Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Little Control


  • This topic is locked This topic is locked
14 replies to this topic

#1 T3rry

T3rry

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 11 December 2008 - 08:21 AM

Desktop says "Warning Spyware Detected", when it's active.

Browsers go only to a few sites.

Pop up (Firefox) selling some Anti-Virus software

Browsers (IE and Firefox) are blocked from your web site. I am writing this from a different computer.

Could not update Java.

Have not been able to update AVG or AdAware, but both run. AVG finds Heur, AdAware finds registry issues that have closed Task Manager.

Kaspersky site was not available either. Or Run Random's. I downloaded the RSIT onto a flash drive and was successful gathering the following:
info.txt logfile of random's system information tool 1.04 2008-12-11 07:51:09

======Uninstall list======

Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Ask Toolbar-->"C:\Program Files\AskBarDis\unins000.exe"
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Zumie Search 1.0 build 160-->C:\Program Files\ZumieSearch\uninstall.exe

======Security center information======

AV: AVG Anti-Virus Free (outdated)

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 6 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0604
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip

-----------------EOF-----------------

And:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-12-11 07:51:04
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 43 GB (47%) free of 91 GB
Total RAM: 879 MB (51% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}]
ShoppingReport - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll [2008-02-06 1173024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
AskBar BHO - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-09-08 279944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-08-08 308856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-12-04 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll [2008-03-25 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
AOL Toolbar Launcher - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 524288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87E68009-29A8-D669-F7C2-B31D08635C50}]
ContextAdvisor - C:\Program Files\ContextAdvisor\ContextAdvisor-1.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
(Gaming)2 - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll [2008-03-03 635392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}]
solution Class - C:\WINDOWS\system32\1qmeN3Rx.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}]
Ask Search Assistant BHO - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL [2007-06-09 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-08 734704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}]
Ask Toolbar BHO - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL [2007-06-09 245760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 524288]
{FE063DB9-4EC0-403e-8DD8-394C54984B2C} - Ask Toolbar - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL [2007-06-09 245760]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]
{3041d03e-fd4b-44e0-b742-2d9b88305f98} - Ask Toolbar - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-09-08 279944]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 32768]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe [2008-03-25 144784]
"G2"=C:\Program Files\GamingSquared\Gaming2\G2.exe [2008-03-03 1215664]
"AIMPro"=C:\Program Files\AIM\AIM Pro\aimpro.exe [2007-10-09 5043528]
"NBKeyScan"=C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe []
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-08-08 185896]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-09-22 14854144]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"eescu"=c:\windows\system32\eescu.exe [2008-11-22 275968]
"Framework Windows"=C:\WINDOWS\system32\frmwrk32.exe [2008-12-03 32256]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-12-04 1261336]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"AIMPro"=C:\Program Files\AIM\AIM Pro\aimpro.exe [2007-10-09 5043528]
"Nero PhotoShow Media Manager"=C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe []
"Awola6"=C:\Documents and Settings\Owner\Application Data\Awola6\Awola6.exe /MIN []
"SpeedItUpEX"=C:\Program Files\Speeditup Free\SpeedItUp.exe [2008-06-09 2275328]
"SVCHOST.EXE"=C:\WINDOWS\system32\drivers\svchost.exe [2008-11-26 40960]
"nah_Shell"=C:\Documents and Settings\Owner\nah_chiw.exe [2008-11-26 80384]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1180297048\ee\AOLSoftware.exe [2006-04-13 50792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McafWelcome]
c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe [2008-08-08 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-07-19 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe /checktask []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
C:\PROGRA~1\Metacafe\METACA~1.EXE /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Metacafe.lnk]
C:\PROGRA~1\Metacafe\METACA~1.EXE /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2
"MpfService"=3
"mcupdmgr.exe"=3
"McTskshd.exe"=2
"McShield"=2
"McDetect.exe"=2

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-01-15 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0
"NoSetActiveDesktop"=1
"NoActiveDesktopChanges"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1149592549\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1149592549\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AIM\AIM Pro\aimpro.exe"="C:\Program Files\AIM\AIM Pro\aimpro.exe:*:Enabled:AIM Pro"
"C:\Program Files\Common Files\AOL\1180297048\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1180297048\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\Program Files\Best Buy Rhapsody\rhapsody.exe"="C:\Program Files\Best Buy Rhapsody\rhapsody.exe:*:Enabled:Rhapsody Media Player"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"
"C:\WINDOWS\system32\drivers\svchost.exe"="C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22b877e1-f54a-11da-9169-806d6172696f}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eebaae4-9169-11dc-96d6-0016766753b2}]
shell\Auto\command - F:\Start.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{518eedcd-7ec0-11dd-97db-0016766753b2}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adc1dd69-3600-11db-9460-806d6172696f}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


======List of files/folders created in the last 1 months======

2008-12-11 07:51:04 ----D---- C:\rsit
2008-12-11 07:51:04 ----D---- C:\Program Files\trend micro
2008-12-10 19:07:14 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-10 19:03:48 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 19:01:55 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-10 19:01:35 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-09 19:32:23 ----D---- C:\Program Files\iPod
2008-12-09 19:32:19 ----D---- C:\Program Files\iTunes
2008-12-09 19:32:19 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-09 19:30:36 ----D---- C:\Program Files\QuickTime
2008-12-07 17:25:51 ----A---- C:\WINDOWS\system32\ntdll64.exe
2008-12-07 11:43:14 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-05 21:11:55 ----HD---- C:\$AVG8.VAULT$
2008-12-04 20:55:33 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-12-04 20:55:15 ----D---- C:\Program Files\AVG
2008-12-04 20:55:15 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-04 18:58:53 ----A---- C:\WINDOWS\system32\mssrv32.exe
2008-12-03 23:47:55 ----A---- C:\WINDOWS\system32\frmwrk32.exe
2008-12-02 21:45:18 ----D---- C:\Program Files\AskBarDis
2008-11-30 11:59:31 ----SHD---- C:\WINDOWS\system32\twain_32
2008-11-30 11:59:29 ----A---- C:\WINDOWS\system32\windows_update.exe
2008-11-30 00:01:22 ----D---- C:\Documents and Settings\Owner\Application Data\MSNInstaller
2008-11-25 20:10:03 ----A---- C:\WINDOWS\system32\ptpusb.dll
2008-11-25 20:10:01 ----A---- C:\WINDOWS\system32\ptpusd.dll
2008-11-22 14:48:23 ----A---- C:\WINDOWS\system32\eescu.exe
2008-11-12 17:05:14 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 17:03:43 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 17:01:42 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$

