InterviewSolution
451. Solve: Antivirus Searching?

Answer» Hi,

452. Solve: what is 503 privoxy message??

Answer» Hello, Jenny, go here, post the required logs and a specialist will assist you.

453. Solve: No icons, start menu, only desktop background...?

Answer» I have a HP a712n computer. I am using Windows XP and my task manager does work. I have tried all of the following to try and fix this, but so far, nothing has worked... I am having the exact same problem. Only my background shows up. Task manager works, and I am also having the "windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item". Please, SOMEONE HELP!

You need to either start your own thread or sit quietly and watch this one. This is not your thread.

Quote from: Allan on November 02, 2009, 11:36:34 AM
You need to either start your own thread or sit quietly and watch this one. This is not your thread.

umm ya Allan, i started my own. That "patio" guy posted some click here stuff, which just told me how to get rid of spyware, malware, viruses, etc. Yeah, what great help. -.- I don't have the start menu. I access everything through task manager. The only way I got Malwarebytes and Superantispyware to run was to run exehelper and then hurry up and run the scan.

Okay. If I were you I'd download a boot time AV scanner, burn it to a CD, boot to it and run a full virus scan at boot.

Quote from: Allan on November 02, 2009, 11:58:27 AM
Okay. If I were you I'd download a boot time AV scanner, burn it to a CD, boot to it and run a full virus scan at boot.

Not sure if you are talking to me or not. I know it's not my post, but not getting much help from anyone else. What should I download? I have tried: Advanced System Care, O.S. Pro, Superantispyware, Spyhunter, Panda Security, AVG 8.0, Norton Spyware Removal Pro, etc.

I am NOT talking to you in this thread. Please, this is not your thread - you are only confusing things here.

454. Solve: Yahoo-Google Virus Help Please?

Answer» I believe I have a Search Engine Virus. Can anyone please help me?

455. Solve: Blue Screen Issues - Infection Suspected?

Answer» I am running Windows XP, SP3 and I noticed several issues:

----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

456. Solve: Data Execution Prevention prevents Userinit Logon Application?

Answer» So today I began to suspect I had some serious viruses/spyware on my computer. Whatever it was, it wasn't allowing me to run any virus scans. So I restarted my computer in safe mode and was able to run a complete scan with SuperAntiSpyware. After removing about 50 things, it asked me to reboot my computer.

457. Solve: Can't clean computer?

Answer» My computer was recently infected by Trojans and malware.

458. Solve: Runtime packed FSG?

Answer» I was running a scan using Malwarebyte's Anti-Malware and halfway, I got an alert from AVG regarding a Runtime packed FSG threat and it's directed at Malwarebyte's Anti-Malware. I've included a screenshot of the alert.

459. Solve: Blue Screen Of Death! Pro Please Help Me!?

Answer» Below is the HijackThis log

0x0000008E KERNEL_MODE_EXCEPTION_NOT_HANDLED Further info here.. but you have not posted the ENTIRE displayed error message. Please read this advice and respond accordingly.

460. Solve: WinXP will not boot, so I can't get rid of malware...help please?

Answer» Hello Staff,

461. Solve: Antivirus System Pro = evil?

Answer» I could use some help getting rid of this and whatever else the logs show.

O1 - Hosts: 91.212.127.227 winwarepro.microsoft.com

2) Please download the program HostsXpert
Unzip HostsXpert.zip. It will create a folder named HostsXpert in whatever folder you extract it to.
Run HostsXpert.exe by double clicking on it.
Click the Make Writeable? button.
Click Restore Microsoft's Hosts File and then click OK.
Click the X to exit the program.
Please copy and paste a new Hijackthis log taken after running HostsXpert in your reply.

3) Next download RootRepeal.rar and unzip it to your Desktop. You'll need WinRAR to extract it.
* Double click RootRepeal.exe to start the program
* Click on the Report tab at the bottom of the program window
* Click the Scan button
* In the Select Scan dialog, check:
  o Drivers
  o Files
  o Processes
  o SSDT
  o Stealth Objects
  o Hidden Services
* Click the OK button
* In the next dialog, select all drives showing
* Click OK to start the scan
The scan can take some time. DO NOT run any other programs while the scan is running.
* When the scan is complete, the Save Report button will become available
* Click this and save the report to your Desktop as RootRepeal.txt
* Go to File, then Exit to close the program
* Attach this log in your next post.

4) Download DDS by sUBs to your desktop. Your antivirus software might question the file. If it does, allow it.
* Double click DDS.scr to run it and wait for the scan to finish
* When finished DDS.txt will open
* A small while later, a prompt will open. Answer Yes
* DDS will continue scanning
* When done, Attach.txt will open
Copy and paste the DDS.txt and attach Attach.txt

HJT Log after HostsXpert was run [Saving space, attachment deleted by admin]

Rootrepeal Log [Saving space, attachment deleted by admin]

Griz, where are the other logs? Please include DDS.txt and attach.txt as well.

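The O1 line in this thread points a Microsoft hostname at an outside address, which is why the helper restores the hosts file before anything else. The following is an added example, not code from the thread or from HostsXpert: it parses a constructed hosts file, flags vendor domains redirected away from loopback, and rewrites the file without those lines. The watch list of protected domains and the sample entries are assumptions for the demonstration.

```python
import ipaddress

# Constructed sample hosts-file text (not taken from any real machine). The
# winwarepro line mirrors the HijackThis "O1 - Hosts:" entry quoted in the
# thread; the malwarebytes line is an added constructed example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
91.212.127.227  winwarepro.microsoft.com
91.212.127.227  www.malwarebytes.org   # constructed example
::1             localhost
0.0.0.0         ads.example.invalid
"""

# Hypothetical watch list: vendor domains a rogue AV commonly redirects so
# that updates and removal tools cannot be downloaded.
PROTECTED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "malwarebytes.org",
    "superantispyware.com",
)

# Addresses that block rather than redirect a name.
LOOPBACK_OR_NULL = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comment text after '#' and blank lines are ignored; a single line may map
    one IP to several hostnames, producing one pair per hostname.
    """
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address; skip malformed line
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def _is_protected(hostname):
    return any(hostname == s or hostname.endswith("." + s)
               for s in PROTECTED_SUFFIXES)


def find_hijacks(text):
    """Split protected-domain entries into (redirects, blocks).

    A protected name pointed at an outside address is a redirect (the rogue AV
    pattern). A protected name pointed at loopback/null only blocks it, which a
    reviewer may still want to see, so it is reported separately.
    """
    redirects, blocks = [], []
    for ip, name in parse_hosts(text):
        if not _is_protected(name):
            continue
        (blocks if ip in LOOPBACK_OR_NULL else redirects).append((ip, name))
    return redirects, blocks


def clean_hosts(text):
    """Return hosts-file text with every redirect line dropped.

    All other lines, including comments, spacing and loopback entries, are
    kept exactly as written. A line carrying several names is dropped whole
    if any of them is a flagged redirect.
    """
    bad = set(find_hijacks(text)[0])
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            try:
                ip = str(ipaddress.ip_address(fields[0]))
            except ValueError:
                ip = None
            if ip and any((ip, n.lower()) in bad for n in fields[1:]):
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    redirects, blocks = find_hijacks(SAMPLE_HOSTS)
    for ip, name in redirects:
        print(f"REDIRECT  {name} -> {ip}")
    for ip, name in blocks:
        print(f"blocked   {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a real machine the file lives at %SystemRoot%\System32\drivers\etc\hosts and is normally read-only, which is what the "Make Writeable?" step in the thread addresses.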
462. Solve: Sending Logs after following your infection removal instructions?

Answer» I am copying and pasting the 3 logs created when I followed the directions "Read this before requesting malware removal help." My problem started with somehow getting ask.com as my browser instead of Internet Explorer. A few days later a screen popped up in red saying "Access File is infected" and Trojan Horse Injector.GJ. It didn't look like my anti-virus program so I didn't do anything about it. I then tried to get rid of ask.com which I did, but I couldn't get Internet Explorer back. My son did some things to it and when I started it back up, I got the exe.bad image messages which led me to search for a resolution which led me to your page. I followed the instructions exactly and after doing Step 4 (Malwarebytes) scan, the Trojan.vrondo (I didn't write it down at the time) was found and after that was removed the exe.bad image messages stopped. The computer seems to be working properly now--maybe a little slower.

463. Solve: Help please! Malwarebytes won't run. SAS and HJT Logs included...?

Answer» Hi there,
Thanks for the reply and sorry for the delay, I had some trouble disabling all aspects of my antivirus software. Everything seemed to run fine after that. I have attached both of the requested logs. I don't know if this is worth noting or not, but after I ran Combofix and the computer restarted, I got the RUNDLL errors for both hafimiw.dll and c:\windows\system32\rosogobu11. I'm guessing those are remnants of malware that have been deleted. Didn't know if it was relevant but I figured full disclosure was best. Thanks for your help on this! [Saving space, attachment deleted by admin]

Quote from: caytidid on November 07, 2009, 05:29:20 PM
Thanks for your help on this!

You're welcome.

Quote from: caytidid on November 07, 2009, 05:29:20 PM
after I ran Combofix and the computer restarted, I got the RUNDLL errors for both hafimiw.dll and c:\windows\system32\rosogobu11. I'm guessing those are remnants of malware that have been deleted. Didn't know if it was relevant but I figured full disclosure was best.

Yes and we will take care of that. Did you create these folders and files?

Quote
2009-11-07 21:24 . 2009-11-07 21:30 -------- d-----w- c:\program files\Attempt 6 SM

I created all of them while attempting to re-download mbam, except for the last one "lmxiyi". I don't recognize that one at all and noticed it was created on a different day than the rest. My apologies for the, ummm, colorful file names. It was a frustrating day. *blushing* I can delete them now if you would like me to since they didn't work anyway.

Quote
My apologies for the, ummm, colorful file names.

I've seen worse...

Quote
I can delete them now if you would like me to since they didn't work anyway.

We can do it with ComboFix since we need to run it again anyway.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
c:\program files\xxxx.exe
c:\program files\mw-upfucker.exe

Folder::
c:\program files\Attempt 6 SM
c:\program files\Attempt 5
c:\program files\Attempt 4
c:\program files\Attempt 3
c:\program files\please work
c:\program files\MF
c:\program files\MW-upfucker
c:\program files\lmxiyi

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.

Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

----------

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.
* Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
  1) DDS.txt
  2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment. Please just post it as you would any other log by copy and pasting it into the reply.

----------

Next post please add:
ComboFix log
Both DDS logs

Done and done! I attached the Combofix, DDS, and Attach logs rather than copy and pasting them since they are apparently too large to add to the message body. I hope that's alright. [Saving space, attachment deleted by admin]

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups. Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply. Exit out of MessengerDisable then delete the two files that were put on the desktop.

----------

Download JavaRa
* Unzip the file and open the JavaRa.exe
* Click Remove Older Versions
* JavaRa will search for and remove any outdated version of Java and remove any that are found.
* Click Additional Tasks
* Place a check next to Remove Useless JRE Files and click Go
* Exit JavaRa
* Delete the JavaRa files from the desktop

----------

Go to Add or Remove Programs and uninstall:
- Viewpoint Manager (Remove Only)
- Viewpoint Media Player

----------

We need to use ComboFix again.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

Folder::
C:\Program Files\Viewpoint
c:\program files\Malwarebytes' Anti-Malware Attempt 2

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.

Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

----------

I think we deleted Malwarebytes in that last fix. If it is still installed then update it and run a scan. Post the log it creates. If you need to download it again be sure to update it before the scan. Malwarebytes' Anti-Malware (MBAM)

Also let me know how the computer is running now.

Good Morning! I have attached the most recent combofix log as well as the mbam log. While I was running combofix, I got the following notification "PEV.cfxxe has encountered a problem and needs to close...". I left it alone because combofix seemed to be running ok. As far as I can tell, everything seems to be running normally now Yay! (hopefully that's not a premature celebration) Let me know if you need anything else and thanks! - Cayti [Saving space, attachment deleted by admin]

464. Solve: chkdsk /r under recovery...????

Answer» When I type in chkdsk /r, do I type in 1? 1 is for D, 3 is for C, which is my main drive. Which one do I choose?

Which one do you want to check?

I don't know. In my other post, Allan told me to put in the number 1 because I cannot get my desktop back. He said I might have to get the Windows XP CD and install it again. I have no icons, taskbars. I have to access everything through the task manager.

If your operating system is installed on the C:\ drive then that's the one you want to check. I'm not sure why your configuration isn't typical though.

I don't know why it is like that. This was my son's computer and it has the recovery installed in it. I am going to try it and type in 3 for my C drive. Is there anything else that I need to know before doing this?

Okay, I did the chkdsk /r on my C drive and it didn't help. Back to square one.

I don't know what the problem is. I'm not a specialist for this anyway.

465. Solve: can't get my computer to go into safe mode?

Answer» Hello, I can't run my computer in safe mode. It is running as good as ever, so I don't understand why it wouldn't go into safe mode. When I restart my computer then F8 to go into safe mode it will say
multi (0) disk (0) disk (0)ruisk (0) partition (0)\windows\ fonts\vgaoem.fon
multi (0) disk (0) disk (0)ruisk (0) partition (0)\windows\ appatch\ drivai.sdl
It will show like 30 like this one below with a lot of short 3, 4 and 5 letter words after driver
multi (0) disk (0) disk (0)ruisk (0) partition (0)\windows\ system32\ drivers
About ten minutes later it will go through, but not in safe mode, but it doesn't make that noise like it's shutting off and turning back on, no beep or nothing; it will quietly go right to where my computer begins like I just turned it on. I meant to say F8.

Have you tried tapping F8 at start up instead of Ctrl8.

466. Solve: google redirect..?

Answer» Quote from: evilfantasy on September 02, 2009, 08:02:23 PM
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

I don't mean to question you ef but why?

ComboFix 09-09-02.02 - Customer 09/02/2009 21:18.1.4 - NTFSx86
uStart Page = hxxp://www.curse.com/ mStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/keyword/%s DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB DPF: {7D4733C0-C43B-4A81-AF43-F9B20D1F8348} - hxxp://www.octoshape.com/files/octosetupGotFrag.cab DPF: {B8A48F42-30E1-48f8-AE87-7BD7C75DB8AA} - hxxp://www.srtest.com/srl_bin/sysreqlab_test.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab FF - ProfilePath - c:\documents and settings\Customer\Application Data\Mozilla\Firefox\Profiles\lx4hbh99.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-02 21:33 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-484763869-1202660629-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID] Denied: (Full) (LocalSystem) [HKEY_USERS\S-1-5-21-484763869-1202660629-682003330-1003\Software\SecuROM\License information*] "datasecu"=hex:4c,77,61,19,2a,84,09,02,a9,ac,0b,91,31,61,c5,0a,60,69,6b,57,8a, 4e,74,6a,08,10,98,6e,44,f3,19,27,49,2a,d6,87,55,12,92,35,8d,00,ed,63,fe,74,\ "rkeysecu"=hex:6f,c1,8d,4f,4c,7c,a4,72,e4,e6,0b,91,d2,83,44,ef [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}] Denied: (A 2) (Everyone) ="FlashBroker" "LocalizedString"="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32] ="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib] ="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}] Denied: (A 2) (Everyone) ="IFlashBroker3" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32] ="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib] ="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(732) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(3152) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\nvsvc32.exe c:\windows\system32\rundll32.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\windows\system32\wdfmgr.exe c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe . ************************************************************************** . Completion time: 2009-09-03 21:35 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-03 02:35 Pre-Run: 127,226,544,128 bytes free Post-Run: 127,111,868,416 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /PAE 353 --- E O F --- 2009-09-02 20:28 Sorry it took so long, i went as fast as i could. Delete these files/folders, as follows: 1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad. 2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C Code: [Select]KillAll:: Driver:: tnpfb81 4180b6ce.sys FCopy:: C:\WINDOWS\ServicePackFiles\i386\proquota.exe | c:\windows\system32\proquota.exe C:\WINDOWS\ServicePackFiles\i386\beep.sys | c:\windows\system32\drivers\beep.sys 3. Go to the Notepad window and click Edit > Paste 4. Then click File > Save 5. Name the file CFScript.txt - Save the file to your Desktop 6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the SCREENSHOT below. 
Important: PERFORM this instruction carefully!

ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

ComboFix 09-09-02.02 - Customer 09/02/2009 21:55.2.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2878 [GMT -5:00]
Running from: c:\documents and settings\Customer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Customer\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_4180b6ce.sys
-------\Service_tnpfb81


((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-03 02:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-03 02:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-03 01:50 . 2009-09-03 01:50 -------- d-----w- C:\_OTL
2009-09-02 23:16 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-02 23:16 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-02 23:16 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-02 23:16 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-02 23:16 . 2009-09-02 23:16 -------- d-----w- c:\program files\Avira
2009-09-02 23:16 . 2009-09-02 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-30 16:20 . 2009-08-30 16:20 -------- d-----w- c:\documents and settings\Customer\Application Data\Software Defender
2009-08-30 16:08 . 2009-08-30 20:20 -------- d-----w- C:\GameCommanderPro
2009-08-30 16:08 . 2009-08-30 16:08 -------- d-----w- c:\program files\GameCommanderPro
2009-08-30 06:07 . 2009-08-30 06:07 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-08-30 06:04 . 2009-08-30 06:38 -------- d-----w- c:\program files\COMODO
2009-08-29 02:46 . 2009-08-29 02:46 -------- d-----w- c:\program files\ERUNT
2009-08-28 22:21 . 2009-08-28 22:21 120 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\Qyinag.dat
2009-08-28 22:15 . 2009-08-28 22:15 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\{24CA42D1-2CBF-4A3B-BDC8-8C983CEBC299}
2009-08-28 20:57 . 2009-08-29 02:07 120 ----a-w- c:\windows\Qyinag.dat
2009-08-26 22:29 . 2009-08-26 22:29 -------- d-----w- c:\program files\Electronic Arts
2009-08-26 21:16 . 2009-08-30 06:05 -------- d-----w- c:\program files\Lavasoft
2009-08-26 21:16 . 2009-08-26 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-20 01:57 . 2009-08-20 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-18 22:15 . 2009-08-18 22:21 -------- d-----w- c:\program files\IDoser v4
2009-08-15 07:12 . 2009-08-15 07:12 -------- d-----w- c:\program files\JAP
2009-08-14 01:04 . 2009-08-15 05:37 45344 ----a-w- c:\windows\system32\drivers\tnpfb81.sys
2009-08-14 01:04 . 2009-08-14 01:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-12 10:49 . 2009-06-12 12:31 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe
2009-08-12 10:49 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe
2009-08-12 10:49 . 2009-06-10 06:14 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll
2009-08-12 10:48 . 2009-06-10 14:13 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-08-12 10:48 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll
2009-08-12 10:48 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-12 10:38 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 20:28 . 2009-03-21 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-01 02:03 . 2008-11-21 22:54 -------- d-----w- c:\documents and settings\Customer\Application Data\LimeWire
2009-08-31 20:35 . 2008-05-03 00:28 -------- d-----w- c:\documents and settings\Customer\Application Data\uTorrent
2009-08-31 20:35 . 2009-04-29 01:03 -------- d-----w- c:\program files\World of Warcraft
2009-08-31 04:20 . 2008-11-20 05:05 -------- d-----w- c:\program files\Defraggler
2009-08-29 02:33 . 2009-05-15 18:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-18 22:33 . 2008-04-04 04:22 -------- d-----w- c:\program files\LimeWire
2009-08-15 07:09 . 2009-06-09 22:13 -------- d-----w- c:\documents and settings\Customer\Application Data\Mumble
2009-08-14 01:07 . 2008-11-20 04:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2004-08-12 06:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 23:41 . 2009-08-03 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-03 18:36 . 2008-11-20 04:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2008-11-20 04:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 06:57 . 2009-08-03 05:53 -------- d-----w- c:\documents and settings\Customer\Application Data\Music Editor Free
2009-08-03 06:39 . 2009-08-03 05:47 -------- d-----w- c:\program files\NOS
2009-08-03 05:53 . 2009-08-03 05:53 -------- d-----w- c:\program files\Music Editor Free
2009-08-03 01:22 . 2009-08-03 01:22 -------- d-----w- c:\documents and settings\Customer\Application Data\Nero
2009-08-03 01:21 . 2009-08-03 01:21 -------- d-----w- c:\program files\Common Files\Nero
2009-08-03 01:21 . 2009-03-06 23:21 -------- d-----w- c:\program files\Nero
2009-08-03 01:21 . 2009-08-03 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-07-31 08:46 . 2009-07-31 08:46 -------- d-----w- c:\documents and settings\Guest\Application Data\SteelSeries
2009-07-31 02:04 . 2009-07-30 22:13 25 ----a-w- c:\windows\popcinfot.dat
2009-07-30 22:12 . 2009-07-30 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-07-30 22:12 . 2009-07-30 08:04 -------- d-----w- c:\program files\PopCap Games
2009-07-30 06:54 . 2009-07-30 06:54 -------- d-----w- c:\program files\iTunes
2009-07-30 06:54 . 2009-07-30 06:54 -------- d-----w- c:\program files\iPod
2009-07-30 06:54 . 2008-04-03 23:32 -------- d-----w- c:\program files\Common Files\Apple
2009-07-30 06:19 . 2009-07-30 06:19 -------- d-----w- c:\documents and settings\Customer\Application Data\SteelSeries
2009-07-30 06:19 . 2009-07-30 06:19 -------- d-----w- c:\program files\SteelSeries
2009-07-30 06:19 . 2008-04-02 19:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-19 20:03 . 2009-07-19 20:03 -------- d-----w- c:\program files\EVGA Precision
2009-07-19 10:20 . 2009-07-19 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark
2009-07-19 09:44 . 2008-04-04 06:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-19 09:08 . 2009-05-01 22:52 -------- d-----w- c:\program files\Pando Networks
2009-07-19 02:32 . 2009-07-19 02:32 -------- d-----w- c:\program files\Alex Feinman
2009-07-17 19:01 . 2004-08-12 06:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 09:32 . 2009-05-21 06:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-13 15:08 . 2004-08-12 06:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 20:59 . 2009-06-17 20:23 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-10 21:21 . 2009-07-09 19:20 -------- d-----w- c:\program files\World of Warcraft Public Test
2009-07-09 19:40 . 2009-05-01 22:54 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-03 17:09 . 2007-04-24 19:05 915456 ------w- c:\windows\system32\wininet.dll
2009-06-21 13:46 . 2008-04-02 19:11 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-16 14:36 . 2007-04-24 19:05 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2007-04-24 19:03 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-12 06:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-05-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-04-03 08:56 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-12 06:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:28 . 2009-06-10 13:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 13:28 . 2009-06-10 13:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 13:28 . 2009-06-10 13:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 13:28 . 2009-06-10 13:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 13:28 . 2009-06-10 13:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 13:28 . 2009-06-10 13:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 13:28 . 2009-06-10 13:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 11:03 . 2009-06-10 11:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 11:03 . 2009-06-10 11:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 11:03 . 2009-03-27 15:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 11:03 . 2008-12-25 16:08 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 11:03 . 2008-12-25 16:08 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 11:03 . 2008-12-25 16:08 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 11:03 . 2008-12-25 16:08 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 11:03 . 2008-12-25 16:08 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 11:03 . 2008-04-02 19:45 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-10 11:03 . 2007-12-07 05:51 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 11:03 . 2007-12-07 05:51 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-10 06:14 . 2007-04-24 19:05 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 16:42 . 2009-03-14 19:00 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 16:42 . 2008-10-25 19:48 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2004-08-12 06:00 . 2008-07-18 07:52 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.
------- Sigcheck -------

[7] 2004-08-12 06:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-11-18 00:50 507904 3969440BA384D35317DBBDEEAAE641CE c:\windows\system32\winlogon.exe

[-] 2007-04-24 19:05 295424 C29A5286E64D97385178452D5F307B98 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-11-18 00:50 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-03_02.33.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 03:01 . 2009-09-03 03:01 16384 c:\windows\temp\Perflib_Perfdata_750.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-30 1935360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"EVGAPrecision"="c:\program files\EVGA Precision\EVGAPrecision.exe" [2009-04-28 298000]
"SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-05-13 414720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\joelonion\\counter-strike\\hl.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\joelonion\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.3.9183-to-3.0.8.9464-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Documents and Settings\\Customer\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/2/2009 6:16 PM 108289]
R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [7/30/2009 1:19 AM 11136]
R3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [4/3/2008 5:39 PM 45440]
S2 gupdate1c9aa6717e65336;Google Update Service (gupdate1c9aa6717e65336);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2009 3:53 PM 133104]
S3 JmtFltr;n52te;c:\windows\system32\Drivers\JmtFltr.sys --> c:\windows\system32\Drivers\JmtFltr.sys [?]
S3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [12/4/2008 10:36 PM 12032]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [4/3/2008 5:33 PM 19020]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;
S3 vhack;vhack;\??\c:\docume~1\Customer\LOCALS~1\Temp\Rar$EX25.2579\vhack.sys --> c:\docume~1\Customer\LOCALS~1\Temp\Rar$EX25.2579\vhack.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - RTCORE32
*Deregistered* - RTCore32

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-09-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-21 20:51]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-21 20:53]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-21 20:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.curse.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
DPF: {7D4733C0-C43B-4A81-AF43-F9B20D1F8348} - hxxp://www.octoshape.com/files/octosetupGotFrag.cab
DPF: {B8A48F42-30E1-48f8-AE87-7BD7C75DB8AA} - hxxp://www.srtest.com/srl_bin/sysreqlab_test.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Customer\Application Data\Mozilla\Firefox\Profiles\lx4hbh99.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 22:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-1202660629-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-484763869-1202660629-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:4c,77,61,19,2a,84,09,02,a9,ac,0b,91,31,61,c5,0a,60,69,6b,57,8a,
   4e,74,6a,08,10,98,6e,44,f3,19,27,49,2a,d6,87,55,12,92,35,8d,00,ed,63,fe,74,\
"rkeysecu"=hex:6f,c1,8d,4f,4c,7c,a4,72,e4,e6,0b,91,d2,83,44,ef

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
Denied: (A 2) (Everyone)
="FlashBroker"
"LocalizedString"="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
Denied: (A 2) (Everyone)
="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
.
**************************************************************************
.
Completion time: 2009-09-03 22:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-03 03:03
ComboFix2.txt 2009-09-03 02:35

Pre-Run: 127,085,703,168 bytes free
Post-Run: 127,048,708,096 bytes free

312 --- E O F --- 2009-09-02 20:28

There ya go.

Save the attached file to your desktop. Unzip it and place the beep.sys file in your Drivers folder.

C:\WINDOWS\system32\drivers <- Place it in this folder.

Let me know how the computer is running now.

[attachment deleted by admin]

no more redirects, gonna check safe mode.

Safe mode is working, but it's still asking me if i want to load, or press cancel to stop loading SPTD.sys... not sure what that is. Web pages are pulling up significantly faster.. Any advice for keeping protected against that stuff in the future?

P.S.
I live in Oklahoma too, in Shattuck, northwest panhandle
Quote from: onion on September 02, 2009, 09:16:46 PM
Safe mode is working, but it's still asking me if I want to load, or press cancel to stop loading SPTD.sys... not sure what that is.
See here: http://www.bleepingcomputer.com/startups/sptd.sys-13477.html
Quote
Any advice for keeping protected against that stuff in the future?
We'll get to that at the end.
Quote
P.S. I live in Oklahoma too, in Shattuck, northwest panhandle
Other side of the state...
Let's clean up a little and then check to see if we missed anything.
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
----------
Double click OTL
* Click the CleanUp! button.
* Select Yes when the "Begin cleanup Process?" prompt appears.
* If you are prompted to Reboot during the cleanup, select Yes
* The tool will delete itself once it finishes.
----------
Clean out your temporary internet files and temp files.
Download TFC by OldTimer to your desktop.
Double-click TFC.exe to run it. Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
----------
Use the Kaspersky Lab Online Scanner
In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report: Click on: Save Report As
Copy and paste the Kaspersky Online Scanner Report in your next reply.
Note for Internet Explorer 7 and 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%. If needed, this animation will guide you through the process.
Updating the Kaspersky online thing right now, but I got college in the morning at 8:00 so I gotta hit the sack, thanks man. I'll post the scan log tomorrow around 4pm. Again, THANK YOU.
No problem. I'll be signing off soon also.
Kaspersky didn't find a single thing.
Sounds like we nailed it then. Good job! Time to finish up.
Use the Secunia Software Inspector to check for out of date software.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
Quote from: evilfantasy on September 02, 2009, 07:13:30 PM
Please don't ask for malicious links to be posted.
I'm sorry, I just wanted to know what the redirects said. You're doing a good job, evil.
Too many people click first and think second so it's risky. If they are needed to be posted then have them disable the links by adding xx into the http. > hxxp |
|
| 467. |
Solve : Blue screen problem- not what you think? |
|
Answer» I'm not great with computers so here it is... |
|
| 468. |
Solve : SUPERAntiSpyware Pro Giveaway? |
|
Answer» I have one free SUPERAntiSpyware Professional Edition Lifetime Key to give away. |
|
| 469. |
Solve : TotalSecure and hijacked desktop? |
|
Answer» You are most welcome..... If you're sure that your computer has been cleaned you will need to reset your System Restore point to ensure that you don't become re-infected again. |
|
| 470. |
Solve : Hijack this - need a little help? |
|
Answer» I went through all the processes for removing malware, etc. The HijackThis analyzer wanted me to remove the "no value strings" in internet explorer (R0) but when I tried they just stayed there. I can not log in to any sites. I can go online and do anything else but when I try to log in to sites I get "internet explorer can not display"...
Is your system clock correct?
I just corrected the system clock, but I still have all the same "symptoms".
Wait for an expert to advise further.
I finally managed to clear all the Windows Live add ons in internet explorer and deleted live search and this corrected the problems. It doesn't make sense to me since some of the problems didn't even require the browser.... |
|
| 471. |
Solve : RootKits..? |
|
Answer» Could it have something to do with the script that smeezekitty posted Here? He asked BC to see what that script does, I thought I'd try too...but I only previewed it there in that topic, nothing happened, I didn't try it here.....I don't think it can be that though
Quote from: Ivy on September 01, 2009, 10:05:00 PM
Why did it look like that???
Not sure. You must have a Chinese version of Windows. But, No rootkits found! is a good thing. HackTool.BVP - Is this from AVG? If so then it should have been removed unless you denied it from being fixed.
I removed HackTool.BVP already, and no I don't have a Chinese version of Windows lol.....did you read the smeezykitty script. Hey Evil, thank you for helping, you're always awesome, thank you so much!
You're welcome. Safe surfing Queen... |
|
| 472. |
Solve : Computer slowdown with Norton 2009 and SP2? |
|
Answer» Here's the problem- our only computer that is online is old and slow, but when we installed Norton 2009 that came with our NetZero dial up software, and SP 2, our PC is way slower than it used to be. Specs- |
|
| 473. |
Solve : Suspected Virus on Computer 1? |
|
Answer» This is a new thread so there is no confusion as suggested. |
|
| 474. |
Solve : No sound recording on computer 2? |
|
Answer» This is a new thread to avoid confusion. |
|
| 475. |
Solve : HELP FOR PITIES SAKE HELP? |
|
Answer» IM GOING OFF THE CHAIN WITH THIS AND I THINK I WILL THROW IT AT A WALL. |
|
| 476. |
Solve : Total Security? |
|
Answer» Here's the mbam log: |
|
| 477. |
Solve : Re: Kaspersky? |
|
Answer» I use Kaspersky...I can find the virus vault in my directory.. But Kaspersky couldn't detect...
Annie, what are you trying to tell us?
Kaspersky also has a virus vault but it's not open to all. If Kaspersky can't find the virus another antivirus found, let Kaspersky know |
|
| 478. |
Solve : parents computer having issues...please help!? |
|
Answer» My parents' computer is a little older, but it is running very slowly, and it is doing some bizarre things. Often times when trying to go to a website (such as the superantispyware site), it re-directs to a completely different site.
Try renaming the programs to something else......sniper.exe or boom.exe
I tried renaming all of those programs, but no result.
Create a new user account and try running the program again |
|
| 479. |
Solve : Lurking problem? |
|
Answer» Great Keith ....... sorry about the distraction........I think you can see here http://www.voip-sol.com/10-skype-alternatives/ |
|
| 480. |
Solve : Help with suspected virus at work - job under threat? |
|
Answer» Hi I am a newbie and desperately looking for help! Does anyone know of whether a virus would do this, though?
Possibly.
Quote from: tvgirl on August 28, 2009, 07:24:24 AM
Are there any well known types that do this sort of thing? I'm afraid I don't really know the difference between a worm or a trojan or a virus, so I am using the word 'virus' to mean anything malicious.
You can call it malware (malicious software).
Quote from: tvgirl on August 28, 2009, 07:24:24 AM
If there is something that can do this, how would it have got onto his computer?
Many factors. It can be transmitted via network, USB flash drives, dirty websites, download of infected email attachments, download of pirated software, clicking on links to web pages, accepting file transfers, etc. |
|
| 481. |
Solve : Infected by extremley nasty malware, can't even run HijackThis, please help? |
|
Answer» I got infected by a nasty malware while surfing a news forum. It rebooted my computer (XP SP2). Now my situation is: |
|
| 482. |
Solve : Are my files gone forever?- was this a virus?? |
|
Answer» An external hard drive containing 76GB of photos has been running on my laptop for two days. I noticed that when I tried to save to it, a popup said it was unable to save to the F: drive. So I went to My Computer and opened the drive by right click and Explore, but there is nothing in there apart from an autorun folder which I don't recall being there before. I'm obviously shocked at the notion that ten years of work and family photos are missing, but I'm afraid to unplug or power off the system or external HDD in case I do permanent damage. Also, when in My Computer I right click on the HDD and select Properties, the hard drive has 76GB used space. Please Help
Is there something wrong with your original topic? |
|
| 483. |
Solve : Security Center says anti-virus protection is turned off..? |
|
Answer» but the AVG icon is in the tray and I'm actually running antivirus as we speak. I may have picked up malware last night. Anybody can help? |
|
| 484. |
Solve : explorer.exe keeps restarting? |
|
Answer» Can anyone help please?
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
That's what we like to see! Nothing jumps out at me. Can you run through the steps here, and repost the three logs? (MBAM, Super Anti-Spyware, and a fresh HijackThis after that).
Ok, it went away for a couple of days; now either I got another virus or it came back! I'll follow the instructions in your post. |
|
| 485. |
Solve : When putting in my new Norton Internet security 2009? |
|
Answer» I put my new Norton in late last night, early morning. I don't remember the exact words but something came up about me not being certified, do I want to go on, yes or no. There was also a spot to click on to find out what this was. I did, and I clicked on something which ended up I got Verisign. I don't know what this is, do I need this and how do I get rid of this?
Verisign is a trusted provider of Internet infrastructure services |
|
| 486. |
Solve : Is driveguard.exe actually a virus?? |
|
Answer» Hi.. |
|
| 487. |
Solve : HELP! Computer crashed, won't start even in safe modeat? |
|
Answer» I'm writing from my husband's laptop because my desktop is completely dead. |
|
| 488. |
Solve : Re: spyware/virus problem. can't access C: drive, can't open certain programs? |
|
Answer» Had a very similar problem, here's the log that I got after running ComboFix
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. |
|
| 489. |
Solve : HijackThis.exe not showing up Trend Micro folder so I can rename it to sniper? |
|
Answer» You may recognize the instructions below from your malware preparation bulletin. and a HijackThis icon which opens the program when you double-click it. That's what you need to rename.
OK, I changed the icon name to sniper.exe and put it on the desktop. Once again, currently, the main problem is that I get the following error message when I log on to my user account: "Error Loading dll32 The specified module could not be found". And then I cannot open my Firefox browser. I get this error message: "Proxy Server Refused Connection. Firefox is configured to use a proxy server that is refusing connections." (I'm assuming the dll32 file has something to do with that). I even tried inserting my Windows XP disc to have that file repaired but it did not seem to work. I have to switch user accounts so that I can get on the internet. Here are the logs: (I've also included an AVG report at the end to show you what it detected)
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32 HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL HKU\S-1-5-21-1960408961-448539723-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} HKU\S-1-5-21-1960408961-448539723-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} HKU\S-1-5-21-1960408961-448539723-725345543-1006\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D} Adware.MyWebSearch/FunWebProducts HKU\S-1-5-21-1960408961-448539723-725345543-1006\SOFTWARE\MyWebSearch HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA} HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Control HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32 HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus\1 HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\ProgID HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Programmable HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\TypeLib HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Version HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\VersionIndependentProgID HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Implemented Categories HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Implemented Categories\{00021493-0000-0000-C000-000000000046} HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\InprocServer32 HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\InprocServer32#ThreadingModel HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance#CLSID HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance\InitPropertyBag 
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance\InitPropertyBag#Url HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5} HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\InprocServer32 HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\InprocServer32#ThreadingModel HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\ProgID HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\Programmable HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\TypeLib HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\VersionIndependentProgID HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9} HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Control HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32 HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32#ThreadingModel HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus\1 HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Version HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9} HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Control HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32 HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32#ThreadingModel HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus\1 HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\ProgID HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Version HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\VersionIndependentProgID HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9} HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Control HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32 
HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32#ThreadingModel HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus\1 HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Version HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179} HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs HKCR\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC} HKCR\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\InprocServer32 HKCR\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\InprocServer32#ThreadingModel HKCR\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\ProgID HKCR\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\Programmable HKCR\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\VersionIndependentProgID HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E} HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0 HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0 HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32 HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32 HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE#NextInstance HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Service HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Legacy 
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ConfigFlags HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Class HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ClassGUID HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#DeviceDesc HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#Type HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#Start HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ErrorControl HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ImagePath HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#DisplayName HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ObjectName HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Security HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Security#Security HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum#0 HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum#Count HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum#NextInstance Adware.Tracking Cookie www3.addfreestats.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .videoegg.adbureau.net [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .imrworldwide.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .imrworldwide.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] www.burstbeacon.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] tracker.mediatracker.co.nz [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] 
.roiservice.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .gaiainteractive.112.2o7.net [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] server.cpmstar.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .stats.adbrite.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .interclick.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .interclick.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .interclick.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .insightexpressai.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .insightexpressai.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .insightexpressai.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .insightexpressai.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .insightexpressai.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .earthlinkfinder.net [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .specificclick.net [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .specificclick.net [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .specificclick.net [ C:\Documents and Settings\David\Application 
Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .specificclick.net [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .specificclick.net [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .specificclick.net [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .aaotracker.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .aaotracker.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .adlegend.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .adlegend.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .atwola.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] www8.addfreestats.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] www7.addfreestats.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] ads.gamesbannernet.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] ads.gamesbannernet.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .apmebf.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .nextag.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .nextag.com [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .collective-media.net [ C:\Documents and Settings\David\Application 
Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] .collective-media.net [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\3ju4bzep.default\cookies.txt ] C:\Documents and Settings\David\Cookies\[email protected][1].txt C:\Documents and Settings\Leanne\Cookies\[email protected][1].txt C:\Documents and Settings\user pc\Cookies\user [email protected][1].txt C:\Documents and Settings\user pc\Cookies\user [email protected][2].txt C:\Documents and Settings\user pc\Cookies\user [email protected][1].txt C:\Documents and Settings\user pc\Cookies\user [email protected][1].txt C:\Documents and Settings\user pc\Cookies\user [email protected][2].txt C:\Documents and Settings\user pc\Cookies\user [email protected][1].txt C:\Documents and Settings\user pc\Cookies\user [email protected][2].txt C:\Documents and Settings\user pc\Cookies\user [email protected][2].txt C:\Documents and Settings\user pc\Cookies\user [email protected][1].txt C:\Documents and Settings\user pc\Cookies\user [email protected][1].txt C:\Documents and Settings\user pc\Cookies\user [email protected][1].txt C:\Documents and Settings\user pc\Cookies\user [email protected][1].txt C:\Documents and Settings\user pc\Cookies\user [email protected][1].txt Malwarebytes' Anti-Malware 1.34 Database version: 1866 Windows 5.1.2600 Service Pack 3 3/18/2009 6:58:30 PM mbam-log-2009-03-18 (18-58-30).txt Scan type: Quick Scan Objects scanned: 93990 Time elapsed: 10 minute(s), 3 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 27 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Delete on reboot. 
HKEY_CLASSES_ROOT\CLSID\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (Adware.MyWebSearch) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{53ced2d0-5e9a-4761-9005-648404e6f7e5} (Adware.MyWebSearch) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{7473d292-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{7473d296-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{adb01e81-3c79-4272-a0f1-7b2be7a782dc} (Adware.MyWebSearch) -> Delete on reboot. HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:15:54 PM, on 3/18/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Creative\Shared Files\CTDevSrv.exe C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\wanmpsvc.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\Tablet.exe C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\iPod\bin\iPodService.exe 
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Trend Micro\HijackThis\Sniper.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeFireTray] C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1960408961-448539723-725345543-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'user pc')
O4 - HKUS\S-1-5-21-1960408961-448539723-725345543-1003\..\Run: [dll] rundll32 dll32,sm (User 'user pc')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175397160937
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9028 bytes

AVG Anti-Virus free edition "scan whole computer" report: 8.0.238
"C:\Documents and Settings\user pc\Local Settings\Temp\tt_1237291175.exe";"Trojan horse SHeur2.WHB";"Moved to Virus Vault"
"C:\Documents and Settings\user pc\Local Settings\Temp\tt_1237294987.exe";"Trojan horse SHeur2.WHB";"Moved to Virus Vault"
"C:\Documents and Settings\user pc\Local Settings\Temp\wJQs.exe";"Trojan horse SHeur2.QVU";"Moved to Virus Vault"
"C:\windows\ld02.exe";"Trojan horse SHeur2.WGW";"Moved to Virus Vault"
"C:\windows\pp03.exe";"Trojan horse SHeur2.WHP";"Moved to Virus Vault"
"C:\windows\pp03.exe";"Trojan horse SHeur2.WHP";"Moved to Virus Vault"
"C:\WINDOWS\pp03.exe";"Trojan horse SHeur2.WHP";"Moved to Virus Vault"
"C:\WINDOWS\pp03.exe (172)";"Trojan horse SHeur2.WHP";"Reboot is required to finish the action"
"C:\WINDOWS\system32\dll32.dll";"Trojan horse Pakes.CTG";"Moved to Virus Vault"
"C:\WINDOWS\system32\dll32.dll";"Trojan horse Pakes.CTG";"Infected"
"C:\WINDOWS\system32\rundll32.exe (208)";"Trojan horse Pakes.CTG";"Reboot is required to finish the action"

Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there)

Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

For some reason, I am unable to disable the Anti-Virus and Anti-Spyware components of the AVG free edition. There's nothing to uncheck.

Just right click the AVG tray icon and choose to stop or exit. Run ComboFix and if anything tries to stop it from running then just allow it instead of blocking it.

ComboFix 09-03-18.01 - Becky 2009-03-19 0:49:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1182 [GMT -4:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning ENABLED* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Documents\notepad.exe
c:\documents and settings\Becky\Desktop\notepad.exe
c:\documents and settings\user pc\Desktop\notepad.exe
c:\documents and settings\user pc\Desktop\Shared\b.bking\desktop_.ini
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\mdm.exe
.
((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.
2009-03-18 19:09 . 2009-03-18 19:09 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-18 18:42 . 2009-03-18 18:42 d-------- c:\documents and settings\Becky\Application Data\Malwarebytes
2009-03-18 18:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-18 18:41 . 2009-03-18 18:42 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-18 18:41 . 2009-03-18 18:41 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-18 18:41 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 15:11 . 2009-03-18 15:11 d-------- c:\program files\SUPERAntiSpyware
2009-03-18 15:11 . 2009-03-18 15:11 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-18 15:11 . 2009-03-18 15:11 d-------- c:\documents and settings\Becky\Application Data\SUPERAntiSpyware.com
2009-03-18 15:04 . 2009-03-18 15:04 d-------- c:\program files\CCleaner
2009-03-17 16:44 . 2009-03-17 16:44 d--hs---- C:\found.000
2009-03-17 15:50 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-17 15:50 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2009-03-17 15:50 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2009-03-17 15:50 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-17 15:50 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2009-03-17 15:50 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-03-17 15:50 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2009-03-17 15:50 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2009-03-17 15:50 . 2008-04-13 14:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys
2009-03-17 15:50 . 2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-03-17 15:50 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2009-03-17 15:48 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2009-03-17 15:47 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2009-03-17 15:46 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2009-03-17 15:45 . 2001-08-17 12:50 198,144 --a--c--- c:\windows\system32\dllcache\nv3.sys
2009-03-17 15:44 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2009-03-17 15:43 . 2008-04-13 20:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll
2009-03-17 15:42 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-03-17 15:41 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2009-03-17 15:40 . 2001-08-17 12:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2009-03-17 15:33 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2009-03-17 15:32 . 2001-08-17 14:55 382,592 --a--c--- c:\windows\system32\dllcache\atidrab.dll
2009-03-17 15:31 . 2001-08-17 12:19 747,392 --a--c--- c:\windows\system32\dllcache\adm8830.sys
2009-03-17 15:30 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2009-03-17 15:30 . 2001-08-17 14:55 689,216 --a--c--- c:\windows\system32\dllcache\3dfxvs.dll
2009-03-17 15:30 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2009-03-17 15:30 . 2008-04-13 14:46 53,376 --a--c--- c:\windows\system32\dllcache\1394bus.sys
2009-03-17 15:30 . 2001-08-17 14:06 11,264 --a--c--- c:\windows\system32\dllcache\1394vdbg.sys
2009-03-17 00:05 . 2009-03-17 00:05 0 --a------ c:\windows\system32\nfr.gpref
2009-03-17 00:05 . 2009-03-17 00:05 0 --a------ c:\windows\system32\nfr.assembly
2009-03-16 23:50 . 2009-03-16 23:50 1 --a------ c:\windows\9g234sdfdfgjf23
2009-03-16 22:24 . 2009-03-16 22:24 2 ---h----- c:\windows\t55ft2807f44.dat
2009-03-11 21:16 . 2009-03-11 21:16 d-------- c:\documents and settings\David\Application Data\AVGTOOLBAR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 04:11 --------- d-----w c:\documents and settings\user pc\Application Data\WTablet
2009-03-18 23:12 --------- d-----w c:\program files\Java
2009-03-18 19:00 --------- d-----w c:\program files\Lavasoft
2009-03-18 19:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-17 16:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-17 09:26 --------- d-----w c:\documents and settings\user pc\Application Data\uTorrent
2009-03-15 21:35 138,624 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-15 21:34 202,352 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-15 04:15 --------- d-----w c:\documents and settings\user pc\Application Data\DVD Flick
2009-03-15 01:38 --------- d-----w c:\documents and settings\user pc\Application Data\dvdcss
2009-03-07 17:20 --------- d-----w c:\program files\Ahead
2009-02-26 18:41 --------- d-----w c:\documents and settings\user pc\Application Data\ZoomBrowser EX
2009-02-26 18:41 --------- d-----w c:\documents and settings\user pc\Application Data\CameraWindowDC
2009-02-25 15:41 --------- d-----w c:\documents and settings\user pc\Application Data\AVGTOOLBAR
2009-02-12 16:12 --------- d-----w c:\program files\Google
2009-02-11 02:24 34 ----a-w c:\documents and settings\user pc\jagex_runescape_preferences.dat
2009-02-10 04:35 --------- d-----w c:\documents and settings\Leanne\Application Data\AVGTOOLBAR
2009-02-10 04:19 --------- d-----w c:\documents and settings\Leanne\Application Data\vlc
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 03:08 --------- d-----w c:\documents and settings\Leanne\Application Data\Apple Computer
2009-02-09 02:56 --------- d-----w c:\documents and settings\Leanne\Application Data\WTablet
2009-02-09 02:56 --------- d-----w c:\documents and settings\Leanne\Application Data\Network Associates
2009-02-09 02:42 --------- d-----w c:\documents and settings\Becky\Application Data\AVGTOOLBAR
2009-02-09 02:38 --------- d-----w c:\documents and settings\Becky\Application Data\vlc
2009-02-05 18:37 --------- d-----w c:\documents and settings\user pc\Application Data\vlc
2009-02-05 18:16 --------- d-----w c:\program files\VideoLAN
2009-02-03 19:16 --------- d-----w c:\program files\Improvisation
2009-01-27 15:56 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-27 15:56 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-27 15:55 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-25 05:54 --------- d-----w c:\documents and settings\user pc\Application Data\Any VIDEO Converter
2009-01-24 22:06 --------- d-----w c:\program files\AVG
2009-01-24 21:59 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-24 21:59 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-01-24 20:56 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-09-27 02:22 24 ----a-w c:\documents and settings\David\jagex_runescape_preferences.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-31 180269]
"McAfeeFireTray"="c:\progra~1\NETWOR~1\MCAFEE~1\Firetray.exe" [2005-04-12 655420]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-27 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-18 148888]
"NvMediaCenter"="NvMCTray.dll" [2008-05-03 c:\windows\system32\nvmctray.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-27 11:56 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTZDetec.exe]
--a------ 2007-12-18 15:20 401408 c:\documents and settings\user pc\Desktop\David\Creative Media Lite\CTZDetec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-04 19:00 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-03 06:46 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:dll32
"7171:TCP"= 7171:TCP:dll32

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-24 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-24 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-24 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-24 298264]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-03-17 c:\windows\Tasks\Uniblue SpyEraser Nag.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

2007-09-04 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
MSConfigStartUp-DT Task - c:\program files\Gateway\EzTune\DTHtml.exe
MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\v0zlm1jn.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 00:52:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\InprocServer32]
DACL=(02 0000)
="c:\\Program Files\\MyWebSearch\\SrchAstt\\1.bin\\MWSSRCAS.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\Programmable]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32]
DACL=(02 0000)
="c:\\Program Files\\MyWebSearch\\bar\\1.bin\\MWSBAR.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Control]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32]
DACL=(02 0000)
="c:\\Program Files\\MyWebSearch\\bar\\1.bin\\MWSBAR.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus]
DACL=(02 0000)
="0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\ProgID]
DACL=(02 0000)
="MyWebSearchToolBar.SettingsPlugin.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Programmable]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\TypeLib]
DACL=(02 0000)
="{07B18EA0-A523-4961-B6BB-170DE4475CCA}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Version]
DACL=(02 0000)
="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\VersionIndependentProgID]
DACL=(02 0000)
="MyWebSearchToolBar.SettingsPlugin"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Implemented Categories]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\InprocServer32]
DACL=(02 0000)
="c:\\WINDOWS\\system32\\shdocvw.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance]
DACL=(02 0000)
"CLSID"="{4D5C8C2A-D075-11d0-B416-00C04FB90376}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\InprocServer32]
DACL=(02 0000)
="c:\\Program Files\\MyWebSearch\\bar\\1.bin\\MWSBAR.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\ProgID]
DACL=(02 0000)
="MyWebSearchToolBar.ToolbarPlugin.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\Programmable]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\TypeLib]
DACL=(02 0000)
="{07B18EA0-A523-4961-B6BB-170DE4475CCA}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\VersionIndependentProgID]
DACL=(02 0000)
="MyWebSearchToolBar.ToolbarPlugin"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Control]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32]
DACL=(02 0000)
="c:\\Program Files\\MyWebSearch\\bar\\1.bin\\M3SKIN.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus]
DACL=(02 0000)
="0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib]
DACL=(02 0000)
="{7473D290-B7BB-4f24-AE82-7E2CE94BB6A9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Version]
DACL=(02 0000)
="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Control]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32]
DACL=(02 0000)
="c:\\Program Files\\MyWebSearch\\bar\\1.bin\\M3SKIN.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus]
DACL=(02 0000)
="0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\ProgID]
DACL=(02 0000)
="MyWebSearch.PseudoTransparentPlugin.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib]
DACL=(02 0000)
="{7473D290-B7BB-4f24-AE82-7E2CE94BB6A9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Version]
DACL=(02 0000)
="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\VersionIndependentProgID]
DACL=(02 0000)
="MyWebSearch.PseudoTransparentPlugin"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Control]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32]
DACL=(02 0000)
="c:\\Program Files\\MyWebSearch\\bar\\1.bin\\M3SKIN.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus]
DACL=(02 0000)
="0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib]
DACL=(02 0000)
="{7473D290-B7BB-4f24-AE82-7E2CE94BB6A9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Version]
DACL=(02 0000)
="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs]
DACL=(02 0000)
="{A9571378-68A1-443d-B082-284F960C6D17}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\InprocServer32]
DACL=(02 0000)
="c:\\Program Files\\MyWebSearch\\bar\\1.bin\\M3OUTLCN.DLL"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\ProgID]
DACL=(02 0000)
="MyWebSearch.OutlookAddin.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\Programmable]
DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\VersionIndependentProgID]
DACL=(02 0000)
="MyWebSearch.OutlookAddin"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid]
DACL=(02 0000)
="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32]
DACL=(02 0000)
="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib]
DACL=(02 0000)
="{D518921A-4A03-425E-9873-B9A71756821E}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0]
DACL=(02 0000)
="HtmldocPlugin 1.0 Type Library"

[HKEY_LOCAL_MACHINE\software\PortraitDisplays\DisplayTune\MGJ74D0C06550]
DACL=(02 0000)
"Analog 0.700,0.300Caps"="vcp(02 04 05 06 08 0E 10 12 14(01 05 08 0B) 16 18 1A 1E 20 30 3E 52 60(01 03) 68 AC AE B2 B6 C0 C6 C8 C9 CA D6(01 04) DF FA FB FC FD FE AA(01 04)) vcp_p2(37 38 39 3B) type(LCD) mccs_ver(2.0) asset_eep(64) mpu(0.04)"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_045e&Pid_00f9&MI_01&Col02\7&36e0efb9&0&0001\LogConf]
DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-19 0:54:11
ComboFix-quarantined-files.txt 2009-03-19 04:54:07

Pre-Run: 31,787,245,568 bytes free
Post-Run: 32,360,882,176 bytes free

CURRENT=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
376 --- E O F --- 2009-03-13 22:12:01

I just did a search about the original error I received: "error loading dll32". I saw somebody's response to their browser not being able to access the internet (like my problem). Apparently changed the proxy settings (which I had no idea what that was, but Googled and found how to change them on Firefox). I looked at the proxy settings on an uncorrupted user account and saw how they were set "No Proxy". My corrupted user account was set for manual with a particular port. When I changed it to "No Proxy", voila, internet access.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.

2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::
RegLock::
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\InprocServer32]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\Programmable]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Control]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\ProgID]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Programmable]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\TypeLib]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Version]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\VersionIndependentProgID]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Implemented Categories]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\InprocServer32]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\InprocServer32]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\ProgID]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\Programmable]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\TypeLib]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\VersionIndependentProgID]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Control]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Version]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Control]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\ProgID]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Version] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\VersionIndependentProgID] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Control] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Programmable] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Version] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\InprocServer32] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\ProgID] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\Programmable] [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\VersionIndependentProgID] [-HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid] [-HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32] [-HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib] Folder:: C:\found.000 c:\windows\system32\nfr.gpref c:\windows\system32\nfr.assembly c:\windows\9g234sdfdfgjf23 File:: c:\windows\system32\nfr.assembly C:\found.000 c:\windows\t55ft2807f44.dat Registry:: [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "80:TCP"=- "7171:TCP"=- 3. Go to the Notepad window and click Edit > Paste 4. Then click File > Save 5. 
Name the file CFScript.txt - Save the file to your Desktop 6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply. Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze ComboFix 09-03-18.01 - Becky 2009-03-19 11:37:10.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1092 [GMT -4:00] Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Becky\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) * Created a new restore point FILE :: C:\found.000 c:\windows\system32\nfr.assembly c:\windows\t55ft2807f44.dat . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Becky\Desktop\notepad.exe C:\found.000 c:\found.000\file0000.chk c:\windows\9g234sdfdfgjf23\ c:\windows\system32\nfr.assembly c:\windows\system32\nfr.gpref\ c:\windows\t55ft2807f44.dat . ((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 ))))))))))))))))))))))))))))))) . 2009-03-18 19:09 . 2009-03-18 19:09 410,984 --a------ c:\windows\system32\deploytk.dll 2009-03-18 18:42 . 2009-03-18 18:42 d-------- c:\documents and settings\Becky\Application Data\Malwarebytes 2009-03-18 18:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-03-18 18:41 . 2009-03-18 18:42 d-------- c:\program files\Malwarebytes' Anti-Malware 2009-03-18 18:41 . 2009-03-18 18:41 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-03-18 18:41 . 
2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 15:11 . 2009-03-18 15:11 d-------- c:\program files\SUPERAntiSpyware
2009-03-18 15:11 . 2009-03-18 15:11 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-18 15:11 . 2009-03-18 15:11 d-------- c:\documents and settings\Becky\Application Data\SUPERAntiSpyware.com
2009-03-18 15:04 . 2009-03-18 15:04 d-------- c:\program files\CCleaner
2009-03-17 15:50 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-17 15:50 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2009-03-17 15:50 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2009-03-17 15:50 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-17 15:50 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2009-03-17 15:50 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-03-17 15:50 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2009-03-17 15:50 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2009-03-17 15:50 . 2008-04-13 14:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys
2009-03-17 15:50 . 2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-03-17 15:50 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2009-03-17 15:48 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2009-03-17 15:47 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2009-03-17 15:46 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2009-03-17 15:45 . 2001-08-17 12:50 198,144 --a--c--- c:\windows\system32\dllcache\nv3.sys
2009-03-17 15:44 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2009-03-17 15:43 . 2008-04-13 20:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll
2009-03-17 15:42 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-03-17 15:41 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2009-03-17 15:40 . 2001-08-17 12:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2009-03-17 15:33 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2009-03-17 15:32 . 2001-08-17 14:55 382,592 --a--c--- c:\windows\system32\dllcache\atidrab.dll
2009-03-17 15:31 . 2001-08-17 12:19 747,392 --a--c--- c:\windows\system32\dllcache\adm8830.sys
2009-03-17 15:30 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2009-03-17 15:30 . 2001-08-17 14:55 689,216 --a--c--- c:\windows\system32\dllcache\3dfxvs.dll
2009-03-17 15:30 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2009-03-17 15:30 . 2008-04-13 14:46 53,376 --a--c--- c:\windows\system32\dllcache\1394bus.sys
2009-03-17 15:30 . 2001-08-17 14:06 11,264 --a--c--- c:\windows\system32\dllcache\1394vdbg.sys
2009-03-17 00:05 . 2009-03-17 00:05 0 --a------ c:\windows\system32\nfr.gpref
2009-03-16 23:50 . 2009-03-16 23:50 1 --a------ c:\windows\9g234sdfdfgjf23
2009-03-11 21:16 . 2009-03-11 21:16 d-------- c:\documents and settings\David\Application Data\AVGTOOLBAR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 15:29 --------- d-----w c:\documents and settings\user pc\Application Data\WTablet
2009-03-18 23:12 --------- d-----w c:\program files\Java
2009-03-18 19:00 --------- d-----w c:\program files\Lavasoft
2009-03-18 19:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-17 16:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-17 09:26 --------- d-----w c:\documents and settings\user pc\Application Data\uTorrent
2009-03-15 21:35 138,624 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-15 04:15 --------- d-----w c:\documents and settings\user pc\Application Data\DVD Flick
2009-03-15 01:38 --------- d-----w c:\documents and settings\user pc\Application Data\dvdcss
2009-03-07 17:20 --------- d-----w c:\program files\Ahead
2009-02-26 18:41 --------- d-----w c:\documents and settings\user pc\Application Data\ZoomBrowser EX
2009-02-26 18:41 --------- d-----w c:\documents and settings\user pc\Application Data\CameraWindowDC
2009-02-25 15:41 --------- d-----w c:\documents and settings\user pc\Application Data\AVGTOOLBAR
2009-02-12 16:12 --------- d-----w c:\program files\Google
2009-02-11 02:24 34 ----a-w c:\documents and settings\user pc\jagex_runescape_preferences.dat
2009-02-10 04:35 --------- d-----w c:\documents and settings\Leanne\Application Data\AVGTOOLBAR
2009-02-10 04:19 --------- d-----w c:\documents and settings\Leanne\Application Data\vlc
2009-02-09 03:08 --------- d-----w c:\documents and settings\Leanne\Application Data\Apple Computer
2009-02-09 02:56 --------- d-----w c:\documents and settings\Leanne\Application Data\WTablet
2009-02-09 02:56 --------- d-----w c:\documents and settings\Leanne\Application Data\Network Associates
2009-02-09 02:42 --------- d-----w c:\documents and settings\Becky\Application Data\AVGTOOLBAR
2009-02-09 02:38 --------- d-----w c:\documents and settings\Becky\Application Data\vlc
2009-02-05 18:37 --------- d-----w c:\documents and settings\user pc\Application Data\vlc
2009-02-05 18:16 --------- d-----w c:\program files\VideoLAN
2009-02-03 19:16 --------- d-----w c:\program files\Improvisation
2009-01-27 15:56 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-27 15:55 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-25 05:54 --------- d-----w c:\documents and settings\user pc\Application Data\Any Video Converter
2009-01-24 22:06 --------- d-----w c:\program files\AVG
2009-01-24 21:59 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-24 21:59 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-01-24 20:56 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-09-27 02:22 24 ----a-w c:\documents and settings\David\jagex_runescape_preferences.dat
.
((((((((((((((((((((((((((((( [email protected]_ 0.53.12.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2002-08-29 12:00:00 6,144 -c--a-w c:\windows\system32\dllcache\admxprox.dll
+ 2004-08-04 01:07:00 6,144 -c--a-w c:\windows\system32\dllcache\admxprox.dll
- 2002-08-29 12:00:00 49,664 -c--a-w c:\windows\system32\dllcache\adrot.dll
+ 2004-08-04 01:07:00 49,664 -c--a-w c:\windows\system32\dllcache\adrot.dll
- 2002-08-29 12:00:00 10,240 -c--a-w c:\windows\system32\dllcache\aspperf.dll
+ 2004-08-04 01:07:00 10,240 -c--a-w c:\windows\system32\dllcache\aspperf.dll
- 2002-08-29 12:00:00 29,184 -c--a-w c:\windows\system32\dllcache\asptxn.dll
+ 2004-08-04 01:07:00 29,184 -c--a-w c:\windows\system32\dllcache\asptxn.dll
- 2002-08-29 12:00:00 9,216 -c--a-w c:\windows\system32\dllcache\authfilt.dll
+ 2004-08-04 01:07:00 9,216 -c--a-w c:\windows\system32\dllcache\authfilt.dll
- 2002-08-29 12:00:00 45,568 -c--a-w c:\windows\system32\dllcache\browscap.dll
+ 2004-08-04 01:07:00 45,568 -c--a-w c:\windows\system32\dllcache\browscap.dll
- 2002-08-29 12:00:00 6,656 -c--a-w c:\windows\system32\dllcache\c_is2022.dll
+ 2004-08-04 01:07:00 6,656 -c--a-w c:\windows\system32\dllcache\c_is2022.dll
- 2002-08-29 12:00:00 10,752 -c--a-w c:\windows\system32\dllcache\c_iscii.dll
+ 2004-08-04 01:07:00 10,752 -c--a-w c:\windows\system32\dllcache\c_iscii.dll
- 2002-08-29 12:00:00 54,528 -c--a-w c:\windows\system32\dllcache\cap7146.sys
+ 2004-08-04 01:07:00 54,528 -c--a-w c:\windows\system32\dllcache\cap7146.sys
- 2002-08-29 12:00:00 9,728 -c--a-w c:\windows\system32\dllcache\change.exe
+ 2004-08-04 01:07:00 9,728 -c--a-w c:\windows\system32\dllcache\change.exe
- 2002-08-29 12:00:00 13,312 -c--a-w c:\windows\system32\dllcache\chglogon.exe
+ 2004-08-04 01:07:00 13,312 -c--a-w c:\windows\system32\dllcache\chglogon.exe
- 2002-08-29 12:00:00 15,872 -c--a-w c:\windows\system32\dllcache\chgport.exe
+ 2004-08-04 01:07:00 15,872 -c--a-w c:\windows\system32\dllcache\chgport.exe
- 2002-08-29 12:00:00 14,336 -c--a-w c:\windows\system32\dllcache\chgusr.exe
+ 2004-08-04 01:07:00 14,336 -c--a-w c:\windows\system32\dllcache\chgusr.exe
- 2002-08-29 12:00:00 1,677,824 -c--a-w c:\windows\system32\dllcache\chsbrkr.dll
+ 2004-08-04 01:07:00 1,677,824 -c--a-w c:\windows\system32\dllcache\chsbrkr.dll
- 2002-08-29 12:00:00 838,144 -c--a-w c:\windows\system32\dllcache\chtbrkr.dll
+ 2004-08-04 01:07:00 838,144 -c--a-w c:\windows\system32\dllcache\chtbrkr.dll
- 2002-08-29 12:00:00 33,792 -c--a-w c:\windows\system32\dllcache\controt.dll
+ 2004-08-04 01:07:00 33,792 -c--a-w c:\windows\system32\dllcache\controt.dll
- 2002-08-29 12:00:00 56,320 -c--a-w c:\windows\system32\dllcache\convlog.exe
+ 2004-08-04 01:07:00 56,320 -c--a-w c:\windows\system32\dllcache\convlog.exe
- 2002-08-29 12:00:00 20,480 -c--a-w c:\windows\system32\dllcache\counters.dll
+ 2004-08-04 01:07:00 20,480 -c--a-w c:\windows\system32\dllcache\counters.dll
- 2002-08-29 12:00:00 18,944 -c--a-w c:\windows\system32\dllcache\cprofile.exe
+ 2004-08-04 01:07:00 18,944 -c--a-w c:\windows\system32\dllcache\cprofile.exe
- 2002-08-29 12:00:00 31,744 -c--a-w c:\windows\system32\dllcache\esucmd.dll
+ 2004-08-04 01:07:00 31,744 -c--a-w c:\windows\system32\dllcache\esucmd.dll
- 2002-08-29 12:00:00 57,856 -c--a-w c:\windows\system32\dllcache\esuimgd.dll
+ 2004-08-04 01:07:00 57,856 -c--a-w c:\windows\system32\dllcache\esuimgd.dll
- 2002-08-29 12:00:00 45,056 -c--a-w c:\windows\system32\dllcache\esunid.dll
+ 2004-08-04 01:07:00 45,056 -c--a-w c:\windows\system32\dllcache\esunid.dll
- 2002-08-29 12:00:00 25,856 -c--a-w c:\windows\system32\dllcache\et4000.sys
+ 2004-08-04 01:07:00 25,856 -c--a-w c:\windows\system32\dllcache\et4000.sys
- 2002-08-29 12:00:00 14,848 -c--a-w c:\windows\system32\dllcache\flattemp.exe
+ 2004-08-04 01:07:00 14,848 -c--a-w c:\windows\system32\dllcache\flattemp.exe
- 2002-08-29 12:00:00 6,144 -c--a-w c:\windows\system32\dllcache\ftlx041e.dll
+ 2004-08-04 01:07:00 6,144 -c--a-w c:\windows\system32\dllcache\ftlx041e.dll
- 2002-08-29 12:00:00 7,680 -c--a-w c:\windows\system32\dllcache\ftpctrs2.dll
+ 2004-08-04 01:07:00 7,680 -c--a-w c:\windows\system32\dllcache\ftpctrs2.dll
- 2002-08-29 12:00:00 6,144 -c--a-w c:\windows\system32\dllcache\ftpsapi2.dll
+ 2004-08-04 01:07:00 6,144 -c--a-w c:\windows\system32\dllcache\ftpsapi2.dll
- 2002-08-29 12:00:00 111,104 -c--a-w c:\windows\system32\dllcache\fxscfgwz.dll
+ 2004-08-04 01:07:00 111,104 -c--a-w c:\windows\system32\dllcache\fxscfgwz.dll
- 2002-08-29 12:00:00 132,608 -c--a-w c:\windows\system32\dllcache\fxsclntr.dll
+ 2004-08-04 01:07:00 132,608 -c--a-w c:\windows\system32\dllcache\fxsclntr.dll
- 2002-08-29 12:00:00 31,744 -c--a-w c:\windows\system32\dllcache\fxsroute.dll
+ 2004-08-04 01:07:00 31,744 -c--a-w c:\windows\system32\dllcache\fxsroute.dll
- 2002-08-29 12:00:00 11,264 -c--a-w c:\windows\system32\dllcache\fxssend.exe
+ 2004-08-04 01:07:00 11,264 -c--a-w c:\windows\system32\dllcache\fxssend.exe
- 2002-08-29 12:00:00 36,864 -c--a-w c:\windows\system32\dllcache\hanjadic.dll
+ 2004-08-04 01:07:00 36,864 -c--a-w c:\windows\system32\dllcache\hanjadic.dll
- 2002-08-29 12:00:00 10,096,640 -c--a-w c:\windows\system32\dllcache\hwxcht.dll
+ 2004-08-04 01:07:00 10,096,640 -c--a-w c:\windows\system32\dllcache\hwxcht.dll
- 2002-08-29 12:00:00 10,129,408 -c--a-w c:\windows\system32\dllcache\hwxkor.dll
+ 2004-08-04 01:07:00 10,129,408 -c--a-w c:\windows\system32\dllcache\hwxkor.dll
- 2002-08-29 12:00:00 60,928 -c--a-w c:\windows\system32\dllcache\iisclex4.dll
+ 2004-08-04 01:07:00 60,928 -c--a-w c:\windows\system32\dllcache\iisclex4.dll
- 2002-08-29 12:00:00 19,456 -c--a-w c:\windows\system32\dllcache\iiscrmap.dll
+ 2004-08-04 01:07:00 19,456 -c--a-w c:\windows\system32\dllcache\iiscrmap.dll
- 2002-08-29 12:00:00 3,584 -c--a-w c:\windows\system32\dllcache\iismui.dll
+ 2004-08-04 01:07:00 3,584 -c--a-w c:\windows\system32\dllcache\iismui.dll
- 2002-08-29 12:00:00 14,336 -c--a-w c:\windows\system32\dllcache\iisreset.exe
+ 2004-08-04 01:07:00 14,336 -c--a-w c:\windows\system32\dllcache\iisreset.exe
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\iisrstap.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\iisrstap.dll
- 2002-08-29 12:00:00 6,656 -c--a-w c:\windows\system32\dllcache\iissync.exe
+ 2004-08-04 01:07:00 6,656 -c--a-w c:\windows\system32\dllcache\iissync.exe
- 2002-08-29 12:00:00 169,984 -c--a-w c:\windows\system32\dllcache\iisui.dll
+ 2004-08-04 01:07:00 169,984 -c--a-w c:\windows\system32\dllcache\iisui.dll
- 2002-08-29 12:00:00 44,032 -c--a-w c:\windows\system32\dllcache\imekrmig.exe
+ 2004-08-04 01:07:00 44,032 -c--a-w c:\windows\system32\dllcache\imekrmig.exe
- 2002-08-29 12:00:00 102,463 -c--a-w c:\windows\system32\dllcache\imepadsm.dll
+ 2004-08-04 01:07:00 102,463 -c--a-w c:\windows\system32\dllcache\imepadsm.dll
- 2002-08-29 12:00:00 311,359 -c--a-w c:\windows\system32\dllcache\imepadsv.exe
+ 2004-08-04 01:07:00 311,359 -c--a-w c:\windows\system32\dllcache\imepadsv.exe
- 2002-08-29 12:00:00 57,398 -c--a-w c:\windows\system32\dllcache\imjpdadm.exe
+ 2004-08-04 01:07:00 57,398 -c--a-w c:\windows\system32\dllcache\imjpdadm.exe
- 2002-08-29 12:00:00 45,109 -c--a-w c:\windows\system32\dllcache\imjpuex.exe
+ 2004-08-04 01:07:00 45,109 -c--a-w c:\windows\system32\dllcache\imjpuex.exe
- 2002-08-29 12:00:00 59,904 -c--a-w c:\windows\system32\dllcache\imkrinst.exe
+ 2004-08-04 01:07:00 59,904 -c--a-w c:\windows\system32\dllcache\imkrinst.exe
- 2002-08-29 12:00:00 471,102 -c--a-w c:\windows\system32\dllcache\imskdic.dll
+ 2004-08-04 01:07:00 471,102 -c--a-w c:\windows\system32\dllcache\imskdic.dll
- 2002-08-29 12:00:00 7,680 -c--a-w c:\windows\system32\dllcache\inetmgr.exe
+ 2004-08-04 01:07:00 7,680 -c--a-w c:\windows\system32\dllcache\inetmgr.exe
- 2002-08-29 12:00:00 19,968 -c--a-w c:\windows\system32\dllcache\inetsloc.dll
+ 2004-08-04 01:07:00 19,968 -c--a-w c:\windows\system32\dllcache\inetsloc.dll
- 2002-08-29 12:00:00 8,704 -c--a-w c:\windows\system32\dllcache\infoctrs.dll
+ 2004-08-04 01:07:00 8,704 -c--a-w c:\windows\system32\dllcache\infoctrs.dll
- 2002-08-29 12:00:00 7,168 -c--a-w c:\windows\system32\dllcache\isapips.dll
+ 2004-08-04 01:07:00 7,168 -c--a-w c:\windows\system32\dllcache\isapips.dll
- 2002-08-29 12:00:00 9,216 -c--a-w c:\windows\system32\dllcache\iwrps.dll
+ 2004-08-04 01:07:00 9,216 -c--a-w c:\windows\system32\dllcache\iwrps.dll
- 2002-08-29 12:00:00 18,432 -c--a-w c:\windows\system32\dllcache\jupiw.dll
+ 2004-08-04 01:07:00 18,432 -c--a-w c:\windows\system32\dllcache\jupiw.dll
- 2002-08-29 12:00:00 6,144 -c--a-w c:\windows\system32\dllcache\kbd101a.dll
+ 2004-08-04 01:07:00 6,144 -c--a-w c:\windows\system32\dllcache\kbd101a.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbda1.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbda1.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbda2.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbda2.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbda3.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbda3.dll
- 2002-08-29 12:00:00 5,120 -c--a-w c:\windows\system32\dllcache\kbdarme.dll
+ 2004-08-04 01:07:00 5,120 -c--a-w c:\windows\system32\dllcache\kbdarme.dll
- 2002-08-29 12:00:00 5,120 -c--a-w c:\windows\system32\dllcache\kbdarmw.dll
+ 2004-08-04 01:07:00 5,120 -c--a-w c:\windows\system32\dllcache\kbdarmw.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbddiv1.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbddiv1.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbddiv2.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbddiv2.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdfa.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdfa.dll
- 2002-08-29 12:00:00 5,120 -c--a-w c:\windows\system32\dllcache\kbdgeo.dll
+ 2004-08-04 01:07:00 5,120 -c--a-w c:\windows\system32\dllcache\kbdgeo.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdheb.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdheb.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdindev.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdindev.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdinguj.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdinguj.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdinhin.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdinhin.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdinkan.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdinkan.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdinmar.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdinmar.dll
- 2002-08-29 12:00:00 6,144 -c--a-w c:\windows\system32\dllcache\kbdinpun.dll
+ 2004-08-04 01:07:00 6,144 -c--a-w c:\windows\system32\dllcache\kbdinpun.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdintam.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdintam.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdintel.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdintel.dll
- 2002-08-29 12:00:00 7,168 -c--a-w c:\windows\system32\dllcache\kbdnec95.dll
+ 2004-08-04 01:07:00 7,168 -c--a-w c:\windows\system32\dllcache\kbdnec95.dll
- 2002-08-29 12:00:00 9,216 -c--a-w c:\windows\system32\dllcache\kbdnecat.dll
+ 2004-08-04 01:07:00 9,216 -c--a-w c:\windows\system32\dllcache\kbdnecat.dll
- 2002-08-29 12:00:00 7,680 -c--a-w c:\windows\system32\dllcache\kbdnecnt.dll
+ 2004-08-04 01:07:00 7,680 -c--a-w c:\windows\system32\dllcache\kbdnecnt.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdsyr1.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdsyr1.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdsyr2.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdsyr2.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdth0.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdth0.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdth1.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdth1.dll
- 2002-08-29 12:00:00 6,144 -c--a-w c:\windows\system32\dllcache\kbdth2.dll
+ 2004-08-04 01:07:00 6,144 -c--a-w c:\windows\system32\dllcache\kbdth2.dll
- 2002-08-29 12:00:00 6,144 -c--a-w c:\windows\system32\dllcache\kbdth3.dll
+ 2004-08-04 01:07:00 6,144 -c--a-w c:\windows\system32\dllcache\kbdth3.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdurdu.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdurdu.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdusa.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdusa.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdvntc.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\kbdvntc.dll
- 2002-08-29 12:00:00 70,656 -c--a-w c:\windows\system32\dllcache\korwbrkr.dll
+ 2004-08-04 01:07:00 70,656 -c--a-w c:\windows\system32\dllcache\korwbrkr.dll
- 2002-08-29 12:00:00 22,016 -c--a-w c:\windows\system32\dllcache\logscrpt.dll
+ 2004-08-04 01:07:00 22,016 -c--a-w c:\windows\system32\dllcache\logscrpt.dll
- 2002-08-29 12:00:00 26,624 -c--a-w c:\windows\system32\dllcache\mdsync.dll
+ 2004-08-04 01:07:00 26,624 -c--a-w c:\windows\system32\dllcache\mdsync.dll
- 2002-08-29 12:00:00 92,032 -c--a-w c:\windows\system32\dllcache\mga.dll
+ 2004-08-04 01:07:00 92,032 -c--a-w c:\windows\system32\dllcache\mga.dll
- 2002-08-29 12:00:00 92,416 -c--a-w c:\windows\system32\dllcache\mga.sys
+ 2004-08-04 01:07:00 92,416 -c--a-w c:\windows\system32\dllcache\mga.sys
- 2002-08-29 12:00:00 34,304 -c--a-w c:\windows\system32\dllcache\migisol.exe
+ 2004-08-04 01:07:00 34,304 -c--a-w c:\windows\system32\dllcache\migisol.exe
- 2002-08-29 12:00:00 98,304 -c--a-w c:\windows\system32\dllcache\msir3jp.dll
+ 2004-08-04 01:07:00 98,304 -c--a-w c:\windows\system32\dllcache\msir3jp.dll
- 2002-08-29 12:00:00 229,439 -c--a-w c:\windows\system32\dllcache\multibox.dll
+ 2004-08-04 01:07:00 229,439 -c--a-w c:\windows\system32\dllcache\multibox.dll
- 2002-08-29 12:00:00 53,248 -c--a-w c:\windows\system32\dllcache\nextlink.dll
+ 2004-08-04 01:07:00 53,248 -c--a-w c:\windows\system32\dllcache\nextlink.dll
- 2002-08-29 12:00:00 36,927 -c--a-w c:\windows\system32\dllcache\padrs411.dll
+ 2004-08-04 01:07:00 36,927 -c--a-w c:\windows\system32\dllcache\padrs411.dll
- 2002-08-29 12:00:00 14,336 -c--a-w c:\windows\system32\dllcache\padrs412.dll
+ 2004-08-04 01:07:00 14,336 -c--a-w c:\windows\system32\dllcache\padrs412.dll
- 2002-08-29 12:00:00 31,744 -c--a-w c:\windows\system32\dllcache\pagecnt.dll
+ 2004-08-04 01:07:00 31,744 -c--a-w c:\windows\system32\dllcache\pagecnt.dll
- 2002-08-29 12:00:00 20,992 -c--a-w c:\windows\system32\dllcache\permchk.dll
+ 2004-08-04 01:07:00 20,992 -c--a-w c:\windows\system32\dllcache\permchk.dll
- 2002-08-29 12:00:00 6,144 -c--a-w c:\windows\system32\dllcache\pmxgl.dll
+ 2004-08-04 01:07:00 6,144 -c--a-w c:\windows\system32\dllcache\pmxgl.dll
- 2002-08-29 12:00:00 11,264 -c--a-w c:\windows\system32\dllcache\pmxmcro.dll
+ 2004-08-04 01:07:00 11,264 -c--a-w c:\windows\system32\dllcache\pmxmcro.dll
- 2002-08-29 12:00:00 131,584 -c--a-w c:\windows\system32\dllcache\pmxviceo.dll
+ 2004-08-04 01:07:00 131,584 -c--a-w c:\windows\system32\dllcache\pmxviceo.dll
- 2002-08-29 12:00:00 9,728 -c--a-w c:\windows\system32\dllcache\query.exe
+ 2004-08-04 01:07:00 9,728 -c--a-w c:\windows\system32\dllcache\query.exe
- 2002-08-29 12:00:00 16,384 -c--a-w c:\windows\system32\dllcache\quser.exe
+ 2004-08-04 01:07:00 16,384 -c--a-w c:\windows\system32\dllcache\quser.exe
- 2002-08-29 12:00:00 14,848 -c--a-w c:\windows\system32\dllcache\register.exe
+ 2004-08-04 01:07:00 14,848 -c--a-w c:\windows\system32\dllcache\register.exe
- 2002-08-29 12:00:00 79,872 -c--a-w c:\windows\system32\dllcache\rwia001.dll
+ 2004-08-04 01:07:00 79,872 -c--a-w c:\windows\system32\dllcache\rwia001.dll
- 2002-08-29 12:00:00 79,872 -c--a-w c:\windows\system32\dllcache\rwia330.dll
+ 2004-08-04 01:07:00 79,872 -c--a-w c:\windows\system32\dllcache\rwia330.dll
- 2002-08-29 12:00:00 18,944 -c--a-w c:\windows\system32\dllcache\simptcp.dll
+ 2004-08-04 01:07:00 18,944 -c--a-w c:\windows\system32\dllcache\simptcp.dll
- 2002-08-29 12:00:00 25,088 -c--a-w c:\windows\system32\dllcache\sm59w.dll
+ 2004-08-04 01:07:00 25,088 -c--a-w c:\windows\system32\dllcache\sm59w.dll
- 2002-08-29 12:00:00 30,208 -c--a-w c:\windows\system32\dllcache\sm81w.dll
+ 2004-08-04 01:07:00 30,208 -c--a-w c:\windows\system32\dllcache\sm81w.dll
- 2002-08-29 12:00:00 30,208 -c--a-w c:\windows\system32\dllcache\sm87w.dll
+ 2004-08-04 01:07:00 30,208 -c--a-w c:\windows\system32\dllcache\sm87w.dll
- 2002-08-29 12:00:00 26,112 -c--a-w c:\windows\system32\dllcache\sm89w.dll
+ 2004-08-04 01:07:00 26,112 -c--a-w c:\windows\system32\dllcache\sm89w.dll
- 2002-08-29 12:00:00 26,112 -c--a-w c:\windows\system32\dllcache\sm8aw.dll
+ 2004-08-04 01:07:00 26,112 -c--a-w c:\windows\system32\dllcache\sm8aw.dll
- 2002-08-29 12:00:00 29,184 -c--a-w c:\windows\system32\dllcache\sm8cw.dll
+ 2004-08-04 01:07:00 29,184 -c--a-w c:\windows\system32\dllcache\sm8cw.dll
- 2002-08-29 12:00:00 26,112 -c--a-w c:\windows\system32\dllcache\sm8dw.dll
+ 2004-08-04 01:07:00 26,112 -c--a-w c:\windows\system32\dllcache\sm8dw.dll
- 2002-08-29 12:00:00 26,112 -c--a-w c:\windows\system32\dllcache\sm90w.dll
+ 2004-08-04 01:07:00 26,112 -c--a-w c:\windows\system32\dllcache\sm90w.dll
- 2002-08-29 12:00:00 26,624 -c--a-w c:\windows\system32\dllcache\sm92w.dll
+ 2004-08-04 01:07:00 26,624 -c--a-w c:\windows\system32\dllcache\sm92w.dll
- 2002-08-29 12:00:00 26,624 -c--a-w c:\windows\system32\dllcache\sm93w.dll
+ 2004-08-04 01:07:00 26,624 -c--a-w c:\windows\system32\dllcache\sm93w.dll
- 2002-08-29 12:00:00 38,912 -c--a-w c:\windows\system32\dllcache\sm9aw.dll
+ 2004-08-04 01:07:00 38,912 -c--a-w c:\windows\system32\dllcache\sm9aw.dll
- 2002-08-29 12:00:00 31,744 -c--a-w c:\windows\system32\dllcache\sma3w.dll
+ 2004-08-04 01:07:00 31,744 -c--a-w c:\windows\system32\dllcache\sma3w.dll
- 2002-08-29 12:00:00 31,744 -c--a-w c:\windows\system32\dllcache\smb6w.dll
+ 2004-08-04 01:07:00 31,744 -c--a-w c:\windows\system32\dllcache\smb6w.dll
- 2002-08-29 12:00:00 15,872 -c--a-w c:\windows\system32\dllcache\smierrsm.dll
+ 2004-08-04 01:07:00 15,872 -c--a-w c:\windows\system32\dllcache\smierrsm.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\smierrsy.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\smierrsy.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\smimsgif.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\smimsgif.dll
- 2002-08-29 12:00:00 10,240 -c--a-w c:\windows\system32\dllcache\snmpstup.dll
+ 2004-08-04 01:07:00 10,240 -c--a-w c:\windows\system32\dllcache\snmpstup.dll
- 2002-08-29 12:00:00 143,422 -c--a-w c:\windows\system32\dllcache\softkey.dll
+ 2004-08-04 01:07:00 143,422 -c--a-w c:\windows\system32\dllcache\softkey.dll
- 2002-08-29 12:00:00 101,376 -c--a-w c:\windows\system32\dllcache\srusbusd.dll
+ 2004-08-04 01:07:00 101,376 -c--a-w c:\windows\system32\dllcache\srusbusd.dll
- 2002-08-29 12:00:00 16,896 -c--a-w c:\windows\system32\dllcache\status.dll
+ 2004-08-04 01:07:00 16,896 -c--a-w c:\windows\system32\dllcache\status.dll
- 2002-08-29 12:00:00 13,192 -c--a-w c:\windows\system32\dllcache\tdasync.sys
+ 2004-08-04 01:07:00 13,192 -c--a-w c:\windows\system32\dllcache\tdasync.sys
- 2002-08-29 12:00:00 21,896 -c--a-w c:\windows\system32\dllcache\tdipx.sys
+ 2004-08-04 01:07:00 21,896 -c--a-w c:\windows\system32\dllcache\tdipx.sys
- 2002-08-29 12:00:00 19,464 -c--a-w c:\windows\system32\dllcache\tdspx.sys
+ 2004-08-04 01:07:00 19,464 -c--a-w c:\windows\system32\dllcache\tdspx.sys
- 2002-08-29 12:00:00 185,344 -c--a-w c:\windows\system32\dllcache\thawbrkr.dll
+ 2004-08-04 01:07:00 185,344 -c--a-w c:\windows\system32\dllcache\thawbrkr.dll
- 2002-08-29 12:00:00 14,336 -c--a-w c:\windows\system32\dllcache\tsprof.exe
+ 2004-08-04 01:07:00 14,336 -c--a-w c:\windows\system32\dllcache\tsprof.exe
- 2002-08-29 12:00:00 48,256 -c--a-w c:\windows\system32\dllcache\w32.dll
+ 2004-08-04 01:07:00 48,256 -c--a-w c:\windows\system32\dllcache\w32.dll
- 2002-08-29 12:00:00 4,608 -c--a-w c:\windows\system32\dllcache\w3ctrs51.dll
+ 2004-08-04 01:07:00 4,608 -c--a-w c:\windows\system32\dllcache\w3ctrs51.dll
- 2002-08-29 12:00:00 73,728 -c--a-w c:\windows\system32\dllcache\w3ext.dll
+ 2004-08-04 01:07:00 73,728 -c--a-w c:\windows\system32\dllcache\w3ext.dll
- 2002-08-29 12:00:00 5,632 -c--a-w c:\windows\system32\dllcache\w3svapi.dll
+ 2004-08-04 01:07:00 5,632 -c--a-w c:\windows\system32\dllcache\w3svapi.dll
- 2002-08-29 12:00:00 9,216 -c--a-w c:\windows\system32\dllcache\wamps51.dll
+ 2004-08-04 01:07:00 9,216 -c--a-w c:\windows\system32\dllcache\wamps51.dll
- 2002-08-29 12:00:00 7,168 -c--a-w c:\windows\system32\dllcache\wamregps.dll
+ 2004-08-04 01:07:00 7,168 -c--a-w c:\windows\system32\dllcache\wamregps.dll
- 2002-08-29 12:00:00 41,600 -c--a-w c:\windows\system32\dllcache\weitekp9.dll
+ 2004-08-04 01:07:00 41,600 -c--a-w c:\windows\system32\dllcache\weitekp9.dll
- 2002-08-29 12:00:00 31,232 -c--a-w c:\windows\system32\dllcache\weitekp9.sys
+ 2004-08-04 01:07:00 31,232 -c--a-w c:\windows\system32\dllcache\weitekp9.sys
+ 2009-03-19 15:41:43 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6f0.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-31 180269]
"McAfeeFireTray"="c:\progra~1\NETWOR~1\MCAFEE~1\Firetray.exe" [2005-04-12 655420]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-27 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-18 148888]
"NvMediaCenter"="NvMCTray.dll" [2008-05-03
c:\windows\system32\nvmctray.dll] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-01-27 11:56 10520 c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk] path=c:\documents and settings\All Users\Start 
Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk backup=c:\windows\pss\Personal Coach.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTZDetec.exe] --a------ 2007-12-18 15:20 401408 c:\documents and settings\user pc\Desktop\David\Creative Media Lite\CTZDetec.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-03-30 10:36 267048 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-04-04 19:00 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2008-05-03 06:46 1630208 c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-24 325128] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys 
[2009-01-24 107272] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-24 903960] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-24 298264] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408] . Contents of the 'Scheduled Tasks' folder 2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57] 2009-03-17 c:\windows\Tasks\Uniblue SpyEraser Nag.job - c:\program files\Uniblue\SpyEraser\SpyEraser.exe [] 2007-09-04 c:\windows\Tasks\Uniblue SpyEraser.job - c:\program files\Uniblue\SpyEraser\SpyEraser.exe [] . . ------- Supplementary Scan ------- . uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\v0zlm1jn.default\ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-19 11:42:12 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0]
DACL=(02 0000)
="HtmldocPlugin 1.0 Type Library"
[HKEY_LOCAL_MACHINE\software\PortraitDisplays\DisplayTune\MGJ74D0C06550]
DACL=(02 0000)
"Analog 0.700,0.300Caps"="vcp(02 04 05 06 08 0E 10 12 14(01 05 08 0B) 16 18 1A 1E 20 30 3E 52 60(01 03) 68 AC AE B2 B6 C0 C6 C8 C9 CA D6(01 04) DF FA FB FC FD FE AA(01 04)) vcp_p2(37 38 39 3B) type(LCD) mccs_ver(2.0) asset_eep(64) mpu(0.04)"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_045e&Pid_00f9&MI_01&Col02\7&36e0efb9&0&0001\LogConf]
DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\progra~1\NETWOR~1\MCAFEE~1\FireSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\Tablet.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-19 11:45:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-19 15:44:58
ComboFix2.txt 2009-03-19 04:54:14
Pre-Run: 32,409,468,928 bytes free
Post-Run: 32,390,303,744 bytes free
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
534 --- E O F --- 2009-03-13 22:12:01
We're getting closer.
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
Code:
KillAll::
Folder::
c:\windows\system32\nfr.gpref
c:\windows\9g234sdfdfgjf23
File::
c:\windows\system32\nfr.gpref
c:\windows\9g234sdfdfgjf23
RegLock::
[-HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0]
[-HKEY_LOCAL_MACHINE\software\PortraitDisplays\DisplayTune\MGJ74D0C06550]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_045e&Pid_00f9&MI_01&Col02\7&36e0efb9&0&0001\LogConf]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.
ComboFix 09-03-18.01 - Becky 2009-03-19 14:09:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1096 [GMT -4:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Becky\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\9g234sdfdfgjf23
c:\windows\system32\nfr.gpref
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\9g234sdfdfgjf23 c:\windows\system32\nfr.gpref . ((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 ))))))))))))))))))))))))))))))) . 2009-03-18 19:09 . 2009-03-18 19:09 410,984 --a------ c:\windows\system32\deploytk.dll 2009-03-18 18:42 . 2009-03-18 18:42 d-------- c:\documents and settings\Becky\Application Data\Malwarebytes 2009-03-18 18:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-03-18 18:41 . 2009-03-18 18:42 d-------- c:\program files\Malwarebytes' Anti-Malware 2009-03-18 18:41 . 2009-03-18 18:41 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-03-18 18:41 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-03-18 15:11 . 2009-03-18 15:11 d-------- c:\program files\SUPERAntiSpyware 2009-03-18 15:11 . 2009-03-18 15:11 d-------- c:\program files\Common Files\Wise Installation Wizard 2009-03-18 15:11 . 2009-03-18 15:11 d-------- c:\documents and settings\Becky\Application Data\SUPERAntiSpyware.com 2009-03-18 15:04 . 2009-03-18 15:04 d-------- c:\program files\CCleaner 2009-03-17 15:50 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll 2009-03-17 15:50 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe 2009-03-17 15:50 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe 2009-03-17 15:50 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll 2009-03-17 15:50 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys 2009-03-17 15:50 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll 2009-03-17 15:50 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys 2009-03-17 15:50 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys 2009-03-17 15:50 . 2008-04-13 14:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys 2009-03-17 15:50 . 
2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll 2009-03-17 15:50 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe 2009-03-17 15:48 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll 2009-03-17 15:47 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll 2009-03-17 15:46 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys 2009-03-17 15:45 . 2001-08-17 12:50 198,144 --a--c--- c:\windows\system32\dllcache\nv3.sys 2009-03-17 15:44 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys 2009-03-17 15:43 . 2008-04-13 20:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll 2009-03-17 15:42 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll 2009-03-17 15:41 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys 2009-03-17 15:40 . 2001-08-17 12:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys 2009-03-17 15:33 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys 2009-03-17 15:32 . 2001-08-17 14:55 382,592 --a--c--- c:\windows\system32\dllcache\atidrab.dll 2009-03-17 15:31 . 2001-08-17 12:19 747,392 --a--c--- c:\windows\system32\dllcache\adm8830.sys 2009-03-17 15:30 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys 2009-03-17 15:30 . 2001-08-17 14:55 689,216 --a--c--- c:\windows\system32\dllcache\3dfxvs.dll 2009-03-17 15:30 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll 2009-03-17 15:30 . 2008-04-13 14:46 53,376 --a--c--- c:\windows\system32\dllcache\1394bus.sys 2009-03-17 15:30 . 2001-08-17 14:06 11,264 --a--c--- c:\windows\system32\dllcache\1394vdbg.sys 2009-03-11 21:16 . 2009-03-11 21:16 d-------- c:\documents and settings\David\Application Data\AVGTOOLBAR . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2009-03-19 18:03 --------- d-----w c:\documents and settings\user pc\Application Data\WTablet 2009-03-18 23:12 --------- d-----w c:\program files\Java 2009-03-18 19:00 --------- d-----w c:\program files\Lavasoft 2009-03-18 19:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft 2009-03-17 16:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2009-03-17 09:26 --------- d-----w c:\documents and settings\user pc\Application Data\uTorrent 2009-03-15 21:35 138,624 ----a-w c:\windows\system32\drivers\PnkBstrK.sys 2009-03-15 04:15 --------- d-----w c:\documents and settings\user pc\Application Data\DVD Flick 2009-03-15 01:38 --------- d-----w c:\documents and settings\user pc\Application Data\dvdcss 2009-03-07 17:20 --------- d-----w c:\program files\Ahead 2009-02-26 18:41 --------- d-----w c:\documents and settings\user pc\Application Data\ZoomBrowser EX 2009-02-26 18:41 --------- d-----w c:\documents and settings\user pc\Application Data\CameraWindowDC 2009-02-25 15:41 --------- d-----w c:\documents and settings\user pc\Application Data\AVGTOOLBAR 2009-02-12 16:12 --------- d-----w c:\program files\Google 2009-02-11 02:24 34 ----a-w c:\documents and settings\user pc\jagex_runescape_preferences.dat 2009-02-10 04:35 --------- d-----w c:\documents and settings\Leanne\Application Data\AVGTOOLBAR 2009-02-10 04:19 --------- d-----w c:\documents and settings\Leanne\Application Data\vlc 2009-02-09 03:08 --------- d-----w c:\documents and settings\Leanne\Application Data\Apple Computer 2009-02-09 02:56 --------- d-----w c:\documents and settings\Leanne\Application Data\WTablet 2009-02-09 02:56 --------- d-----w c:\documents and settings\Leanne\Application Data\Network Associates 2009-02-09 02:42 --------- d-----w c:\documents and settings\Becky\Application Data\AVGTOOLBAR 2009-02-09 02:38 --------- d-----w c:\documents and settings\Becky\Application Data\vlc 2009-02-05 18:37 --------- d-----w c:\documents and 
settings\user pc\Application Data\vlc 2009-02-05 18:16 --------- d-----w c:\program files\VideoLAN 2009-02-03 19:16 --------- d-----w c:\program files\Improvisation 2009-01-27 15:56 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys 2009-01-27 15:55 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys 2009-01-25 05:54 --------- d-----w c:\documents and settings\user pc\Application Data\Any Video Converter 2009-01-24 22:06 --------- d-----w c:\program files\AVG 2009-01-24 21:59 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf 2009-01-24 21:59 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf 2009-01-24 20:56 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles 2008-09-27 02:22 24 ----a-w c:\documents and settings\David\jagex_runescape_preferences.dat . ((((((((((((((((((((((((((((( SnapShot_2009-03-19_11.44.11.57 ))))))))))))))))))))))))))))))))))))))))) . + 2009-03-19 18:13:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_780.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-31 180269] "McAfeeFireTray"="c:\progra~1\NETWOR~1\MCAFEE~1\Firetray.exe" [2005-04-12 655420] "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-27 1601304] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-18 148888] "NvMediaCenter"="NvMCTray.dll" [2008-05-03 c:\windows\system32\nvmctray.dll] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-01-27 11:56 10520 c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk backup=c:\windows\pss\Personal Coach.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTZDetec.exe] --a------ 2007-12-18 15:20 401408 c:\documents and settings\user pc\Desktop\David\Creative Media Lite\CTZDetec.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-03-30 10:36 267048 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 
2007-04-04 19:00 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2008-05-03 06:46 1630208 c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-24 325128] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-24 107272] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-24 903960] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-24 298264] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408] . Contents of the 'Scheduled Tasks' folder 2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57] 2009-03-17 c:\windows\Tasks\Uniblue SpyEraser Nag.job - c:\program files\Uniblue\SpyEraser\SpyEraser.exe [] 2007-09-04 c:\windows\Tasks\Uniblue SpyEraser.job - c:\program files\Uniblue\SpyEraser\SpyEraser.exe [] . . ------- Supplementary Scan ------- . 
uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mDefault_Search_URL = hxxp://www.google.com/ie uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\v0zlm1jn.default\ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-19 14:14:22 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32] DACL=(02 0000) ="c:\\Program Files\\MyWebSearch\\bar\\1.bin\\F3REPROX.DLL" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(648) c:\program files\SUPERAntiSpyware\SASWINLO.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\CTSVCCDA.EXE c:\program files\Creative\Shared Files\CTDevSrv.exe c:\progra~1\NETWOR~1\MCAFEE~1\FireSvc.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\PnkBstrA.exe c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\windows\system32\PnkBstrB.exe c:\windows\system32\Tablet.exe c:\windows\wanmpsvc.exe c:\windows\system32\WTablet\TabUserW.exe c:\windows\system32\Tablet.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\rundll32.exe c:\program files\Canon\CAL\CALMAIN.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2009-03-19 14:17:05 - machine was rebooted ComboFix-quarantined-files.txt 2009-03-19 18:17:01 ComboFix2.txt 2009-03-19 15:45:04 ComboFix3.txt 2009-03-19 04:54:14 Pre-Run: 32,374,824,960 bytes free Post-Run: 32,355,348,480 bytes free Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4 243 --- E O F --- 2009-03-13 22:12:01
----------
Go to:
Check the boxes for:
Click OK or Enter
----------
How is the computer running now?
Thanks so far for all of your help. The computer seems to be running fine. I still get this error message on my user account (not the other ones) when I log on to it: "Error Loading dll32 The specified module could not be found". I am assuming dll32 is important. I tried doing START>RUN> sfc /scannow and then inserting my WinXP disc to repair the dll32 file. Nada, didn't work. Is there somewhere to get this file? Also, what was the problem(s) you saw with all of the logs I sent you? It seems Notepad had something to do with it. And I'm still wondering why we re-named HijackThis to Sniper?
Quote: And I'm still wondering why we re-named HijackThis to Sniper?
Some malware can "hide" from the hijackthis.exe. Renaming it ensures this won't happen.
Quote: Also, what was the problem(s) you saw with all of the logs I sent you? It seems Notepad had something to do with it.
I'm not sure what the deal was with the Notepad entries. It shouldn't be running from the locations it was found in, so it might have been exploited by the malware. The biggest problem was adware, MyWebSearch.
Quote: Error Loading dll32 The specified module could not be found
Sounds like something wasn't completely removed, probably part of the MyWebSearch. Let's have a closer look at where the error is coming from. Please download DDS by sUBs and save it to your Desktop. Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it).
|
|
| 490. |
Solve : need help with this? |
|
Answer» Hi Experts, my machine is still infected by malware. I cannot open installed applications in my machine like CCleaner, BitDefender, etc. |
|
| 491. |
Solve : 2 strange reports found in my pc? |
|
Answer» I found these 2 reports in my PC, and have no idea where they came from. One says |
|
| 492. |
Solve : Need Some Help !? |
|
Answer» I don't actually know if this would be the right place to post this but I have a question in regards to the SUPERAntiSpyware that I downloaded and installed on both mine and my mom's computer. I ran the scan on her computer and it worked fine, then I ran a scan on my laptop and it scans for about 20mins until it gets to something I see called Blackbox.bin, then my whole computer freezes. This has happened three times. I tried to go into my folders to see what this BlackBox file is, but it's under All Users\Application Data and it won't let me into that.... |
|
| 493. |
Solve : spyware/virus problem. can't access C: drive, can't open certain programs? |
|
Answer» Just yesterday when I turned my computer on I noticed it was acting funny. The taskbar and window frames changed back to the old grey and blue theme, and the computer kept freezing sometimes when I wanted to open a folder or program. Sometimes my internet browser said it couldn't find an internet connection when I know there was indeed a working connection because I was still online with Windows Live Messenger, even then I sometimes can't connect with Messenger. Also when I try to google something now, I'll click on the link and it will re-direct to another site which has nothing to do with what I was looking for. So I'm guessing it's a bad case of spyware. I also cannot access my C: drive from My Computer. Whenever I try I get a warning message that says:
Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis.
----------
Go to Start > Control Panel - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
* Double-click the Network Connections icon.
* Right-click the Local Area Connection icon and select Properties.
* Highlight Internet Protocol (TCP/IP) and click the Properties button.
* Be sure Obtain DNS server address automatically is selected.
* OK your way out.
Go to Start > Run and type in cmd. Click OK.
* This will open a command prompt.
* Type the following line in the command window: ipconfig /flushdns (note the space between ipconfig and /)
* Press Enter on the keyboard.
* Exit the command window.
Now restart your computer.
----------
Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
* Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
* Search for any of the following:
- Seneka.sys <- Or anything beginning with Seneka
- clbdriver.sys <- Or anything beginning with clbdriver
- TDSSserv.sys <- Or anything beginning with TDSS
* Let me know if you find them or not.
* If you do find it, right click on it, and select Disable. Do not try to uninstall them.
* Now reboot and see if you can run the scans that would not run. |
|
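The reply above has the user eyeball Device Manager for hidden non-plug-and-play drivers whose names start with Seneka, clbdriver or TDSS. The same check can be done from a saved listing, which is handy when the GUI is unusable or when you want to keep evidence. The script below is an added example for this thread, not a tool from the forum helper or from any vendor. It assumes the CSV produced by the real `driverquery /v /fo csv` command carries at least the columns "Module Name", "Driver Type" and "Path" (adjust the COL_* constants if a given Windows build labels them differently), and the sample rows are constructed rather than captured from a machine. Beyond the name prefixes the thread names, it also flags a loaded kernel driver that reports no binary path, since a driver hiding or missing its file is the same kind of finding.

```python
"""Flag suspicious kernel drivers from a saved 'driverquery /v /fo csv' listing.

Added example for this thread (not the forum helper's own tool). It assumes
the verbose CSV from driverquery carries at least the columns "Module Name",
"Driver Type" and "Path"; if your build labels them differently, adjust
COL_* below. The sample rows are constructed, not taken from a real machine.
"""
import csv
import io

COL_NAME, COL_TYPE, COL_PATH = "Module Name", "Driver Type", "Path"

# Name prefixes the thread tells the user to look for under Non-plug and Play Drivers.
SUSPICIOUS_PREFIXES = ("seneka", "clbdriver", "tdss")

# Constructed sample: a trimmed-down driverquery CSV (real output has more columns).
SAMPLE_DRIVERQUERY_CSV = '''"Module Name","Display Name","Driver Type","State","Path"
"Beep","Beep","Kernel","Running","C:\\WINDOWS\\system32\\drivers\\beep.sys"
"TDSSserv","TDSSserv.sys","Kernel","Running",""
"senekaxyz","senekaxyz","Kernel","Stopped","C:\\WINDOWS\\system32\\drivers\\senekaxyz.sys"
"Mouclass","Mouse Class Driver","Kernel","Running","C:\\WINDOWS\\system32\\drivers\\mouclass.sys"
'''


def flag_drivers(csv_text, prefixes=SUSPICIOUS_PREFIXES):
    """Return [{module, path, reasons}] for every row that deserves a closer look."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get(COL_NAME) or "").strip()
        path = (row.get(COL_PATH) or "").strip()
        dtype = (row.get(COL_TYPE) or "").strip()
        reasons = []
        # Match case-insensitively on the start of the module name, as the thread says
        # ("anything beginning with Seneka").
        if name.lower().startswith(prefixes):
            reasons.append("name matches a known rootkit driver prefix")
        # A kernel driver with no file path behind it is hiding its binary or the
        # file is gone; either way it needs a look rather than being ignored.
        if dtype.lower() == "kernel" and not path:
            reasons.append("kernel driver with no binary path recorded")
        if reasons:
            flagged.append({"module": name, "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # On the affected machine you would run:  driverquery /v /fo csv > drivers.csv
    # and pass the file contents to flag_drivers() instead of the constructed sample.
    for hit in flag_drivers(SAMPLE_DRIVERQUERY_CSV):
        print(hit["module"], "-", "; ".join(hit["reasons"]))
```

Anything this flags is a candidate to disable (not uninstall, as the reply says) before rerunning the scanners that refused to start; a clean listing does not prove the box is clean, since a kernel rootkit can also filter what driverquery sees, which is why the thread goes on to boot-time and offline scanners.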
| 494. |
Solve : Serious AVG Anti-Virus Problem? |
|
Answer» I have been putting it off, but for over a month my AVG anti-virus has not worked. AVG INTERFACE has encountered a problem and needs to close. We apologize for the inconvenience. I have AVG 8.0. I tried to uninstall it...hoping to reinstall. When I did....I got the following message Quote Installer initialization failed due to the following error:I am not allowed to uninstall. My question 1) Why is this occurring? 2) What can and should I do? THANKS!Use the AVG Remover Tool. http://www.avg.com/download-toolsOK....I did that....the AVG does not show up on my desktop or in my control panal. I have attached the avgremover.log. However when I turned on my computer I was prompted with a message stating "your computer may be at risk, avg is turned off". 1) Why is this message coming up? -AVG removed -Is there some virus keeping it? 2) If AVG is removed....why did this whole problem occur...is this just a bug anybody can get...no big issue? 3) Should I re-download AVG? As of now I have NO virus protection, so if you can help sooner...thanks! [attachment deleted by admin]Just install an antivirus. Remember to only install one antivirus! 1) Avast! Home Free Edition 2) AVG Free Edition 3) Avira AntiVir Personal OK...well I tried the new AVG 8.5 and got this message Quote C:\Documents and Settings\Trent Berger\Desktop\avg_free_stf_en_85_278a1439.exe.part could not be saved, because the source file could not be read.So what's going on? Why do I keep getting these errors? What is the problem...is it AVG or my computer? Is AVG gone from computer or not? What do I need to do to flush it out and put on a new anti-virus? I thought AVG was fine...why has it been so difficult with numerous errors for over a month even after trying to uninstall and now put on a new one? It is very frustrating to have illogical errors pop up out of nowhere and remain here for months FOR NO apparent cause. 
Why is it I am my computer is randomly picked to have AVG, which is supposed to HELP, cause errors? Ugh....please just let me know 1) What is going on 2) Why 3) How to fix Sorry for the 'tude but I am frustrated.This is the exact REASON I stopped using AVG and went to Avast. You can try here but good luck. http://freeforum.avg.com/Alright...well I want install a new anti-virus...but first I need to know 1) Is AVG anti-virus gone from my computer? -I do not see it on my program list in the control panel -However when I start the computer a red shield alerts me that my computer might be at risk since AVG is not on -I used the link to removed AVG...and it really is inconclusive to me if it is removed. -I have attached the log below -Is AVG gone from my computer? -If not, how can I get it to be removed entirely? 2) I do not want AVG or Avast, last time I had Avast it slowed up my computer. -Are there any other good anti-virus programs you can recommend? Thanks! [attachment deleted by admin]Avira AntiVir Personal is probably the best. Other free ones are these, but I would go with Avira. Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one) PC Tools AntiVirus Free EditionBefore I install a new anti-virus, I want to make certain the AVG is completely gone. 1) Is there anyway for me to see if it has been removed from the computer? 2) If it still is present, how can I go remove it?Go to C:\ > Program Files > AVG and delete the AVG folder. Done...is it all gone now and safe to install a new anti-virus program?Yes you should be able to now.Thanks! |
|
| 495. |
Solve : general question? |
|
Answer» Do anti-virus programs find ALL viruses on your computer? What I'm asking is, should I reinstall my OS every now and then to ensure that ALL viruses have been checked?
Windows Defender is a waste of resources.
Can't argue with you there. I would suggest if you are going to run an online scan to use one that will delete or repair what's found. BitDefender works very well. This scanner works with Internet Explorer only! - BitDefender Online Scanner |
|
| 496. |
Solve : Virus Notification? |
|
Answer» If a customer has a computer virus, should it be your responsibility to notify them?
If you want them to have faith in your service then yes. |
|
| 497. |
Solve : Need help! Virus screwing with my computer!? |
|
Answer» I recently got a virus on my computer. it says that they are both trojans one says detected as Vundo!grb and the other says is a generic rootkit. Can anyone help me? It says it is deleted but every time I restart my computer they are there again! Thanks!
Read this before requesting malware removal help, evilfantasy
u can use mc afee antivirus to just get rid of these virus but if u want a good anti virus u can use Malwarebytes' Anti-Malware....
Another useless post......
Another useless post...... i agree , i did not think malware was an anti-virus , i could be wrong but i think not andiek 1987 , do as my first post the experts will be looking for logs to check over , harry
I think all anti virus (freebies) are a virus within themselves . if you love your machine pay per play in the mean time rent yourself a hijack this on this site and then attack with no mercy but follow all instructions carefully as kierans guidance is worth its weight in gold !!
I think all anti virus (freebies) are a virus within themselves i have had 5 freebies for 4 years with no trouble of any sort , i bought mcafee and norton and took them out nothing but trouble
Quote from: ELVIROS on March 07, 2009, 02:59:39 AM I think all anti virus (freebies) are a virus within themselves. You have it backwards. Norton and mcafee do not offer little to no protection, they also root themselves deep into the system- and charge you for the privilege every month. Avira, and Avast! along with a few others, in contrast, provide better protection, don't root themselves deeply into the system (IE: you don't need a "removal tool" for most of them- Uninstall and they are gone), And most importantly- they do NOT charge you for the privilege. |
|
| 498. |
Solve : Computer very slow..*Please Help*? |
|
Answer» Ive done the : |
|
| 499. |
Solve : Frustrated Home Worker needs Help? |
|
Answer» When I first came to this forum I was having a problem with "scvhost.exe" Application Error.
Does IE work now?
First attachment: Moveit Results - Report before computer needed to be rebooted - Moveit Results.txt
Second attachment: After Reboot Report Log - 03062009_121958.log
[attachment deleted by admin]
How is Dial-a-Fix working?
Dial-a-Fix is running now... It seems to be stuck in step 4... SSL/HTTPS/Cryptography... Bottom task says Stopping CRYPTSVC... It has been there for about 10-15 minutes...
If it doesn't move on from that then stop it and uncheck that box then run Dial a fix again. Once finished restart and see if IE is working. There are some solutions on this page http://support.microsoft.com/?kbid=822798 for manual fixes. Look under the RESOLUTION tab.
Also do you have your XP CD?
Yes I do have my XP Disk. You thinking running repair could possibly fix this issue?...
------------------------
I stopped Dial-a-Fix then ran again. When I click on the Explorer Icon IE does not open... Each time I click on the icon it creates another short cut for IE on my desktop... So far I have 4 short cuts for IE on my desktop... FireFox: Mozilla Crash Reporter pops up: "We're Sorry Firefox had a problem and crashed. We'll try to restore your tabs and windows when it restarts" And it won't restart - I keep getting the Mozilla Crash Report window...
We might try a Repair but I'm not sure that will help with this.
1. Download IEFix.zip and run it.
2. Click the Apply button.
3. You'll be prompted for the Operating System CD or the Service Pack Files location.
4. Once finished Restart Windows.
Does IE work now? If not... From here http://techtipdaily.com/2008/07/30/opening-internet-explorer-creates-desktop-shortcut/
1. Go to the control panel (Start Menu->Control Panel) and go to Add/Remove programs.
2. Check the “Show Updates” (”Show hotfixes” in some versions) check boxes to show all installed patches.
3. Scroll down until you see “Security Update for Windows XP (KB943460)”
4. Click the remove button, and follow the prompts.
If you can't uninstall it that way then visit the link for more suggestions.
I ran IEFix.zip and IE still does not work...keeps creating shortcuts.. Firefox doesn't work...Mozilla Crash Report. Crazy Browser works and Sea Monkey works. I went to Add/Remove Programs... I did not find "hot fix" Windows XP (KB943460) in my computer... - I checked the Show Updates box. Evidently I have been having problems and didn't know it. Have not been getting updates I guess..
OK let's make sure the malware is completely gone before moving on to repairs. No need in fighting a repair if it is actually malware interfering. First some clean up.
Download ATF Cleaner by Atribune to your Desktop. Alternate download link Note: Vista users must use Run As Administrator
---------- Download OTCleanIt.exe and save it to your Desktop.
Important: Restart the computer before continuing. ---------- Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:
So far nothing has changed with Firefox or IE...
========================================================
cleaner42.exe\data001;C:\Documents and Settings\Administrator\Desktop\cleaner42.exe;Program.XPCSpy.23;;
cleaner42.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
cleaner42.exe\data001;C:\Documents and Settings\Administrator\My Documents\Cleaner\New Folder1\cleaner42.exe;Program.XPCSpy.23;;
cleaner42.exe;C:\Documents and Settings\Administrator\My Documents\Cleaner\New Folder1;Archive contains infected objects;Moved.;
New Leads.txt;C:\Documents and Settings\Administrator\My Documents\Desktop Junk\Daily Leads\Rec Leads;Modification of CeyDem.6574;Moved.;
New Leads2.txt;C:\Documents and Settings\Administrator\My Documents\Leads\Daily Leadsb\Daily Leads 2;Modification of CeyDem.6574;Moved.;
New Leads.txt;C:\Documents and Settings\Administrator\My Documents\Leads\Daily Leadsb\Rec Leads;Modification of CeyDem.6574;Moved.;
cleaner42.exe\data001;C:\Documents and Settings\Administrator\My Documents\Software\Software\cleaner42.exe;Program.XPCSpy.23;;
cleaner42.exe;C:\Documents and Settings\Administrator\My Documents\Software\Software;Archive contains infected objects;Moved.;
cleaner.exe;C:\Program Files\The Cleaner;Program.XPCSpy.23;;
A0000022.exe\data001;C:\System Volume Information\_restore{22FBF451-E3C7-49DB-9BAC-31A48CDCC2AC}\RP1\A0000022.exe;Program.XPCSpy.23;;
A0000022.exe;C:\System Volume Information\_restore{22FBF451-E3C7-49DB-9BAC-31A48CDCC2AC}\RP1;Archive contains infected objects;Moved.; |
|
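The Dr.Web CureIt! output the poster pasted above is a semicolon-separated report: object, path, threat name (or the notice "Archive contains infected objects" for a container), and the action taken, with the action column empty when nothing was done. Reading such a report by hand is easy to get wrong: an archive member with no action is fine when the whole archive was moved, a plain file with no action is not, and anything under System Volume Information lives in a restore point and comes back if those are not purged. The script below is an added example for this thread, not the poster's data or a Dr.Web tool; its sample lines are constructed in the report's format with placeholder paths and a placeholder restore-point GUID.

```python
"""Triage a Dr.Web CureIt! report.

Added example for this thread (not from the forum poster or from Dr.Web).
Each report line is semicolon-separated:

    object;path;threat;action;

A member of an archive is written as "archive.exe\\member" with the full
archive path; the archive itself gets a separate line whose threat column
reads "Archive contains infected objects" and whose action says what was
done with it. The sample below is constructed in that format with
placeholder paths and a placeholder restore-point GUID.
"""
import ntpath
from collections import Counter
from dataclasses import dataclass

CONTAINER_NOTICE = "Archive contains infected objects"

# Constructed sample report (not real scan output).
SAMPLE_REPORT = r"""
cleaner42.exe\data001;C:\Documents and Settings\User\Desktop\cleaner42.exe;Program.XPCSpy.23;;
cleaner42.exe;C:\Documents and Settings\User\Desktop;Archive contains infected objects;Moved.;
New Leads.txt;C:\Documents and Settings\User\My Documents\Leads;Modification of CeyDem.6574;Moved.;
cleaner.exe;C:\Program Files\The Cleaner;Program.XPCSpy.23;;
A0000022.exe\data001;C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000022.exe;Program.XPCSpy.23;;
A0000022.exe;C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1;Archive contains infected objects;Moved.;
"""


@dataclass
class Finding:
    obj: str      # object name; "archive\member" for a file inside an archive
    path: str     # full file path for archive members, directory for plain files
    threat: str   # detection name, or a notice such as CONTAINER_NOTICE
    action: str   # "Moved.", "Deleted." or "" when the scanner did nothing

    @property
    def is_container_notice(self) -> bool:
        return self.threat == CONTAINER_NOTICE

    @property
    def is_archive_member(self) -> bool:
        return "\\" in self.obj

    @property
    def in_restore_point(self) -> bool:
        # System Restore keeps copies under _restore{GUID}\RPn; they survive a
        # cleanup until the restore points themselves are purged.
        return "\\System Volume Information\\_restore" in self.path

    def container_key(self):
        """(directory, archive name) of the archive this member belongs to."""
        return ntpath.dirname(self.path), self.obj.split("\\", 1)[0]


def parse_report(text: str) -> list:
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected report line: {line!r}")
        findings.append(Finding(*fields[:4]))
    return findings


def triage(findings: list) -> dict:
    """Count threats, list what still needs manual attention, flag restore-point hits."""
    # (path, obj) of every entry the scanner acted on (moved, deleted, ...)
    handled = {(f.path, f.obj) for f in findings if f.action}
    unresolved = []
    for f in findings:
        if f.action or f.is_container_notice:
            continue
        # A member with no action of its own is covered when its whole archive was moved.
        if f.is_archive_member and f.container_key() in handled:
            continue
        unresolved.append(f)
    threats = Counter(f.threat for f in findings if not f.is_container_notice)
    restore_hits = [f for f in findings if f.in_restore_point]
    return {"threats": threats, "unresolved": unresolved, "restore_point_hits": restore_hits}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for threat, n in result["threats"].most_common():
        print(f"{n:3d}  {threat}")
    for f in result["unresolved"]:
        print("NOT handled:", ntpath.join(f.path, f.obj))
    if result["restore_point_hits"]:
        print(f"{len(result['restore_point_hits'])} hit(s) inside System Restore points")
```

On the constructed sample the one entry left in "unresolved" is the plain cleaner.exe under Program Files, which the scanner detected but did not move, and the two restore-point hits say the infected copies in RP1 are still there until System Restore is cleared; those are exactly the two things a helper would ask the poster about next.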
| 500. |
Solve : dictionary attack?? |
|
Answer» in PeerGuardian 2 in the blocked it said dictionary attacker |
|