
Malwarebytes

Malwarebytes won't remove infected files it finds...cannot manually delete either.


7 replies to this topic

#1
ameliamessenger

    New Member

  • Members
  • 4 posts
I have been up and down since last Monday. Finally back on the net I could get mbam to update and spybot to update. I have tried eset, but it finds nothing. hjt fix and mbam find, but cannot delete even after reboot. I have gone in via safe mode with cmd, tried to delete manually in regedit, access denied. So here I am with my last mbam log and hjt log. No other fixes have been attempted since. I have got to get rid of these infections as this is my only connection to the job market....with the economy the way that it is. Plus I am trying to go back to school, so I really don't want to format.

Thanks for your consideration and any help you can give me.

Mbam log

Malwarebytes' Anti-Malware 1.36
Database version: 2003
Windows 5.1.2600 Service Pack 3

4/19/2009 8:44:18 AM
mbam-log-2009-04-19 (08-44-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 146861
Time elapsed: 30 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tirycjvk (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\btumxlu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\regkeigm.dat (Rootkit.Agent) -> Delete on reboot.

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 8:47:47 AM, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Amelia\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5} - c:\windows\system32\btumxlu.dll
O2 - BHO: (no name) - {7f6eddd2-ac0c-4cda-99ea-23dda7634597} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: PackageCab -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1239929183609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239929248296
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} -
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} -
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: tirycjvk - C:\WINDOWS\SYSTEM32\btumxlu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
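The two logs above already show why the cleanup keeps stalling: the same DLL is registered as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20), so winlogon.exe maps it at boot and on-line deletes come back with access denied. The following script is an added example, not code from the thread or from MBAM or HijackThis; it parses constructed excerpts of both logs, reports which HJT load points still reference each file MBAM flagged, and lists every detection whose action was not a completed removal (the success wording it assumes is MBAM 1.x's "Quarantined and deleted successfully.").

```python
"""Correlate a Malwarebytes' Anti-Malware 1.x scan log with a HijackThis log.

Added example (not from the thread or from MBAM/HJT themselves): it lists the
files MBAM flagged, the O2 (BHO) and O20 (Winlogon Notify) load points HJT
found, and which flagged file each load point still references.  A DLL that
is both a BHO and a Winlogon Notify handler is mapped by winlogon.exe at boot,
which is why on-line delete attempts fail with access denied and why the file
and every key that loads it have to be removed together.
"""
import re
from collections import defaultdict

# Constructed excerpts of the two logs posted in the thread.
MBAM_LOG = r"""
Registry Keys Infected: 3
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tirycjvk (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\btumxlu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\regkeigm.dat (Rootkit.Agent) -> Delete on reboot.
"""

HJT_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5} - c:\windows\system32\btumxlu.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: tirycjvk - C:\WINDOWS\SYSTEM32\btumxlu.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# "<item> (<family>) -> <action>" is how MBAM 1.x writes each detection line.
MBAM_ITEM = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
HJT_LINE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.+)$")
# MBAM 1.x wording for a completed removal (assumed here; the thread's logs never reach it).
MBAM_DONE = "Quarantined and deleted successfully."


def parse_mbam(text):
    """Return {section: [(item, family, action), ...]} for each 'Infected:' block."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):           # "Files Infected:" -> "Files"
            current = line[: -len(" Infected:")]
            continue
        m = MBAM_ITEM.match(line)
        if current and m:
            sections[current].append((m["item"], m["family"], m["action"]))
    return sections


def normalize_path(path):
    """Lower-case a Windows path, expand %SystemRoot%/%windir% and drop HJT's
    '(file missing)' / '(no file)' markers so paths from both logs compare equal."""
    path = re.sub(r"\s*\((file missing|no file)\)$", "", path.strip())
    path = re.sub(r"%(SystemRoot|windir)%", r"C:\\WINDOWS", path, flags=re.IGNORECASE)
    return path.lower()


def parse_hjt(text):
    """Yield (code, label, name, clsid, path) for O2 BHO and O20 Winlogon Notify lines."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m or m["code"] not in ("O2", "O20"):
            continue
        label, rest = m["body"].split(": ", 1)       # "BHO" / "Winlogon Notify"
        if m["code"] == "O2":                         # <name> - {CLSID} - <path>
            name, clsid, path = rest.split(" - ", 2)
        else:                                         # <name> - <path>
            name, path = rest.split(" - ", 1)
            clsid = None
        yield m["code"], label, name, clsid, normalize_path(path)


def correlate(mbam_text, hjt_text):
    """Map every MBAM-flagged file to the HJT load points that still reference it.
    A flagged file with an empty list has no autostart visible in HJT's O2/O20
    view (the thread's regkeigm.dat, labelled Rootkit.Agent, is such a case)."""
    flagged = {normalize_path(item): {"family": family, "load_points": []}
               for item, family, _ in parse_mbam(mbam_text)["Files"]}
    for code, label, name, clsid, path in parse_hjt(hjt_text):
        if path in flagged:
            flagged[path]["load_points"].append(f"{code} {label} {clsid or name}")
    return flagged


def unfinished(mbam_text):
    """Detections logged with anything but a completed removal: 'Delete on reboot.'
    (file locked, removal deferred to next boot) or 'No action taken.'
    (log saved without Remove Selected having been run)."""
    return [(item, action) for section in parse_mbam(mbam_text).values()
            for item, _, action in section if action != MBAM_DONE]


if __name__ == "__main__":
    for path, info in correlate(MBAM_LOG, HJT_LOG).items():
        loaded = ", ".join(info["load_points"]) or "no O2/O20 load point"
        print(f"{path} [{info['family']}] -> {loaded}")
    for item, action in unfinished(MBAM_LOG):
        print("not yet removed:", item, "->", action)
```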

#2
Maurice Naggar

    Eradicator of malicious software

  • Moderators
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Hello,

This has Spybot's Tea Timer active, which "blocks" any changes to registry, and is only hampering cleanups.
You must disable Tea Timer and keep it that way while we do cleanups.
Also, if you are not fully familiar with what Tea Timer does, then do not activate it!
Right click the Spybot Icon in the system tray (notification area).
  • If you have the new version 1.5, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

You're also using an old, old copy of HijackThis. De-install (delete) the copy you have.
Download the latest version of HijackThis Installer

Save the HJT Installer to your desktop or the folder of your choice, then navigate to that folder and double-click HJTInstall.exe to start the installation.

When the Trend Micro HJT install box appears, click Install.

HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.
=

Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.
=

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}
=

Download OTListIt by OldTimer to your desktop: http://oldtimer.geek...m/OTListIt2.exe
  • Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the ***** stars ***** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    ******************************************************************************
    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5}]
    [-HKEY_CLASSES_ROOT\CLSID\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5}]

    :files
    c:\WINDOWS\system32\btumxlu.dll
    C:\WINDOWS\Temp\regkeigm.dat

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]

    ****************************************************************************

  • Return to OTListIt2. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.

  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTListIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=
Next, start MBAM, get it up-to-date, and scan and clean. First, rename it.
Locate mbam.exe and RENAME it to Alpha.exe

Start your Alpha (the renamed mbam).
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2003 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

=
Next, fresh run of latest HijackThis:
Navigate (using My Computer [Windows Explorer]) to C:\Program Files\Trend Micro\HijackThis folder
Locate and Rename hijackthis.exe to Findall.exe

Start Findall. Do a Scan and Save report.

Reply with a copy of the OTListIt2 move log from above,
the new MBAM log,
the new HijackThis log,
and tell me, How is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3
ameliamessenger

    New Member

  • Members
  • 4 posts
Thanks for the quick response.

So I uninstalled spybot...though it was what tipped me off that the system was infected and that something was attempting to make changes to the registry.

I installed the updated HJT, changed the settings on my folder options, and ran atf-cleaner.

Now to OTListIt...I downloaded this, copied and pasted the script into the "custom scans/fixes" and then ran fix. During the fix, a warning box came up and said:

"OTListIt2: Bad Image

The application or DLL c:\windows\system32\qmgtkwg.dll is not a valid windows image. Please check against your installation diskette."

And I hit OK. OTL continued to run and then told me that it needed to reboot. I selected yes as directed by your instructions.

After reboot, once I was back into windows, but before any taskbar or desktop programs showed up, I got a warning box that said:

"access violation at address 00SUB2E9 in module 'OTListIt2.exe, Read of address 00000000."

I selected ok.

I waited and waited for 20 minutes, finally the taskbar and my desktop programs came back...Hooray! Not so much. I could not get into any programs or into windows explorer to continue with the instructions. What I got was a searchlight in the windows explorer box that would locate anything for 10 minutes. I then opened task manager and restarted windows because nothing would work at this point. Once restarted, the computer repeated the same processes as it did after the previous reboot.

So I restarted in safe mode. There I got my taskbar and everything just fine. I did a system restore to the point just previous to downloading and using OTListIt. Everything worked again.

I tried the whole process again through OTListIt and the same thing happened again...so I restored to the point previous again.

Now I have renamed mbam.exe to alpha.exe and updated to 2009 definitions...scanned and have that log below. I have also renamed hjt to findall.exe, scanned, and saved that report.

Even though the computer locked up after OTListIt2 ran, I have listed that moved log below as well. So at this point I am pretty much where I was before, except I have a new version of HJT and no spybot/teatimer.


*****************************************************************
MBAM Log:


Malwarebytes' Anti-Malware 1.36
Database version: 2009
Windows 5.1.2600 Service Pack 3

4/19/2009 11:25:34 AM
mbam-log-2009-04-19 (11-25-29).txt

Scan type: Quick Scan
Objects scanned: 75664
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tirycjvk (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\btumxlu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\Temp\regkeigm.dat (Rootkit.Agent) -> No action taken.

***********************************************************
HJT Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:22 AM, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\Findall.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5} - c:\windows\system32\btumxlu.dll
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PackageCab -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1239929183609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239929248296
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} -
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} -
O20 - Winlogon Notify: tirycjvk - C:\WINDOWS\SYSTEM32\btumxlu.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

************************************************************

Move Log:

========== OTLISTIT ==========
Process explorer.exe killed successfully!
========== REGISTRY ==========
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5}\ scheduled to be deleted on reboot.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5}\ .
Registry delete failed. HKEY_CLASSES_ROOT\CLSID\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5}\ scheduled to be deleted on reboot.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5}\ .
========== FILES ==========
LoadLibrary failed for c:\WINDOWS\system32\btumxlu.dll
c:\WINDOWS\system32\btumxlu.dll NOT unregistered.
File move failed. c:\WINDOWS\system32\btumxlu.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\Temp\regkeigm.dat scheduled to be moved on reboot.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Amelia\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\regkeigm.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.14.0 log created on 04192009_104839

*************************************************************


Again, I really appreciate your help!

-Amelia

#4
Maurice Naggar

    Eradicator of malicious software

  • Moderators
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present:

Quote

O2 - BHO: (no name) - {76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5} - c:\windows\system32\btumxlu.dll

O20 - Winlogon Notify: tirycjvk - C:\WINDOWS\SYSTEM32\btumxlu.dll
Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!


Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\WINDOWS\system32\btumxlu.dll
    C:\WINDOWS\Temp\regkeigm.dat
    
    Drivers to delete:
    btumxlu
    regkeigm
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5}
    
    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the Avenger window, click the Paste Script from Clipboard icon.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2009 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

Start Findall (HijackThis). Do a Scan and Save report.

Reply with a copy of the C:\Avenger.txt,
the new MBAM log,
the new HijackThis log,
and tell me, How is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5
ameliamessenger

    New Member

  • Members
  • 4 posts
Ran everything, just the way you instructed...it appears they have not gone. But hey...no blue screen to report.

**************************************************

Avenger:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\WINDOWS\system32\btumxlu.dll"
Deletion of file "c:\WINDOWS\system32\btumxlu.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open file "C:\WINDOWS\Temp\regkeigm.dat"
Deletion of file "C:\WINDOWS\Temp\regkeigm.dat" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\btumxlu" not found!
Deletion of driver "btumxlu" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\regkeigm" not found!
Deletion of driver "regkeigm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"
Deletion of folder "D:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "e:\recycler"
Deletion of folder "e:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "f:\recycler"
Deletion of folder "f:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\recycler"
Deletion of folder "g:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\recycler"
Deletion of folder "h:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


******************************************************************
MBAM

Malwarebytes' Anti-Malware 1.36
Database version: 2009
Windows 5.1.2600 Service Pack 3

4/19/2009 11:25:34 AM
mbam-log-2009-04-19 (11-25-29).txt

Scan type: Quick Scan
Objects scanned: 75664
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tirycjvk (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{76bbad2b-d4f8-4cc9-92a8-a230c6efd6a5} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\btumxlu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\Temp\regkeigm.dat (Rootkit.Agent) -> No action taken.


****************************************************

hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:51 PM, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Findall.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5} - c:\windows\system32\btumxlu.dll
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PackageCab -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1239929183609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239929248296
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} -
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} -
O20 - Winlogon Notify: tirycjvk - C:\WINDOWS\SYSTEM32\btumxlu.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 3841 bytes


************************************************************

What should I do next?

Thanks again for your assistance!!!!

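The HijackThis log above shows the pattern a responder looks for in a Vundo-style infection: the same DLL (btumxlu.dll) is registered both as an unnamed O2 BHO and as an O20 Winlogon Notify handler, so it is loaded by winlogon.exe and by the browser shell whenever the desktop is up, which is a common reason a "Delete on reboot" never takes. The following Python script is an added example, not part of this thread and not a HijackThis or Malwarebytes tool; it parses a few HijackThis-style lines constructed from the log above (the O2/O4/O20/O23 layout visible there is the only format it assumes) and flags any file that is referenced from more than one persistence section or registered as a nameless BHO. The two heuristics are this example's own, not rules from any of the tools in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis-style lines modelled on the log posted above.
SAMPLE_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)",
    r"O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)",
    r"O2 - BHO: (no name) - {76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5} - c:\windows\system32\btumxlu.dll",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - Winlogon Notify: tirycjvk - C:\WINDOWS\SYSTEM32\btumxlu.dll",
    r"O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe",
]

# "O<n> - <rest of line>": the section code tells us which persistence mechanism it is.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Drive-letter path up to the first PE-style extension; spaces are allowed inside.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys)\b", re.IGNORECASE)
# HijackThis marks registry entries whose target no longer exists on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_entries(lines):
    """Yield (section, text, path) per HJT line; path is lower-cased or None."""
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, text = m.groups()
        if any(marker in text for marker in ORPHAN_MARKERS):
            # Orphaned registry entry: nothing on disk to load, so no cross-reference.
            yield section, text, None
            continue
        found = PATH_RE.search(text)
        yield section, text, found.group(0).lower() if found else None


def triage(lines):
    """Return {path: [reasons]} for every file that trips a heuristic.

    Heuristics (assumptions of this example, not HijackThis rules):
      * an O2 BHO registered as "(no name)" but backed by a real file;
      * one file referenced from two or more different persistence sections.
    """
    sections_by_path = defaultdict(set)
    findings = defaultdict(list)
    for section, text, path in parse_entries(lines):
        if path is None:
            continue
        sections_by_path[path].add(section)
        if section == "O2" and "(no name)" in text:
            findings[path].append("BHO registered without a display name")
    for path, sections in sections_by_path.items():
        if len(sections) > 1:
            findings[path].append(
                "referenced from %d persistence points (%s)"
                % (len(sections), ", ".join(sorted(sections))))
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only btumxlu.dll is reported, with both reasons; ctfmon.exe and mbamservice.exe each appear in a single section and are left alone. On a real log the same cross-reference would also pick up the At1/At2/At3 scheduled tasks that the later ComboFix output shows pointing at the same DLL, which is the kind of corroboration worth having before deciding which persistence point to remove first.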
#6
Maurice Naggar

    Malware Eradicator

  • Moderators
  • PipPipPipPipPipPip
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Amelia,
It appears we are having a harder time removing some parts of the malware. I'd like for you to do the following things, as listed.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3



* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on Combo-Fix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
Posted Image
then be sure to write it down fully, copy it into your next reply here, and await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Please download VundoFix to your desktop.
  • Double-click VundoFix.exe to run it. If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
=


Download GMER from here and Save the zip file to your Desktop.
Right Click the Zip and Select "Extract All"
Double-click gmer.exe to launch the program. (If you get an immediate message about rootkit activity, ignore it and proceed with the instructions please)
Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.

Once the scan is done, press the Copy button, then open NOTEPAD.

Paste the results here in your reply.

Close all non-essential programs & windows that you have open.
Go here and download & SAVE Silent Runners.vbs (use IE to download it) to a new folder on your drive and run it. It generates a log too (the name will start with "Startup Programs"). It takes a minute or two and it will notify you with a popup when your log is ready (it will be in the new folder you created). Please post the information back in this thread. If your AV queries the script, allow it to run. It's not malicious. It simply generates a report on your system, and does not do any cleanup.
>
RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copies of the C:\Combofix.txt
the GMER log
and the Silent Runners report from above,
and advise: how is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7
ameliamessenger

    New Member

  • Members
  • Pip
  • 4 posts
Mbam keeps tripping on the same files with no delete.

******************************************
Combo-fix log (no rootkit detected):

ComboFix 09-04-20.02 - Amelia 04/19/2009 16:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.669 [GMT -5:00]
Running from: c:\documents and settings\Amelia\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-19 15:09 . 2009-04-19 15:09 -------- d-----w C:\_OTListIt
2009-04-19 00:45 . 2009-04-19 00:45 -------- d-----w c:\documents and settings\Amelia\Application Data\Safer Networking
2009-04-18 23:05 . 2009-04-18 23:05 -------- d-----w c:\documents and settings\Amelia\Application Data\AdobeUM
2009-04-18 23:04 . 2009-04-18 23:04 -------- d-----w c:\documents and settings\Amelia\Local Settings\Application Data\Adobe
2009-04-17 17:40 . 2009-04-17 17:40 -------- d-----w c:\documents and settings\Amelia\Local Settings\Application Data\Apple Computer
2009-04-17 11:49 . 2009-04-17 11:49 -------- d-----r c:\documents and settings\Amelia\Application Data\Brother
2009-04-17 09:45 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-17 03:31 . 2009-04-17 03:31 -------- d-----w c:\documents and settings\Amelia\Application Data\Malwarebytes
2009-04-17 03:28 . 2009-04-17 03:28 -------- d-sh--w c:\documents and settings\Amelia\IECompatCache
2009-04-17 03:28 . 2009-04-17 03:28 -------- d-sh--w c:\documents and settings\Amelia\PrivacIE
2009-04-17 03:27 . 2009-04-17 03:27 -------- d-sh--w c:\documents and settings\Amelia\IETldCache
2009-04-17 03:26 . 2009-04-17 03:26 -------- d-----w c:\windows\ie8updates
2009-04-17 03:26 . 2009-04-17 03:26 -------- dc-h--w c:\windows\ie8
2009-04-17 03:25 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-17 02:57 . 2009-04-17 02:57 -------- d-----w c:\windows\system32\XPSViewer
2009-04-17 02:57 . 2009-04-17 02:57 -------- d-----w C:\6915ff46180cce68df40
2009-04-17 02:57 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-17 02:57 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-17 02:57 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-17 02:57 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-17 02:57 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-17 02:57 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-17 02:57 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-17 02:52 . 2009-03-08 19:22 1241088 -c--a-w c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-17 02:52 . 2009-03-08 09:39 11063808 -c--a-w c:\windows\system32\dllcache\ieframe.dll
2009-04-17 02:52 . 2009-03-08 09:32 594432 -c--a-w c:\windows\system32\dllcache\msfeeds.dll
2009-04-17 02:52 . 2009-03-08 09:32 1985024 -c--a-w c:\windows\system32\dllcache\iertutil.dll
2009-04-17 02:52 . 2009-03-08 09:31 59904 -c--a-w c:\windows\system32\dllcache\icardie.dll
2009-04-17 02:52 . 2009-03-08 09:31 55296 -c--a-w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-17 02:52 . 2009-03-08 09:11 445952 -c--a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-17 02:52 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 02:52 . 2009-02-07 02:07 3698584 -c--a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-17 02:37 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-17 02:37 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-17 02:01 . 2009-04-17 02:01 -------- d-----w c:\windows\ServicePackFiles
2009-04-17 01:10 . 2004-08-04 10:00 71040 ----a-w c:\windows\system32\drivers\_004586_.tmp.dll
2009-04-17 01:02 . 2008-04-14 00:12 17408 ----a-w c:\windows\system32\SET5EC.tmp
2009-04-17 01:01 . 2006-12-28 19:01 19569 ----a-w c:\windows\006257_.tmp
2009-04-16 17:39 . 2009-04-16 17:39 0 ----a-w c:\windows\nsreg.dat
2009-04-16 15:34 . 2009-04-16 15:34 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-16 14:41 . 2009-04-16 14:41 13646 ----a-w c:\windows\system32\wpa.bak
2009-04-16 14:35 . 2004-08-04 10:00 79872 -c--a-w c:\windows\system32\dllcache\rwia330.dll
2009-04-16 14:34 . 2004-08-04 10:00 6144 -c--a-w c:\windows\system32\dllcache\ftlx041e.dll
2009-04-16 14:32 . 2009-04-16 14:32 488 ---ha-r c:\windows\system32\logonui.exe.manifest
2009-04-16 14:32 . 2009-04-16 14:32 749 ---ha-r c:\windows\WindowsShell.Manifest
2009-04-16 14:32 . 2009-04-16 14:32 749 ---ha-r c:\windows\system32\wuaucpl.cpl.manifest
2009-04-16 14:32 . 2009-04-16 14:32 749 ---ha-r c:\windows\system32\sapi.cpl.manifest
2009-04-16 14:32 . 2009-04-16 14:32 749 ---ha-r c:\windows\system32\ncpa.cpl.manifest
2009-04-16 14:31 . 2004-08-04 10:00 16384 -c--a-w c:\windows\system32\dllcache\isignup.exe
2009-04-16 09:02 . 2009-04-16 09:02 -------- d-----w c:\windows\dell
2009-04-15 11:12 . 2008-05-03 11:55 2560 ----a-w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 16:19 . 2008-07-01 04:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 15:42 . 2008-08-28 00:19 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-19 15:42 . 2008-08-28 00:19 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-19 15:34 . 2009-04-19 15:34 -------- d-----w c:\program files\Trend Micro
2009-04-19 00:57 . 2009-04-17 03:06 104272 ----a-w c:\documents and settings\Amelia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 02:57 . 2009-04-17 02:57 -------- d-----w c:\program files\MSBuild
2009-04-17 02:57 . 2009-04-17 02:57 -------- d-----w c:\program files\Reference Assemblies
2009-04-17 02:12 . 2009-04-17 02:12 -------- d-----w c:\program files\Windows Resource Kits
2009-04-17 01:35 . 2004-08-10 18:03 77423 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-16 16:55 . 2008-10-19 20:20 -------- d-----w c:\program files\QuickTime
2009-04-16 16:24 . 2007-05-10 05:49 -------- d-----w c:\program files\BAE
2009-04-16 14:31 . 2004-08-10 18:02 23444 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-16 14:30 . 2009-04-16 14:30 873 ----a-w c:\windows\Inf\COM1C5.tmp
2009-04-16 14:13 . 2007-05-12 02:27 4128 ----a-w C:\INFCACHE.1
2009-04-14 08:08 . 2008-10-20 00:32 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-14 02:54 . 2009-04-14 02:54 2411 ----a-w C:\reset.log
2009-04-06 20:32 . 2008-12-26 07:09 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-07-01 04:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-27 21:35 . 2007-11-01 01:21 -------- d-----w c:\program files\DropBox
2009-03-08 09:34 . 2006-03-04 03:33 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2004-08-04 10:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2004-08-04 10:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2004-08-04 10:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2004-08-04 10:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2004-08-04 10:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2004-08-04 10:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2004-08-04 10:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2004-08-04 10:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2004-08-04 10:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-21 13:55 . 2009-02-21 13:55 -------- d-----w c:\program files\NewBlue
2009-02-21 13:53 . 2009-02-21 13:52 -------- d-----w c:\program files\Sony
2009-02-21 13:52 . 2009-02-21 13:52 -------- d-----w c:\program files\Vstplugins
2009-02-09 12:10 . 2009-04-17 01:58 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2009-04-17 01:58 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2009-04-17 01:58 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2009-04-17 01:58 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2009-04-17 01:58 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2009-04-17 01:58 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2009-04-17 01:58 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2007-05-13 02:25 . 2007-05-13 02:22 168 --sha-r c:\windows\system32\B2BAF50479.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-19_01.33.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 23:41 . 2009-04-19 16:17 12104 c:\windows\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5}]
2004-08-04 10:00 103424 ----a-w c:\windows\system32\btumxlu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tirycjvk]
2004-08-04 10:00 103424 ----a-w c:\windows\system32\btumxlu.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Amelia Messenger^Start Menu^Programs^Startup^Picaboo.lnk]
path=c:\documents and settings\Amelia Messenger\Start Menu\Programs\Startup\Picaboo.lnk
backup=c:\windows\pss\Picaboo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"McProxy"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S0 awkaqjof;awkaqjof;c:\windows\system32\drivers\awkaqjof.sys [2004-08-04 23424]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nyobueqr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\At1.job
- c:\windows\system32\btumxlu.dll [2004-08-10 10:00]

2009-04-19 c:\windows\Tasks\At2.job
- c:\windows\system32\btumxlu.dll [2004-08-10 10:00]

2009-04-18 c:\windows\Tasks\At3.job
- c:\windows\system32\btumxlu.dll [2004-08-10 10:00]

2009-04-19 c:\windows\Tasks\User_Feed_Synchronization-{7BFB5460-5BCD-458A-9AB6-BC673BA3F2A5}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: PackageCab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-04-19 16:30
ComboFix-quarantined-files.txt 2009-04-19 21:30


***************************************************************************

Vundo: found nothing

***************************************************************************

Gmer:ComboFix 09-04-20.02 - Amelia 04/19/2009 16:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.669 [GMT -5:00]
Running from: c:\documents and settings\Amelia\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-19 15:09 . 2009-04-19 15:09 -------- d-----w C:\_OTListIt
2009-04-19 00:45 . 2009-04-19 00:45 -------- d-----w c:\documents and settings\Amelia\Application Data\Safer Networking
2009-04-18 23:05 . 2009-04-18 23:05 -------- d-----w c:\documents and settings\Amelia\Application Data\AdobeUM
2009-04-18 23:04 . 2009-04-18 23:04 -------- d-----w c:\documents and settings\Amelia\Local Settings\Application Data\Adobe
2009-04-17 17:40 . 2009-04-17 17:40 -------- d-----w c:\documents and settings\Amelia\Local Settings\Application Data\Apple Computer
2009-04-17 11:49 . 2009-04-17 11:49 -------- d-----r c:\documents and settings\Amelia\Application Data\Brother
2009-04-17 09:45 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-17 03:31 . 2009-04-17 03:31 -------- d-----w c:\documents and settings\Amelia\Application Data\Malwarebytes
2009-04-17 03:28 . 2009-04-17 03:28 -------- d-sh--w c:\documents and settings\Amelia\IECompatCache
2009-04-17 03:28 . 2009-04-17 03:28 -------- d-sh--w c:\documents and settings\Amelia\PrivacIE
2009-04-17 03:27 . 2009-04-17 03:27 -------- d-sh--w c:\documents and settings\Amelia\IETldCache
2009-04-17 03:26 . 2009-04-17 03:26 -------- d-----w c:\windows\ie8updates
2009-04-17 03:26 . 2009-04-17 03:26 -------- dc-h--w c:\windows\ie8
2009-04-17 03:25 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-17 02:57 . 2009-04-17 02:57 -------- d-----w c:\windows\system32\XPSViewer
2009-04-17 02:57 . 2009-04-17 02:57 -------- d-----w C:\6915ff46180cce68df40
2009-04-17 02:57 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-17 02:57 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-17 02:57 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-17 02:57 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-17 02:57 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-17 02:57 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-17 02:57 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-17 02:52 . 2009-03-08 19:22 1241088 -c--a-w c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-17 02:52 . 2009-03-08 09:39 11063808 -c--a-w c:\windows\system32\dllcache\ieframe.dll
2009-04-17 02:52 . 2009-03-08 09:32 594432 -c--a-w c:\windows\system32\dllcache\msfeeds.dll
2009-04-17 02:52 . 2009-03-08 09:32 1985024 -c--a-w c:\windows\system32\dllcache\iertutil.dll
2009-04-17 02:52 . 2009-03-08 09:31 59904 -c--a-w c:\windows\system32\dllcache\icardie.dll
2009-04-17 02:52 . 2009-03-08 09:31 55296 -c--a-w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-17 02:52 . 2009-03-08 09:11 445952 -c--a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-17 02:52 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 02:52 . 2009-02-07 02:07 3698584 -c--a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-17 02:37 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-17 02:37 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-17 02:01 . 2009-04-17 02:01 -------- d-----w c:\windows\ServicePackFiles
2009-04-17 01:10 . 2004-08-04 10:00 71040 ----a-w c:\windows\system32\drivers\_004586_.tmp.dll
2009-04-17 01:02 . 2008-04-14 00:12 17408 ----a-w c:\windows\system32\SET5EC.tmp
2009-04-17 01:01 . 2006-12-28 19:01 19569 ----a-w c:\windows\006257_.tmp
2009-04-16 17:39 . 2009-04-16 17:39 0 ----a-w c:\windows\nsreg.dat
2009-04-16 15:34 . 2009-04-16 15:34 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-16 14:41 . 2009-04-16 14:41 13646 ----a-w c:\windows\system32\wpa.bak
2009-04-16 14:35 . 2004-08-04 10:00 79872 -c--a-w c:\windows\system32\dllcache\rwia330.dll
2009-04-16 14:34 . 2004-08-04 10:00 6144 -c--a-w c:\windows\system32\dllcache\ftlx041e.dll
2009-04-16 14:32 . 2009-04-16 14:32 488 ---ha-r c:\windows\system32\logonui.exe.manifest
2009-04-16 14:32 . 2009-04-16 14:32 749 ---ha-r c:\windows\WindowsShell.Manifest
2009-04-16 14:32 . 2009-04-16 14:32 749 ---ha-r c:\windows\system32\wuaucpl.cpl.manifest
2009-04-16 14:32 . 2009-04-16 14:32 749 ---ha-r c:\windows\system32\sapi.cpl.manifest
2009-04-16 14:32 . 2009-04-16 14:32 749 ---ha-r c:\windows\system32\ncpa.cpl.manifest
2009-04-16 14:31 . 2004-08-04 10:00 16384 -c--a-w c:\windows\system32\dllcache\isignup.exe
2009-04-16 09:02 . 2009-04-16 09:02 -------- d-----w c:\windows\dell
2009-04-15 11:12 . 2008-05-03 11:55 2560 ----a-w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 16:19 . 2008-07-01 04:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 15:42 . 2008-08-28 00:19 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-19 15:42 . 2008-08-28 00:19 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-19 15:34 . 2009-04-19 15:34 -------- d-----w c:\program files\Trend Micro
2009-04-19 00:57 . 2009-04-17 03:06 104272 ----a-w c:\documents and settings\Amelia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 02:57 . 2009-04-17 02:57 -------- d-----w c:\program files\MSBuild
2009-04-17 02:57 . 2009-04-17 02:57 -------- d-----w c:\program files\Reference Assemblies
2009-04-17 02:12 . 2009-04-17 02:12 -------- d-----w c:\program files\Windows Resource Kits
2009-04-17 01:35 . 2004-08-10 18:03 77423 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-16 16:55 . 2008-10-19 20:20 -------- d-----w c:\program files\QuickTime
2009-04-16 16:24 . 2007-05-10 05:49 -------- d-----w c:\program files\BAE
2009-04-16 14:31 . 2004-08-10 18:02 23444 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-16 14:30 . 2009-04-16 14:30 873 ----a-w c:\windows\Inf\COM1C5.tmp
2009-04-16 14:13 . 2007-05-12 02:27 4128 ----a-w C:\INFCACHE.1
2009-04-14 08:08 . 2008-10-20 00:32 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-14 02:54 . 2009-04-14 02:54 2411 ----a-w C:\reset.log
2009-04-06 20:32 . 2008-12-26 07:09 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-07-01 04:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-27 21:35 . 2007-11-01 01:21 -------- d-----w c:\program files\DropBox
2009-03-08 09:34 . 2006-03-04 03:33 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2004-08-04 10:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2004-08-04 10:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2004-08-04 10:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2004-08-04 10:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2004-08-04 10:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2004-08-04 10:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2004-08-04 10:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2004-08-04 10:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2004-08-04 10:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-21 13:55 . 2009-02-21 13:55 -------- d-----w c:\program files\NewBlue
2009-02-21 13:53 . 2009-02-21 13:52 -------- d-----w c:\program files\Sony
2009-02-21 13:52 . 2009-02-21 13:52 -------- d-----w c:\program files\Vstplugins
2009-02-09 12:10 . 2009-04-17 01:58 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2009-04-17 01:58 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2009-04-17 01:58 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2009-04-17 01:58 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2009-04-17 01:58 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2009-04-17 01:58 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2009-04-17 01:58 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2007-05-13 02:25 . 2007-05-13 02:22 168 --sha-r c:\windows\system32\B2BAF50479.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-19_01.33.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 23:41 . 2009-04-19 16:17 12104 c:\windows\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5}]
2004-08-04 10:00 103424 ----a-w c:\windows\system32\btumxlu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tirycjvk]
2004-08-04 10:00 103424 ----a-w c:\windows\system32\btumxlu.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Amelia Messenger^Start Menu^Programs^Startup^Picaboo.lnk]
path=c:\documents and settings\Amelia Messenger\Start Menu\Programs\Startup\Picaboo.lnk
backup=c:\windows\pss\Picaboo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"McProxy"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S0 awkaqjof;awkaqjof;c:\windows\system32\drivers\awkaqjof.sys [2004-08-04 23424]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nyobueqr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\At1.job
- c:\windows\system32\btumxlu.dll [2004-08-10 10:00]

2009-04-19 c:\windows\Tasks\At2.job
- c:\windows\system32\btumxlu.dll [2004-08-10 10:00]

2009-04-18 c:\windows\Tasks\At3.job
- c:\windows\system32\btumxlu.dll [2004-08-10 10:00]

2009-04-19 c:\windows\Tasks\User_Feed_Synchronization-{7BFB5460-5BCD-458A-9AB6-BC673BA3F2A5}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: PackageCab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-04-19 16:30
ComboFix-quarantined-files.txt 2009-04-19 21:30



***********************************************************

silent runner:

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"EPSON Stylus CX7800 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"" ["SEIKO EPSON CORPORATION"]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" [file not found]
{76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\windows\system32\btumxlu.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}" = "RXDCExtShlExt extension"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Roxio\Virtual Drive 9\DC_ShellExt.dll" ["Sonic Solutions"]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Sonic Solutions"]
"{16148659-720A-457d-850B-2DBD87BB129D}" = "Audible Shlell Extension"
-> {HKLM...CLSID} = "AudibleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Audible\Bin\AudibleExt.dll" ["Audible, Inc."]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> tirycjvk\DLLName = "btumxlu.dll" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{16148659-720A-457d-850B-2DBD87BB129D}\(Default) = "Audible Column Ext"
-> {HKLM...CLSID} = "AudibleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Audible\Bin\AudibleExt.dll" ["Audible, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
RXDCExtSvr\(Default) = "{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Roxio\Virtual Drive 9\DC_ShellExt.dll" ["Sonic Solutions"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
RXDCExtSvr\(Default) = "{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Roxio\Virtual Drive 9\DC_ShellExt.dll" ["Sonic Solutions"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\My Documents\Desktop 1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Amelia\My Documents\Desktop 1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

DMXPlayDVD\
"Provider" = "Dell CinePlayer"
"InvokeProgID" = "DMX.PLAYDVD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\DMX.PLAYDVD\shell\Play\Command\(Default) = "C:\Program Files\Dell\Media Experience\DMX.exe DVD "Play %1"" [null data]

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

MediaCapture9Music\
"Provider" = "Media Import 8"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Audio"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Audio\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -audio %L" ["Sonic Solutions"]

MediaCapture9Photos\
"Provider" = "Media Import 8"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Photo"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Photo\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -photo %L" ["Sonic Solutions"]

MediaCapture9VideoCamera\
"Provider" = "Media Import 8"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MediaCapture9Videos\
"Provider" = "Media Import 8"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Video"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Video\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -video %L" ["Sonic Solutions"]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

PTSOnArrivalHandler\
"Provider" = "Kodak EasyShare software"
"InvokeProgID" = "Ptswia.WiaEvents.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Ptswia.WiaEvents.1\shell\open\DropTarget\CLSID = "{66A41C80-C64A-45A9-8BC9-0D58DE47C007}"
-> {HKLM...CLSID} = "WiaEvents Class"
\LocalServer32\(Default) = ""C:\Program Files\Kodak\Kodak EasyShare software\bin\ptswia.exe"" [null data]

RoxioCreator9PlayCDAudioOnArrival\
"Provider" = "Roxio Creator Classic"
"InvokeProgID" = "Creator9"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Creator9\shell\open\Command\(Default) = "C:\Program Files\Roxio\Creator Classic 9\Creator9.exe" ["Sonic Solutions"]

RoxioSCAudioCDTask33\
"Provider" = "Roxio RecordNow Audio"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {8E376824-EA6C-4CB7-AA05-A30CB84D359B}" [null data]

RoxioSCCopyCD33\
"Provider" = "Roxio RecordNow Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCCopyDisc33\
"Provider" = "Roxio RecordNow Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCDataProject33\
"Provider" = "Roxio RecordNow Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch Data" [null data]

RoxioSCDataTask33\
"Provider" = "Roxio RecordNow Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {D085B12D-4D9B-49C2-8323-5053831CBD54}" [null data]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

SonicSCAudioCDTask\
"Provider" = "Roxio RecordNow Audio"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {EBD22732-1CC3-4CD7-9A45-B8D98DA0E784}" [null data]

SonicSCCopyCD\
"Provider" = "Roxio RecordNow Copy"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCCopyDisc\
"Provider" = "Roxio RecordNow Copy"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCDataProject\
"Provider" = "Roxio RecordNow Data"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch Data" [null data]

SonicSCDataTask\
"Provider" = "Roxio RecordNow Data"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {0BAC5C34-DF45-4C0F-8D64-8E92DCCF007D}" [null data]

SonicVideoCameraArrival\
"Provider" = "Sonic Solutions"
"ProgID" = "MyDVD.MyDVDAPHandler"
"InitCmdLine" = "new"
HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"
-> {HKLM...CLSID} = "MyDVDAPHandler Class"
\LocalServer32\(Default) = "C:\PROGRA~1\Roxio\MyDVD\MyDVD.EXE -autoplay" ["Sonic Solutions"]

SonicVideoCameraArrivalDirect\
"Provider" = "Sonic Solutions"
"ProgID" = "MyDVD.MyDVDAPHandler"
"InitCmdLine" = "direct"
HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"
-> {HKLM...CLSID} = "MyDVDAPHandler Class"
\LocalServer32\(Default) = "C:\PROGRA~1\Roxio\MyDVD\MyDVD.EXE -autoplay" ["Sonic Solutions"]

SonyBlankDVDInsert_DVDA40\
"Provider" = "Sony DVD Architect Studio 4.0"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Sony\DVD Architect Studio 4.0\dvdarchst40.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

SonyDVConnectMovieStudioPE70\
"Provider" = "Sony Vegas Movie Studio Platinum 7.0"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Sony\Vegas Movie Studio Platinum 7.0\VegasMovieStudioPE70.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


Enabled Scheduled Tasks:
------------------------

"At1" -> launches: "C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\btumxlu.dll,DllMain -" [MS]
"At2" -> launches: "C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\btumxlu.dll,DllMain -" [MS]
"At3" -> launches: "C:\WINDOWS\system32\rundll32.exe c:\windows\system32\btumxlu.dll,DllMain -" [MS]
"EasyShare Registration Task" -> launches: "C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.8.50.2.sxt _RegistrationOffer@16" [MS]
"User_Feed_Synchronization-{7BFB5460-5BCD-458A-9AB6-BC673BA3F2A5}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 09
%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

MBAMService, MBAMService, ""C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"" ["Malwarebytes Corporation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus CX7800 Series 2KMonitor5A\Driver = "E_FLMAFA.DLL" ["SEIKO EPSON CORPORATION"]
EPSON Stylus CX7800 Series 32MonitorBA\Driver = "E_FLBAFA.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2009-04-19 18:03:10)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 58 seconds, including 18 seconds for message boxes)



**************


The system runs incredibly slowly. I am finished typing way before it actually shows up on the screen.

What next?
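The Silent Runners legend above explains its own markers (`<<!>>` for a malware launch point, `<<H>>` for a browser hijack point), and the `[null data]` / `[file not found]` annotations mean the script could not verify the referenced file. The following is an added triage example, not code from this thread or from the Silent Runners or ComboFix authors: it parses a few lines copied from the report above, collects the flagged entries, and pivots on the file name they share, which is how a helper ties the BHO, the Winlogon Notify entry and the At1 task together. The rundll32-DLL task heuristic, the minimum-hit threshold and the function names are assumptions of this example.

```python
"""Triage helper for Silent Runners style autostart reports (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Lines copied from the Silent Runners report posted above (used as sample input).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" [file not found]
{76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\windows\system32\btumxlu.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> tirycjvk\DLLName = "btumxlu.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]

Enabled Scheduled Tasks:
------------------------

"At1" -> launches: "C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\btumxlu.dll,DllMain -" [MS]
"EasyShare Registration Task" -> launches: "C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.8.50.2.sxt _RegistrationOffer@16" [MS]
"User_Feed_Synchronization-{7BFB5460-5BCD-458A-9AB6-BC673BA3F2A5}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]
"""

# Markers the report itself uses; meanings taken from its legend.
MARKERS = {"<<!>>": "flagged: suspicious data at a malware launch point",
           "<<H>>": "flagged: suspicious data at a browser hijack point"}
# Annotations that mean the script could not verify the referenced file.
UNVERIFIED = ("[null data]", "[file not found]")
# Assumed heuristic: a scheduled task that hands a DLL to rundll32.exe.
RUNDLL_TASK = re.compile(
    r'^"(?P<task>[^"]+)" -> launches: "[^"]*rundll32\.exe\s+(?P<dll>\S+?\.dll)\b',
    re.IGNORECASE)
QUOTED_VALUE = re.compile(r'= "([^"]+)"')


def basename(path):
    """Last path component, lower-cased, for Windows or URL-style separators."""
    return re.split(r"[\\/]", path)[-1].lower()


@dataclass
class Finding:
    line: str
    reasons: list
    artifact: str  # lower-cased file name the entry points at ("" if none)


def triage(log_text):
    """Return one Finding per report line that carries a suspicious signal."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons, artifact = [], ""
        for tag, meaning in MARKERS.items():
            if line.startswith(tag):
                reasons.append(meaning)
        for annotation in UNVERIFIED:
            if line.endswith(annotation):
                reasons.append(f"unverified file {annotation}")
        task = RUNDLL_TASK.match(line)
        if task:
            reasons.append(f"scheduled task {task.group('task')!r} loads a DLL via rundll32")
            artifact = basename(task.group("dll"))
        elif reasons:
            quoted = QUOTED_VALUE.search(line)
            if quoted:
                artifact = basename(quoted.group(1))
        if reasons:
            findings.append(Finding(line, reasons, artifact))
    return findings


def pivots(findings, min_hits=2):
    """File names shared by several suspicious launch points: the lead to chase."""
    counts = Counter(f.artifact for f in findings if f.artifact)
    return {name: n for name, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("; ".join(f.reasons))
        print("   ", f.line)
    print("shared artifacts:", pivots(found))
```

Run against the sample, the script reports five suspicious lines and one shared artifact, `btumxlu.dll`, hit three times (the BHO InProcServer32, the Winlogon Notify DLL and the At1 task), which matches the files and keys the moderator's CFScript below targets. The `[file not found]` Adobe entry is reported too: an orphaned entry is worth noting but is not by itself evidence of infection, so the pivot count, not any single line, is what separates the two.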

#8
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad and copy/paste the text in between the **** stars **** below into it:

****************************************************************************************
File::
c:\windows\system32\drivers\_004586_.tmp.dll
c:\windows\system32\SET5EC.tmp
c:\windows\006257_.tmp
c:\windows\system32\btumxlu.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job

Folder::
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Browser Helper Objects\{76BBAD2B-D4F8-4CC9-92A8-A230C6EFD6A5}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tirycjvk]


Driver::
nyobueqr
tirycjvk

****************************************************************************************

Save this as CFScript.txt, in the same location as ComboFix.exe

Now, Close any open browsers, especially Internet Explorer.


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2009 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

Reply with a copy of C:\Combofix.txt
and the new MBAM scan log
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