======List of files/folders modified in the last 1 months======

2008-12-11 07:51:04 ----RD---- C:\Program Files
2008-12-11 07:48:21 ----D---- C:\Program Files\Mozilla Firefox
2008-12-11 07:41:16 ----D---- C:\WINDOWS\Temp
2008-12-11 07:41:13 ----D---- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-12-11 07:36:59 ----D---- C:\Documents and Settings
2008-12-10 22:00:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-10 21:09:07 ----D---- C:\WINDOWS
2008-12-10 21:08:33 ----D---- C:\WINDOWS\system32
2008-12-10 19:07:17 ----HD---- C:\WINDOWS\inf
2008-12-10 19:06:48 ----A---- C:\WINDOWS\win.ini
2008-12-10 19:06:41 ----SHD---- C:\WINDOWS\Installer
2008-12-10 19:06:06 ----A---- C:\WINDOWS\imsins.BAK
2008-12-10 19:06:01 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-10 19:06:00 ----D---- C:\Program Files\Internet Explorer
2008-12-10 19:05:47 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-10 19:05:47 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-10 19:02:00 ----D---- C:\WINDOWS\Prefetch
2008-12-10 18:57:22 ----D---- C:\WINDOWS\system32\Lang
2008-12-10 17:59:22 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-09 19:30:16 ----D---- C:\Program Files\Common Files\Apple
2008-12-09 18:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-09 07:11:15 ----D---- C:\Documents and Settings\Owner\Application Data\ShoppingReport
2008-12-07 15:27:07 ----D---- C:\WINDOWS\system32\drivers
2008-12-07 11:41:14 ----D---- C:\Documents and Settings\Owner\Application Data\U3
2008-12-07 11:30:24 ----D---- C:\Program Files\ZumieSearch
2008-12-06 17:44:05 ----D---- C:\Program Files\LimeWire
2008-12-06 17:26:18 ----D---- C:\Program Files\ContextAdvisor
2008-12-05 20:49:40 ----D---- C:\WINDOWS\system32\LogFiles
2008-12-04 00:20:24 ----A---- C:\WINDOWS\OEWABLog.txt
2008-12-03 23:49:16 ----A---- C:\WINDOWS\system32\userinit.exe
2008-12-03 21:56:02 ----D---- C:\Documents and Settings\Owner\Application Data\FrostWire
2008-11-30 11:52:39 ----D---- C:\Program Files\FrostWire
2008-11-30 11:52:09 ----D---- C:\Documents and Settings\Owner\Application Data\zweitgeist
2008-11-30 00:10:04 ----D---- C:\WINDOWS\Downloaded Installations
2008-11-30 00:10:04 ----D---- C:\Documents and Settings\Owner\Application Data\Teleca
2008-11-30 00:09:37 ----D---- C:\Program Files\Common Files\Teleca Shared
2008-11-30 00:09:26 ----D---- C:\Program Files\Common Files
2008-11-30 00:08:39 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-30 00:01:23 ----D---- C:\Program Files\MSN
2008-11-30 00:01:09 ----D---- C:\Program Files\Image-Line
2008-11-30 00:00:42 ----D---- C:\Program Files\DivX
2008-11-26 23:46:39 ----A---- C:\WINDOWS\system32\winlogon.exe
2008-11-26 23:46:39 ----A---- C:\WINDOWS\system32\termsrv.dll
2008-11-20 14:51:07 ----D---- C:\Program Files\weblin
2008-11-19 14:52:03 ----A---- C:\DTSHDSpOut.txt
2008-11-14 14:38:16 ----D---- C:\WINDOWS\Help
2008-11-12 17:01:01 ----D---- C:\WINDOWS\WinSxS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-12-04 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-12-04 26824]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-12-04 76040]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2006-12-25 8413]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-09-23 1094751]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-01-15 1477632]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-23 3966976]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-01-18 80512]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2008-04-13 42752]
S2 Ca536av;DV 4500(Video); C:\WINDOWS\System32\Drivers\Ca536av.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2003-04-04 30336]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 se3ebus;Sony Ericsson Device 062 (WDM); C:\WINDOWS\system32\DRIVERS\se3ebus.sys [2006-11-07 66656]
S3 se3emdfl;Sony Ericsson Device 062 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\se3emdfl.sys [2006-11-07 9392]
S3 se3emdm;Sony Ericsson Device 062 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\se3emdm.sys [2006-11-07 100736]
S3 se3emgmt;Sony Ericsson Device 062 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\se3emgmt.sys [2006-11-07 92304]
S3 se3eobex;Sony Ericsson Device 062 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\se3eobex.sys [2006-11-07 90144]
S3 se58bus;Sony Ericsson Device 088 driver (WDM); C:\WINDOWS\system32\DRIVERS\se58bus.sys [2006-09-05 61536]
S3 se58mdfl;Sony Ericsson Device 088 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\se58mdfl.sys [2006-09-05 9360]
S3 se58mdm;Sony Ericsson Device 088 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\se58mdm.sys [2006-09-05 97088]
S3 se58mgmt;Sony Ericsson Device 088 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\se58mgmt.sys [2006-09-05 88624]
S3 se58nd5;Sony Ericsson Device 088 USB Ethernet Emulation SEMC58 (NDIS); C:\WINDOWS\system32\DRIVERS\se58nd5.sys [2006-09-05 18704]
S3 se58obex;Sony Ericsson Device 088 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\se58obex.sys [2006-09-05 86432]
S3 se58unic;Sony Ericsson Device 088 USB Ethernet Emulation SEMC58 (WDM); C:\WINDOWS\system32\DRIVERS\se58unic.sys [2006-09-05 90800]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 USBCamera;DV 4500(Still); C:\WINDOWS\System32\Drivers\Bulk536.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-01-15 405504]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-12-04 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-12-04 231704]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-06-06 172032]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2006-01-26 520192]
S2 msupdate;Microsoft security update service; c:\windows\system32\mssrv32.exe [2008-12-04 16384]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-08-01 654848]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-14 145184]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2003-04-04 77824]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

