w C:\Program Files\Yahoo!
2008-06-02 03:02 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Azureus
2008-05-30 03:27 --------- dc----w C:\Program Files\FrostWire
2008-05-29 04:00 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-05-29 04:00 --------- dc----w C:\Program Files\Ubisoft
2008-05-24 04:06 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Vso
2008-05-24 04:01 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\dvdcss
2008-05-23 23:28 --------- dc----w C:\Program Files\VSO
2008-05-15 07:06 --------- dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-09 00:16 --------- dc----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-05-09 00:11 --------- dc----w C:\Program Files\Vstplugins
2008-05-09 00:11 --------- dc----w C:\Program Files\Sony
2008-05-09 00:11 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Sony
2008-05-09 00:06 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-09 00:05 --------- dc----w C:\Program Files\NCH Swift Sound
2008-05-06 23:31 --------- dc----w C:\Program Files\Picasa2
2008-05-04 20:25 --------- dc----w C:\Program Files\Google
2008-04-27 22:51 --------- dc----w C:\Program Files\Image-Line
2008-04-27 22:51 --------- dc----w C:\Program Files\ASIO4ALL v2
2008-04-27 22:48 --------- dc----w C:\Program Files\Outsim
2008-04-27 22:05 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Publish Providers
2008-04-27 22:05 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\NetMedia Providers
2008-04-27 22:00 --------- dc----w C:\Program Files\Microsoft SQL Server
2008-04-27 21:56 --------- dc----w C:\Program Files\Sony Setup
2008-04-24 21:28 --------- dc----w C:\Program Files\Common Files\Roxio Shared
2008-04-24 21:27 --------- dc----w C:\Program Files\Roxio
2008-04-24 21:24 --------- dc----w C:\Program Files\Common Files\Sonic Shared
2008-04-24 03:15 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Yahoo!
2008-04-22 22:04 --------- dc----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-22 03:21 --------- dc----w C:\Program Files\MySpace
2008-04-22 02:58 --------- dc----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-04-21 00:20 87,608 -c--a-w C:\Documents and Settings\Captian Javel\Application Data\inst.exe
2008-04-21 00:20 47,360 -c--a-w C:\Documents and Settings\Captian Javel\Application Data\pcouffin.sys
2008-04-21 00:20 47,360 -c----w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-17 08:47 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Ahead
2008-04-17 08:46 --------- dc----w C:\Program Files\Ahead
2008-04-17 08:34 --------- dc----w C:\Program Files\Common Files\Ahead
2008-04-17 08:12 --------- dc----w C:\Documents and Settings\Captian Javel\Application Data\Roxio
2008-04-17 07:27 --------- dc----w C:\Program Files\Azureus
2008-04-17 02:30 --------- dc----w C:\Program Files\EA GAMES
2008-04-17 01:55 --------- dc----w C:\Program Files\Microsoft Games
2008-04-14 23:31 --------- dc----w C:\Program Files\LWW
2008-04-14 09:55 1,804 -c--a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 09:46 329,728 -c--a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 09:43 92,424 -c--a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 09:43 87,176 -c--a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 09:43 40,840 -c----w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 09:43 299,520 -c--a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 09:43 21,896 -c----w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 09:43 139,656 -c----w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 09:43 12,168 -c--a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 09:43 12,040 -c----w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 09:41 98,304 -c--a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 09:40 53,279 -c--a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 09:40 4,126 -c--a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 09:40 3,584 -c--a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 09:40 102,912 -c--a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-14 05:00 1,845,632 -c----w C:\WINDOWS\system32\win32k.sys
2008-04-14 04:58 175,744 -c----w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-14 04:57 2,188,928 -c--a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 04:51 162,816 -c----w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-14 04:50 91,520 -c----w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-14 04:50 361,344 -c----w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-14 04:50 182,656 -c----w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-14 04:49 75,264 -c----w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-14 04:49 51,328 -c----w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-14 04:49 48,384 -c----w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-14 04:49 146,048 -c----w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-14 04:49 138,112 -c----w C:\WINDOWS\system32\drivers\afd.sys
2008-04-14 04:48 52,480 -c----w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 04:47 83,072 -c----w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-14 04:47 456,576 -c----w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-14 04:47 105,344 -c----w C:\WINDOWS\system32\drivers\mup.sys
2008-04-14 04:46 49,536 -c----w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-14 04:46 141,056 -c----w C:\WINDOWS\system32\drivers\ks.sys
2008-04-14 04:45 64,512 -c----w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 04:45 60,800 -c----w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-14 04:45 574,976 -c----w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-14 04:45 334,848 -c----w C:\WINDOWS\system32\drivers\srv.sys
2008-04-14 04:44 63,744 -c----w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-14 04:44 143,744 -c----w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-14 04:30 30,080 -c----w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 04:30 225,664 -c----w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-14 04:30 19,072 -c----w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-14 04:27 41,472 -c----w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-14 04:27 40,576 -c----w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-14 04:27 34,560 -c----w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-14 04:27 20,864 -c----w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-14 04:27 152,832 -c----w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-14 04:27 14,336 -c----w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-14 04:27 10,112 -c----w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-14 04:26 88,320 -c----w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-14 04:26 69,120 -c----w C:\WINDOWS\system32\drivers\psched.sys
2008-04-14 04:26 35,072 -c----w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-14 04:26 34,688 -c----w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-14 04:26 30,592 -c----w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-14 04:26 30,592 -c----w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-14 04:26 14,592 -c----w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-14 04:26 12,800 -c----w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-14 04:26 12,800 -c----w C:\WINDOWS\system32\drivers\usb8023.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CCB7673-04D5-4DE7-916B-384A3642BAF4}]
2008-06-01 23:04 58880 --a--c--- C:\WINDOWS\system32\ljJYQkhG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92F5A5AA-CBB9-4420-BDBF-CBEFD6CCDC4B}]
2008-06-02 10:38 373248 --a--c--- C:\WINDOWS\system32\mlJApQkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\Program Files\Opera\Program\Plugins\NPSWF32_FlashUtil.exe" [2007-11-20 20:52 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-11 19:10 949376]
"BM5bb822a3"="C:\WINDOWS\system32\hcuhpcvm.dll" [2008-06-02 10:42 125952]
"588b113f"="C:\WINDOWS\system32\tepjehot.dll" [2008-06-02 10:45 115200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 05:42 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2008-05-23 14:47:09 1073152]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{0CCB7673-04D5-4DE7-916B-384A3642BAF4}"= C:\WINDOWS\system32\ljJYQkhG.dll [2008-06-01 23:04 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYQkhG]
ljJYQkhG.dll 2008-06-01 23:04 58880 C:\WINDOWS\system32\ljJYQkhG.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-30 00:53 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mlJApQkl
Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eil24.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fil72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oru47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wad68.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ybe03.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Registration Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Registration Tool.lnk
backup=C:\WINDOWS\pss\Run Registration Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Captian Javel^Start Menu^Programs^Startup^CPUCooL.lnk]
path=C:\Documents and Settings\Captian Javel\Start Menu\Programs\Startup\CPUCooL.lnk
backup=C:\WINDOWS\pss\CPUCooL.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Captian Javel^Start Menu^Programs^Startup^Joost.lnk]
path=C:\Documents and Settings\Captian Javel\Start Menu\Programs\Startup\Joost.lnk
backup=C:\WINDOWS\pss\Joost.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Captian Javel^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Captian Javel\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Captian Javel^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Captian Javel\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Captian Javel^Start Menu^Programs^Startup^VirtualExpander.lnk]
path=C:\Documents and Settings\Captian Javel\Start Menu\Programs\Startup\VirtualExpander.lnk
backup=C:\WINDOWS\pss\VirtualExpander.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\588b113f]
C:\WINDOWS\system32\ycsiditw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Documents and Settings\Captian Javel\My Documents\Azureus Downloads\AnyDVD & AnyDVD HD 6.3.0.0 - Final\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM5bb822a3]
C:\WINDOWS\system32\shfscyyu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2008-04-14 05:42 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2008-05-04 16:22 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2007-08-24 11:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a--c--- 2006-03-20 18:34 213936 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2006-09-11 05:40 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-12-11 16:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Updates]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a--c--- 2008-04-14 05:42 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a--c--- 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2008-01-20 03:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-12-11 14:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
--a--c--- 2007-08-01 11:58 4694016 C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a--c--- 2004-12-29 11:01 544768 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2007-04-16 19:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRS Audio Sandbox]
-----c--- 2007-10-26 17:04 4354048 C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 05:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpscrex]
C:\Program Files\MSTpscre\Tpscrex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]
C:\Program Files\ViOrb\ViOrb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
C:\Program Files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
C:\Program Files\ViStart\ViStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"RoxWatch10"=2 (0x2)
"RoxMediaDB10"=3 (0x3)
"Roxio Upnp Server 10"=2 (0x2)
"Roxio UPnP Renderer 10"=3 (0x3)
"gusvc"=2 (0x2)
"CPUCooLServer"=2 (0x2)
"Bonjour Service"=2 (0x2)
"IviRegMgr"=2 (0x2)
"WSearch"=2 (0x2)
"ERSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 18:49]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 03:12]
S0 Eil24;Eil24;C:\WINDOWS\system32\Drivers\Eil24.sys []
S0 Ybe03;Ybe03;C:\WINDOWS\system32\Drivers\Ybe03.sys []
S3 Fil72;Fil72;C:\WINDOWS\System32\drivers\Fil72.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb4783e1-22c9-11dd-a4e5-001601763dc7}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d86326af-e833-11dc-a47e-00110968b944}]
\shell\Setup\command - setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 00:07:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 10:34:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\mlJApQkl.dll 373248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ljJYQkhG.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\tepjehot.dll
-> C:\WINDOWS\system32\hcuhpcvm.dll
-> C:\WINDOWS\system32\mlJApQkl.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-02 10:48:38 - machine was rebooted [Captian Javel]
ComboFix-quarantined-files.txt 2008-06-02 14:47:55

Pre-Run: 6,185,189,376 bytes free
Post-Run: 6,827,356,160 bytes free

406 --- E O F --- 2008-05-20 07:08:38
 

ceewi1

VIP Member
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\mewwqbkm.exe
    C:\WINDOWS\system32\ljJYQkhG.dll
    C:\WINDOWS\system32\mlJApQkl.dll
    C:\WINDOWS\system32\hcuhpcvm.dll
    C:\WINDOWS\system32\tepjehot.dll
    
    Folder::
    C:\VundoFix Backups
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CCB7673-04D5-4DE7-916B-384A3642BAF4}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92F5A5AA-CBB9-4420-BDBF-CBEFD6CCDC4B}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BM5bb822a3"=-
    "588b113f"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{0CCB7673-04D5-4DE7-916B-384A3642BAF4}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYQkhG]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eil24.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fil72.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oru47.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wad68.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ybe03.sys]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\588b113f]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM5bb822a3]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Updates]
    
    Driver::
    Eil24
    Ybe03
    Fil72
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.
    [screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log. How is your system running now?
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
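As an added illustration (example code written for this thread, not ceewi1's script and not part of ComboFix), the snippet below shows how the File:: section of a CFScript like the one above can be derived from the ComboFix log itself. It parses a constructed excerpt modelled on the posted log (with shell32.dll added as a benign control entry that is not in the original), cross-references the catchme "hidden files" result against the "DLLs Loaded Under Running Processes" section, flags anything unexpected inside winlogon.exe, and applies the eight-letter random-name heuristic that fits every malicious DLL named in this thread. The KNOWN_GOOD allowlist is an assumption for the example only.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt modelled on the ComboFix log posted earlier in this thread.
# shell32.dll is added as a benign control entry; it is not in the original log.
SAMPLE_LOG = """\
scanning hidden files ...

C:\\WINDOWS\\system32\\mlJApQkl.dll 373248 bytes executable

scan completed successfully
hidden files: 1
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\\WINDOWS\\system32\\winlogon.exe
-> C:\\WINDOWS\\system32\\ljJYQkhG.dll

PROCESS: C:\\WINDOWS\\explorer.exe
-> C:\\WINDOWS\\system32\\tepjehot.dll
-> C:\\WINDOWS\\system32\\hcuhpcvm.dll
-> C:\\WINDOWS\\system32\\mlJApQkl.dll
-> C:\\WINDOWS\\system32\\shell32.dll
.
"""

# Tiny allowlist of DLLs one expects in these processes (assumption for the
# example; real triage would use a far larger, hash-based list).
KNOWN_GOOD = {"shell32.dll", "crypt32.dll", "sfc_os.dll", "ntdll.dll"}

# A catchme result line: "<path> <size> bytes ..."
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?\.(?:dll|exe|sys))\s+\d+ bytes", re.M)
# Naming pattern shared by every malicious DLL in this thread: eight letters, no digits.
EIGHT_LETTERS_RE = re.compile(r"^[A-Za-z]{8}$")


def parse_hidden_files(log):
    """Paths the catchme rootkit scan reported as hidden."""
    return [m.group("path") for m in HIDDEN_RE.finditer(log)]


def parse_loaded_dlls(log):
    """Map each 'PROCESS:' line to the '->' DLL paths listed beneath it."""
    loaded, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("PROCESS:"):
            current = line[len("PROCESS:"):].strip()
            loaded[current] = []
        elif line.startswith("->") and current is not None:
            loaded[current].append(line[2:].strip())
    return loaded


def triage(log, known_good=KNOWN_GOOD):
    """Return {dll_path: [reasons]} for loaded DLLs that deserve a closer look.

    Every signal comes from what the log itself shows:
      * hidden from the file system (rootkit scan) yet loaded into a process
      * loaded into winlogon.exe (the Winlogon Notify hook) and not allowlisted
      * eight-letter file name with no digits (heuristic, not a signature)
    """
    hidden = {PureWindowsPath(p).name.lower() for p in parse_hidden_files(log)}
    findings = {}
    for process, dlls in parse_loaded_dlls(log).items():
        proc_name = PureWindowsPath(process).name.lower()
        for dll in dlls:
            path = PureWindowsPath(dll)
            if path.name.lower() in known_good:
                continue
            reasons = []
            if path.name.lower() in hidden:
                reasons.append(f"hidden from the file system but loaded into {proc_name}")
            if proc_name == "winlogon.exe":
                reasons.append("loaded into winlogon.exe and not on the allowlist")
            if EIGHT_LETTERS_RE.match(path.stem):
                reasons.append("eight-letter random-looking file name")
            if reasons:
                findings.setdefault(dll, []).extend(reasons)
    return findings


def cfscript_file_section(findings):
    """Render flagged paths as the File:: block of a CFScript, in the format
    used in the post above, for a human to review before it is ever used."""
    paths = sorted(set(findings), key=str.lower)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, reasons in result.items():
        print(path)
        for reason in reasons:
            print("   -", reason)
    print()
    print(cfscript_file_section(result))
```

Run against the excerpt, the four DLLs ceewi1 listed under File:: are flagged (mlJApQkl.dll for two independent reasons, ljJYQkhG.dll for its winlogon.exe location as well as its name), while the shell32.dll control entry passes. The output is a draft for review, which is the point: the person reading the log decides what goes into the script, the parser only makes sure nothing the log already reveals is overlooked.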
 

Fritzjavel

New Member
Dude, you work wonders... It's working fine again... no weird things running in Task Manager, no rundll32 w/e.... so what was wrong with it, and once again thank you.... Also, is there a program that deletes every application except Windows and my songs, because that would also be helpful.... TY A LOT!!

G25r8cer

Active Member
^^ Wow, it looks like you were infected fairly badly! I'm glad ceewi1 could help you. I'm sure he will want to see another HijackThis log to make sure, so you might as well post it now.

Fritzjavel

New Member
Ooo, I already deleted HijackThis... Oops... But my computer is running fine, and I somehow got an extra 1 gig of space... LOL... What was it that was infecting me?... and how did I get it?... and for safety I leave my Nod32 on now...

ceewi1

VIP Member
I would prefer to see another HijackThis log, just in case there's anything leftover. You can safely download HijackThis again.

The infection is called Vundo. The most common means of infection is downloading and running files from unscrupulous websites, although there are other possible ways of infection as well.

I'm not aware of any program that will delete everything except for Windows and your songs, but you can always uninstall everything from Add or Remove Programs, although that will take some time. If you have your Windows CD, you can also back up your songs to an external disk and reinstall Windows, which will clean everything out.