I attempted to install (from flash drive to infected computer) Malwarebyte's Anti-Malware, but it would not run.

Thanks for looking into this.

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:01 PM

Posted 12 December 2008 - 05:07 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 T3rry

T3rry
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 12 December 2008 - 09:43 PM

Thank you Sam, progress has been made.

I downloaded SDFix onto a different computer and used my USB drive to drop it onto the dektop of the infected computer. Double clicking was not effective, but a right click gave me the unzip option and I was then able to follow your instructions exactly.

The speed of the computer is improved, but it is still clearly infected. There is a GIF at the bottom with a balloon that says "Warning Security Report. Your computer is infected...". In addition the desktop flashes "Warning" followed by "Dangerous Spyware...". The normal desktop background does not display. When I attempted to go to your site in Firefox, I was redirected to a bogus site that has a url that begins: welcome.bleepingcomputer....

I turned the infected machine off and am writing to you from a different computer. I copied the report to my USB drive and here it is:
SDFix: Version 1.240
Run by Owner on Fri 12/12/2008 at 08:29 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\Desktop\SDFix\SDFix

Checking Services :

Name :
msupdate

Path :
c:\windows\system32\mssrv32.exe

msupdate - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds - Deleted
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\GLF198A.tmp.dll - Deleted
C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt - Deleted
C:\Program Files\FBrowsingAdvisor\Logo.png - Deleted
C:\Program Files\FBrowsingAdvisor\main.db - Deleted
C:\Program Files\FBrowsingAdvisor\unins000.dat - Deleted
C:\Program Files\FBrowsingAdvisor\unins000.exe - Deleted
C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll - Deleted
C:\WINDOWS\system32\drivers\svchost.exe - Deleted
C:\WINDOWS\system32\mssrv32.exe - Deleted
C:\WINDOWS\system32\windows_update.exe - Deleted
C:\WINDOWS\system32\TDSSxehj.dll - Deleted
C:\WINDOWS\system32\TDSSreat.dat - Deleted
C:\WINDOWS\system32\TDSSqrdn.log - Deleted
C:\WINDOWS\system32\twain_32\local.ds - Deleted
C:\WINDOWS\system32\twain_32\user.ds - Deleted
C:\WINDOWS\system32\twain_32\user.ds.cla - Deleted
C:\WINDOWS\system32\twext.exe - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSktkl.dll
Could Not Remove C:\WINDOWS\system32\TDSSurxb.dll
Could Not Remove C:\WINDOWS\system32\TDSSlajf.dll
Could Not Remove C:\WINDOWS\system32\TDSSoxum.dll

Folder C:\Documents and Settings\LocalService\Application Data\twain_32 - Removed
Folder C:\Documents and Settings\NetworkService\Application Data\twain_32 - Removed
Folder C:\Program Files\FBrowsingAdvisor - Removed
Folder C:\WINDOWS\system32\twain_32 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 20:49:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Owner\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1149592549\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1149592549\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"="C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe:*:Enabled:AIM Pro"
"C:\\Program Files\\Common Files\\AOL\\1180297048\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1180297048\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe"="C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe:*:Enabled:Rhapsody Media Player"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\system32\TDSSktkl.dll Found
C:\WINDOWS\system32\TDSSurxb.dll Found
C:\WINDOWS\system32\TDSSlajf.dll Found
C:\WINDOWS\system32\TDSSoxum.dll Found

File Backups: - C:\DOCUME~1\Owner\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 27 Jun 2007 1,361 A..H. --- "C:\Documents and Settings\Owner\IPH.BAK"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 30 Oct 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 4 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 27 May 2007 5,685 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Tue 23 Oct 2007 3,350,528 A..H. --- "C:\Documents and Settings\Owner\Application Data\U3\temp\Launchpad Removal.exe"
Mon 30 Oct 2006 4,348 A..H. --- "C:\Documents and Settings\Owner\Application Data\Real\Rhapsody\wmlicbackup\drmv1key.bak"
Mon 25 Dec 2006 20 A..H. --- "C:\Documents and Settings\Owner\Application Data\Real\Rhapsody\wmlicbackup\drmv1lic.bak"
Thu 28 Sep 2006 312 A.SH. --- "C:\Documents and Settings\Owner\Application Data\Real\Rhapsody\wmlicbackup\drmv2key.bak"

Finished!

Thank you for your help.

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:01 PM

Posted 13 December 2008 - 09:58 AM

It's still hanging in there.
We need to run Combofix.


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 T3rry

T3rry
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 13 December 2008 - 10:32 PM

Sam-

No success in running combofix. I cannot navigate to your site on the infected computer, so I downloaded it to a different machine and transfered it to the infected computer on a USB portable flash drive. I placed combofix on the dektop of the infected machine, double clicked, then nothing. If I right click and "run as" I get a box that asks for which user, I select, then nothing. I right clicked and selected pin to start menu, clicked once, nothing. In short, the program will not run. I unzipped it, but I don't know what to do with what I see. So is there a way to make it run? Safe mode?

Thanks again.

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:01 PM

Posted 14 December 2008 - 10:40 AM

Try renaming combofix.exe to cf.exe and then run it.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 T3rry

T3rry
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 14 December 2008 - 04:28 PM

:thumbsup:

Renaming worked. And I am writing to you from the "infected" machine.

Here is the log:

ComboFix 08-12-13.03 - Owner 2008-12-14 16:09:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.879.527 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\cf.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\documents and settings\Owner\Application Data\ShoppingReport
c:\documents and settings\Owner\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\Owner\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\Owner\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\Owner\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\Owner\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\Owner\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\Owner\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
c:\documents and settings\Owner\nah_chiw.exe
c:\program files\FBrowserAdvisor
c:\program files\ShoppingReport
c:\program files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
c:\program files\ShoppingReport\Uninst.exe
c:\windows\pack.epk
c:\windows\system32\4okcL6Pv.exe.a_a
c:\windows\system32\axtyth.dat
c:\windows\system32\axtyth_nav.dat
c:\windows\system32\axtyth_navps.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\TDSSpcuu.sys
c:\windows\system32\eescu.dat
c:\windows\system32\eescu.exe
c:\windows\system32\eescu_nav.dat
c:\windows\system32\eescu_navps.dat
c:\windows\system32\frmwrk32.exe
c:\windows\system32\ntdll64.exe
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\sTy5d28l.exe.a_a
c:\windows\system32\TDSSktkl.dll
c:\windows\system32\TDSSlajf.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoxum.dll
c:\windows\system32\TDSSqkhc.dll
c:\windows\system32\TDSSqrdn.log
c:\windows\system32\TDSSreat.dat
c:\windows\system32\TDSSshkx.log
c:\windows\system32\TDSSurxb.dll
c:\windows\system32\TDSSxehj.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\yceci.dat
c:\windows\system32\yceci.exe
c:\windows\system32\yceci_nav.dat
c:\windows\system32\yceci_navps.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-12 20:25 . 2008-12-12 20:25 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-12 20:16 . 2008-12-12 20:16 <DIR> d-------- c:\windows\ERUNT
2008-12-11 07:51 . 2008-12-11 07:51 <DIR> d-------- C:\rsit
2008-12-11 07:51 . 2008-12-11 07:51 <DIR> d-------- c:\program files\trend micro
2008-12-11 07:47 . 2008-12-11 07:49 <DIR> d-------- c:\documents and settings\Owner\.SunDownloadManager
2008-12-11 07:36 . 2004-08-27 04:54 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-11 07:36 . 2008-12-11 07:36 <DIR> d-------- c:\documents and settings\Administrator
2008-12-09 19:32 . 2008-12-09 19:32 <DIR> d-------- c:\program files\iTunes
2008-12-09 19:32 . 2008-12-09 19:32 <DIR> d-------- c:\program files\iPod
2008-12-09 19:32 . 2008-12-09 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-09 19:30 . 2008-12-09 19:31 <DIR> d-------- c:\program files\QuickTime
2008-12-07 21:22 . 2008-12-07 21:22 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2008-12-05 21:11 . 2008-12-07 17:16 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-04 20:55 . 2008-12-04 20:55 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-04 20:55 . 2008-12-04 20:55 <DIR> d-------- c:\program files\AVG
2008-12-04 20:55 . 2008-12-07 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-04 20:55 . 2008-12-04 20:55 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-04 20:55 . 2008-12-04 20:55 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-04 20:55 . 2008-12-04 20:55 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-04 00:21 . 2008-12-04 00:21 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\acccore
2008-12-04 00:20 . 2008-12-04 00:20 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVG7
2008-12-04 00:20 . 2008-12-04 00:20 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AIMPro
2008-12-04 00:20 . 2008-12-14 16:01 4,785 --a------ c:\windows\system32\warning.gif
2008-12-04 00:20 . 2008-12-14 16:19 461 --a------ c:\windows\system32\win32hlp.cnf
2008-12-03 23:50 . 2008-12-14 16:01 1,347 --a------ c:\windows\system32\ahtn.htm
2008-12-03 23:48 . 2008-12-03 23:48 1 --a------ c:\windows\system32\uniq.tll
2008-12-03 23:48 . 2008-12-03 23:48 1 --a------ c:\windows\system32\test.ttt
2008-12-02 21:45 . 2008-12-02 21:45 <DIR> d-------- c:\program files\AskBarDis
2008-11-30 00:01 . 2008-11-30 00:01 <DIR> d-------- c:\documents and settings\Owner\Application Data\MSNInstaller
2008-11-25 20:10 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-25 20:10 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 21:01 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2008-12-10 00:30 --------- d-----w c:\program files\Common Files\Apple
2008-12-07 16:41 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2008-12-07 16:30 --------- d-----w c:\program files\ZumieSearch
2008-12-06 22:44 --------- d-----w c:\program files\LimeWire
2008-12-06 22:26 --------- d-----w c:\program files\ContextAdvisor
2008-12-04 02:56 --------- d-----w c:\documents and settings\Owner\Application Data\FrostWire
2008-11-30 16:52 --------- d-----w c:\program files\FrostWire
2008-11-30 16:52 --------- d-----w c:\documents and settings\Owner\Application Data\zweitgeist
2008-11-30 05:10 --------- d-----w c:\documents and settings\Owner\Application Data\Teleca
2008-11-30 05:09 --------- d-----w c:\program files\Common Files\Teleca Shared
2008-11-30 05:01 --------- d-----w c:\program files\Image-Line
2008-11-30 05:00 --------- d-----w c:\program files\DivX
2008-11-20 19:51 --------- d-----w c:\program files\weblin
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 21:17 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-19 17:44 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
2008-05-11 23:17 0 --sha-w c:\documents and settings\Owner\Application Data\0000000000t.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"= "c:\program files\AOL\AOL Toolbar 2.0\aoltb.dll" [2005-08-02 524288]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"= "c:\program files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" [2007-06-09 57344]

[HKEY_CLASSES_ROOT\clsid\{ea756889-2338-43db-8f07-d1ca6fb9c90d}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{371A6A18-2D6A-4DF8-A4AA-61CA349B3C70}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch]

[HKEY_CLASSES_ROOT\clsid\{9cb65206-89c4-402c-ba80-02d8c59f9b1d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-08 22:08 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
2008-03-03 18:26 635392 --a------ c:\program files\GamingSquared\Gaming2\G2IE_v1042.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AIMPro"="c:\program files\AIM\AIM Pro\aimpro.exe" [2007-10-09 5043528]
"SpeedItUpEX"="c:\program files\Speeditup Free\SpeedItUp.exe" [2008-06-09 2275328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"G2"="c:\program files\GamingSquared\Gaming2\G2.exe" [2008-03-03 1215664]
"AIMPro"="c:\program files\AIM\AIM Pro\aimpro.exe" [2007-10-09 5043528]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-08 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-04 1261336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=c:\windows\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Metacafe.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Metacafe.lnk
backup=c:\windows\pss\Metacafe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-04-13 15:36 50792 c:\program files\Common Files\AOL\1180297048\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
--a------ 2008-08-08 13:42 69632 c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-19 10:44 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"=
"c:\\Program Files\\Common Files\\AOL\\1180297048\\ee\\aolsoftware.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-04 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-04 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-04 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-04 76040]
S2 Ca536av;DV 4500(Video);c:\windows\system32\Drivers\Ca536av.sys []
S3 se3ebus;Sony Ericsson Device 062 (WDM);c:\windows\system32\DRIVERS\se3ebus.sys [2008-01-12 66656]
S3 se3emdfl;Sony Ericsson Device 062 USB WMC Modem Filter;c:\windows\system32\DRIVERS\se3emdfl.sys [2008-01-12 9392]
S3 se3emdm;Sony Ericsson Device 062 USB WMC Modem Driver;c:\windows\system32\DRIVERS\se3emdm.sys [2008-01-12 100736]
S3 se3emgmt;Sony Ericsson Device 062 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\se3emgmt.sys [2008-01-12 92304]
S3 se3eobex;Sony Ericsson Device 062 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\se3eobex.sys [2008-01-12 90144]
S3 USBCamera;DV 4500(Still);c:\windows\system32\Drivers\Bulk536.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22b877e1-f54a-11da-9169-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eebaae4-9169-11dc-96d6-0016766753b2}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{518eedcd-7ec0-11dd-97db-0016766753b2}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-05 c:\windows\Tasks\At1.job
- c:\windows\system32\sTy5d28l.exe []

2008-11-24 c:\windows\Tasks\At10.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-06 c:\windows\Tasks\At11.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-06 c:\windows\Tasks\At12.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-06 c:\windows\Tasks\At13.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-06 c:\windows\Tasks\At14.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-06 c:\windows\Tasks\At15.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-07 c:\windows\Tasks\At16.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-07 c:\windows\Tasks\At17.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-07 c:\windows\Tasks\At18.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-10 c:\windows\Tasks\At19.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-05 c:\windows\Tasks\At2.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-11 c:\windows\Tasks\At20.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-10 c:\windows\Tasks\At21.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-10 c:\windows\Tasks\At22.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-14 c:\windows\Tasks\At23.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-07 c:\windows\Tasks\At24.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-05 c:\windows\Tasks\At25.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-05 c:\windows\Tasks\At26.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-05 c:\windows\Tasks\At27.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-05 c:\windows\Tasks\At28.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-05 c:\windows\Tasks\At29.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-05 c:\windows\Tasks\At3.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-05 c:\windows\Tasks\At30.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-05 c:\windows\Tasks\At31.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-05 c:\windows\Tasks\At32.job
- c:\windows\system32\4okcL6Pv.exe []

2008-10-31 c:\windows\Tasks\At33.job
- c:\windows\system32\4okcL6Pv.exe []

2008-11-24 c:\windows\Tasks\At34.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-06 c:\windows\Tasks\At35.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-06 c:\windows\Tasks\At36.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-06 c:\windows\Tasks\At37.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-06 c:\windows\Tasks\At38.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-06 c:\windows\Tasks\At39.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-05 c:\windows\Tasks\At4.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-07 c:\windows\Tasks\At40.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-07 c:\windows\Tasks\At41.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-07 c:\windows\Tasks\At42.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-10 c:\windows\Tasks\At43.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-11 c:\windows\Tasks\At44.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-10 c:\windows\Tasks\At45.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-10 c:\windows\Tasks\At46.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-14 c:\windows\Tasks\At47.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-07 c:\windows\Tasks\At48.job
- c:\windows\system32\4okcL6Pv.exe []

2008-12-05 c:\windows\Tasks\At5.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-05 c:\windows\Tasks\At6.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-05 c:\windows\Tasks\At7.job
- c:\windows\system32\sTy5d28l.exe []

2008-12-05 c:\windows\Tasks\At8.job
- c:\windows\system32\sTy5d28l.exe []

2008-10-31 c:\windows\Tasks\At9.job
- c:\windows\system32\sTy5d28l.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{100EB1FD-D03E-47FD-81F3-EE91287F9465} - c:\program files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
BHO-{87E68009-29A8-D669-F7C2-B31D08635C50} - c:\program files\ContextAdvisor\ContextAdvisor-1.dll
BHO-{99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - c:\windows\system32\1qmeN3Rx.dll
HKCU-Run-Nero PhotoShow Media Manager - c:\progra~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-eescu - c:\windows\system32\eescu.exe
HKLM-Run-Framework Windows - frmwrk32.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Lexmark X1100 Series - c:\program files\Lexmark X1100 Series\lxbkbmgr.exe
MSConfigStartUp-McafWelcome - c:\progra~1\mcafee.com\agent\mcwelcom.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=101676&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: &Search - ?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116} - c:\program files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - c:\program files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://sports.espn.go.com/mlb/index
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 16:16:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-12-14 16:22:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 21:22:32

Pre-Run: 50,284,679,168 bytes free
Post-Run: 50,583,711,744 bytes free

408 --- E O F --- 2008-12-11 00:07:17

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:01 PM

Posted 15 December 2008 - 10:03 AM

Now we're getting somewhere. :thumbsup:

Please uninstall these programs:

Ask Toolbar
Zumie Search




==============


Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\Tasks\At?.job
    c:\windows\Tasks\At??.job
    c:\program files\AskTBar
    c:\windows\system32\warning.gif
    c:\windows\system32\win32hlp.cnf
    c:\windows\system32\ahtn.htm
    c:\windows\system32\uniq.tll
    c:\windows\system32\test.ttt
    c:\program files\AskBarDis
    c:\program files\ZumieSearch
    
    :reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22b877e1-f54a-11da-9169-806d6172696f}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eebaae4-9169-11dc-96d6-0016766753b2}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Also post a new log from RSIT.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 T3rry

T3rry
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 15 December 2008 - 09:08 PM

OTMoveIt3 log:
========== FILES ==========
c:\windows\Tasks\At1.job moved successfully.
c:\windows\Tasks\At2.job moved successfully.
c:\windows\Tasks\At3.job moved successfully.
c:\windows\Tasks\At4.job moved successfully.
c:\windows\Tasks\At5.job moved successfully.
c:\windows\Tasks\At6.job moved successfully.
c:\windows\Tasks\At7.job moved successfully.
c:\windows\Tasks\At8.job moved successfully.
c:\windows\Tasks\At9.job moved successfully.
c:\windows\Tasks\At10.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At12.job moved successfully.
c:\windows\Tasks\At13.job moved successfully.
c:\windows\Tasks\At14.job moved successfully.
c:\windows\Tasks\At15.job moved successfully.
c:\windows\Tasks\At16.job moved successfully.
c:\windows\Tasks\At17.job moved successfully.
c:\windows\Tasks\At18.job moved successfully.
c:\windows\Tasks\At19.job moved successfully.
c:\windows\Tasks\At20.job moved successfully.
c:\windows\Tasks\At21.job moved successfully.
c:\windows\Tasks\At22.job moved successfully.
c:\windows\Tasks\At23.job moved successfully.
c:\windows\Tasks\At24.job moved successfully.
c:\windows\Tasks\At25.job moved successfully.
c:\windows\Tasks\At26.job moved successfully.
c:\windows\Tasks\At27.job moved successfully.
c:\windows\Tasks\At28.job moved successfully.
c:\windows\Tasks\At29.job moved successfully.
c:\windows\Tasks\At30.job moved successfully.
c:\windows\Tasks\At31.job moved successfully.
c:\windows\Tasks\At32.job moved successfully.
c:\windows\Tasks\At33.job moved successfully.
c:\windows\Tasks\At34.job moved successfully.
c:\windows\Tasks\At35.job moved successfully.
c:\windows\Tasks\At36.job moved successfully.
c:\windows\Tasks\At37.job moved successfully.
c:\windows\Tasks\At38.job moved successfully.
c:\windows\Tasks\At39.job moved successfully.
c:\windows\Tasks\At40.job moved successfully.
c:\windows\Tasks\At41.job moved successfully.
c:\windows\Tasks\At42.job moved successfully.
c:\windows\Tasks\At43.job moved successfully.
c:\windows\Tasks\At44.job moved successfully.
c:\windows\Tasks\At45.job moved successfully.
c:\windows\Tasks\At46.job moved successfully.
c:\windows\Tasks\At47.job moved successfully.
c:\windows\Tasks\At48.job moved successfully.
c:\program files\AskTBar\SrchAstt\1.bin moved successfully.
c:\program files\AskTBar\SrchAstt moved successfully.
c:\program files\AskTBar\PopSwatr\History moved successfully.
c:\program files\AskTBar\PopSwatr moved successfully.
c:\program files\AskTBar\bar\Settings moved successfully.
c:\program files\AskTBar\bar\History moved successfully.
c:\program files\AskTBar\bar\Cache moved successfully.
c:\program files\AskTBar\bar\1.bin moved successfully.
c:\program files\AskTBar\bar moved successfully.
c:\program files\AskTBar moved successfully.
c:\windows\system32\warning.gif moved successfully.
c:\windows\system32\win32hlp.cnf moved successfully.
c:\windows\system32\ahtn.htm moved successfully.
c:\windows\system32\uniq.tll moved successfully.
c:\windows\system32\test.ttt moved successfully.
File/Folder c:\program files\AskBarDis not found.
File/Folder c:\program files\ZumieSearch not found.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22b877e1-f54a-11da-9169-806d6172696f}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eebaae4-9169-11dc-96d6-0016766753b2}\\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\\{9CB65206-89C4-402c-BA80-02D8C59F9B1D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CB65206-89C4-402c-BA80-02D8C59F9B1D}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{3041d03e-fd4b-44e0-b742-2d9b88305f98} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser\\{3041D03E-FD4B-44E0-B742-2D9B88305F98} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ not found.
Registry key HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_J9NvGbJzDjNs0SaKFmjJ scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\trace.txt scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\tricon-aol.txt scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF41A7.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12152008_205627

Files moved on Reboot...
File C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_J9NvGbJzDjNs0SaKFmjJ not found!
C:\DOCUME~1\Owner\LOCALS~1\Temp\trace.txt moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\tricon-aol.txt moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF41A7.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ond87fz7.default\urlclassifier3.sqlite moved successfully.

RSIT post next.

#10 T3rry

T3rry
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 15 December 2008 - 09:12 PM

RSIT log.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-12-15 21:09:03
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 48 GB (53%) free of 91 GB
Total RAM: 879 MB (54% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:24 PM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\GamingSquared\Gaming2\G2.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Speeditup Free\SpeedItUp.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101676&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [G2] "C:\Program Files\GamingSquared\Gaming2\G2.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158197421515
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9300 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-08-08 308856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-12-04 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll [2008-03-25 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
AOL Toolbar Launcher - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 524288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
(Gaming)2 - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll [2008-03-03 635392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}]
Ask Search Assistant BHO - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-08 734704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}]
Ask Toolbar BHO - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 524288]
{FE063DB9-4EC0-403e-8DD8-394C54984B2C} - Ask Toolbar - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL []
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 32768]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe [2008-03-25 144784]
"G2"=C:\Program Files\GamingSquared\Gaming2\G2.exe [2008-03-03 1215664]
"AIMPro"=C:\Program Files\AIM\AIM Pro\aimpro.exe [2007-10-09 5043528]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-08-08 185896]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-09-22 14854144]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-12-04 1261336]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"AIMPro"=C:\Program Files\AIM\AIM Pro\aimpro.exe [2007-10-09 5043528]
"SpeedItUpEX"=C:\Program Files\Speeditup Free\SpeedItUp.exe [2008-06-09 2275328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1180297048\ee\AOLSoftware.exe [2006-04-13 50792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe [2008-08-08 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-07-19 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
C:\PROGRA~1\Metacafe\METACA~1.EXE /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Metacafe.lnk]
C:\PROGRA~1\Metacafe\METACA~1.EXE /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2
"MpfService"=3
"mcupdmgr.exe"=3
"McTskshd.exe"=2
"McShield"=2
"McDetect.exe"=2

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-01-15 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AIM\AIM Pro\aimpro.exe"="C:\Program Files\AIM\AIM Pro\aimpro.exe:*:Enabled:AIM Pro"
"C:\Program Files\Common Files\AOL\1180297048\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1180297048\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{518eedcd-7ec0-11dd-97db-0016766753b2}]
shell\AutoRun\command - F:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2008-12-15 20:57:07 ----SHD---- C:\RECYCLER
2008-12-15 20:56:27 ----D---- C:\_OTMoveIt
2008-12-14 16:22:57 ----D---- C:\WINDOWS\temp
2008-12-14 16:22:55 ----A---- C:\ComboFix.txt
2008-12-14 16:03:51 ----A---- C:\WINDOWS\zip.exe
2008-12-14 16:03:51 ----A---- C:\WINDOWS\VFIND.exe
2008-12-14 16:03:51 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-14 16:03:51 ----A---- C:\WINDOWS\SWSC.exe
2008-12-14 16:03:51 ----A---- C:\WINDOWS\SWREG.exe
2008-12-14 16:03:51 ----A---- C:\WINDOWS\sed.exe
2008-12-14 16:03:51 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-14 16:03:51 ----A---- C:\WINDOWS\grep.exe
2008-12-14 16:03:51 ----A---- C:\WINDOWS\fdsv.exe
2008-12-14 16:03:41 ----D---- C:\WINDOWS\ERDNT
2008-12-14 16:03:41 ----D---- C:\Qoobox
2008-12-12 20:16:04 ----D---- C:\WINDOWS\ERUNT
2008-12-11 07:51:04 ----D---- C:\rsit
2008-12-11 07:51:04 ----D---- C:\Program Files\trend micro
2008-12-10 19:07:14 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-10 19:03:48 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 19:01:55 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-10 19:01:35 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-09 19:32:23 ----D---- C:\Program Files\iPod
2008-12-09 19:32:19 ----D---- C:\Program Files\iTunes
2008-12-09 19:32:19 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-09 19:30:36 ----D---- C:\Program Files\QuickTime
2008-12-07 11:43:14 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-05 21:11:55 ----HD---- C:\$AVG8.VAULT$
2008-12-04 20:55:33 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-12-04 20:55:15 ----D---- C:\Program Files\AVG
2008-12-04 20:55:15 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-11-30 00:01:22 ----D---- C:\Documents and Settings\Owner\Application Data\MSNInstaller
2008-11-25 20:10:03 ----A---- C:\WINDOWS\system32\ptpusb.dll
2008-11-25 20:10:01 ----A---- C:\WINDOWS\system32\ptpusd.dll

======List of files/folders modified in the last 1 months======

2008-12-15 21:02:47 ----D---- C:\Program Files\Mozilla Firefox
2008-12-15 21:00:41 ----D---- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-12-15 21:00:27 ----D---- C:\WINDOWS\system32\Lang
2008-12-15 20:59:54 ----D---- C:\WINDOWS\system32
2008-12-15 20:58:25 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-15 20:56:28 ----RD---- C:\Program Files
2008-12-15 20:56:27 ----SD---- C:\WINDOWS\Tasks
2008-12-14 16:23:01 ----D---- C:\WINDOWS\system32\drivers
2008-12-14 16:22:57 ----D---- C:\WINDOWS
2008-12-14 16:17:13 ----A---- C:\WINDOWS\system.ini
2008-12-14 16:15:06 ----D---- C:\WINDOWS\system32\config
2008-12-14 16:12:36 ----D---- C:\WINDOWS\AppPatch
2008-12-14 16:12:36 ----D---- C:\Program Files\Common Files
2008-12-12 20:25:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-11 07:36:59 ----D---- C:\Documents and Settings
2008-12-10 19:07:17 ----HD---- C:\WINDOWS\inf
2008-12-10 19:06:48 ----A---- C:\WINDOWS\win.ini
2008-12-10 19:06:41 ----SHD---- C:\WINDOWS\Installer
2008-12-10 19:06:06 ----A---- C:\WINDOWS\imsins.BAK
2008-12-10 19:06:00 ----D---- C:\Program Files\Internet Explorer
2008-12-10 19:05:47 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-10 19:05:47 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-10 19:02:00 ----D---- C:\WINDOWS\Prefetch
2008-12-10 17:59:22 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-09 19:30:16 ----D---- C:\Program Files\Common Files\Apple
2008-12-09 18:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-07 11:41:14 ----D---- C:\Documents and Settings\Owner\Application Data\U3
2008-12-06 17:44:05 ----D---- C:\Program Files\LimeWire
2008-12-06 17:26:18 ----D---- C:\Program Files\ContextAdvisor
2008-12-05 20:49:40 ----D---- C:\WINDOWS\system32\LogFiles
2008-12-04 00:20:24 ----A---- C:\WINDOWS\OEWABLog.txt
2008-12-03 23:49:16 ----A---- C:\WINDOWS\system32\userinit.exe
2008-12-03 21:56:02 ----D---- C:\Documents and Settings\Owner\Application Data\FrostWire
2008-11-30 11:52:39 ----D---- C:\Program Files\FrostWire
2008-11-30 11:52:09 ----D---- C:\Documents and Settings\Owner\Application Data\zweitgeist
2008-11-30 00:10:04 ----D---- C:\WINDOWS\Downloaded Installations
2008-11-30 00:10:04 ----D---- C:\Documents and Settings\Owner\Application Data\Teleca
2008-11-30 00:09:37 ----D---- C:\Program Files\Common Files\Teleca Shared
2008-11-30 00:08:39 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-30 00:01:23 ----D---- C:\Program Files\MSN
2008-11-30 00:01:09 ----D---- C:\Program Files\Image-Line
2008-11-30 00:00:42 ----D---- C:\Program Files\DivX
2008-11-26 23:46:39 ----A---- C:\WINDOWS\system32\winlogon.exe
2008-11-26 23:46:39 ----A---- C:\WINDOWS\system32\termsrv.dll
2008-11-20 14:51:07 ----D---- C:\Program Files\weblin
2008-11-19 14:52:03 ----A---- C:\DTSHDSpOut.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-12-04 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-12-04 26824]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-12-04 76040]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2006-12-25 8413]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-09-23 1094751]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-01-15 1477632]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-23 3966976]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-01-18 80512]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2008-04-13 42752]
S2 Ca536av;DV 4500(Video); C:\WINDOWS\System32\Drivers\Ca536av.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 se3ebus;Sony Ericsson Device 062 (WDM); C:\WINDOWS\system32\DRIVERS\se3ebus.sys [2006-11-07 66656]
S3 se3emdfl;Sony Ericsson Device 062 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\se3emdfl.sys [2006-11-07 9392]
S3 se3emdm;Sony Ericsson Device 062 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\se3emdm.sys [2006-11-07 100736]
S3 se3emgmt;Sony Ericsson Device 062 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\se3emgmt.sys [2006-11-07 92304]
S3 se3eobex;Sony Ericsson Device 062 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\se3eobex.sys [2006-11-07 90144]
S3 se58bus;Sony Ericsson Device 088 driver (WDM); C:\WINDOWS\system32\DRIVERS\se58bus.sys [2006-09-05 61536]
S3 se58mdfl;Sony Ericsson Device 088 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\se58mdfl.sys [2006-09-05 9360]
S3 se58mdm;Sony Ericsson Device 088 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\se58mdm.sys [2006-09-05 97088]
S3 se58mgmt;Sony Ericsson Device 088 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\se58mgmt.sys [2006-09-05 88624]
S3 se58nd5;Sony Ericsson Device 088 USB Ethernet Emulation SEMC58 (NDIS); C:\WINDOWS\system32\DRIVERS\se58nd5.sys [2006-09-05 18704]
S3 se58obex;Sony Ericsson Device 088 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\se58obex.sys [2006-09-05 86432]
S3 se58unic;Sony Ericsson Device 088 USB Ethernet Emulation SEMC58 (WDM); C:\WINDOWS\system32\DRIVERS\se58unic.sys [2006-09-05 90800]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 USBCamera;DV 4500(Still); C:\WINDOWS\System32\Drivers\Bulk536.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-01-15 405504]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-12-04 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-12-04 231704]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-06-06 172032]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2006-01-26 520192]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-08-01 654848]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-14 145184]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2003-04-04 77824]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

Thanks again.

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:01 PM

Posted 16 December 2008 - 10:37 AM

Copy the text below into OTMoveit3 and click MoveIt just like you did before.

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{FE063DB9-4EC0-403e-8DD8-394C54984B2C}=-



How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 T3rry

T3rry
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 16 December 2008 - 09:24 PM

:thumbsup:

Things seem quite normal...I'm extremely pleased!

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{FE063DB9-4EC0-403e-8DD8-394C54984B2C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12162008_212007

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:01 PM

Posted 17 December 2008 - 09:59 AM

Excellent! :)

Just a few last things and you should be good to go! :)


Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Posted Image



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 T3rry

T3rry
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 17 December 2008 - 08:49 PM

All is good...thanks again.

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:01 PM

Posted 18 December 2008 - 10:04 AM

I'm glad I could help you out! :thumbsup:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users