Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

explorer.exe at 99 CPU - HJT Log included


  • This topic is locked This topic is locked
12 replies to this topic

#1 PixelPlay

PixelPlay

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 PM

Posted 03 April 2009 - 07:21 AM

explorer.exe has hit 99 CPU and is causing 100% CPU usage this is the first time I've encountered this.

I haven't scanned my computer with anything yet.

I use these programs to protect my system frequently: Avira AntiVir, Malwarebytes Anti-Malware, Spybot Search & Destroy, SUPERAntiSpyware
I also have Ad-Aware and SpywareBlaster but I do not use those frequently.

Any help as soon as possible is greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:07 AM, on 4/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\taskmgr.exe
L:\FirefoxPortable\FirefoxPortable.exe
L:\FirefoxPortable\App\firefox\firefox.exe
C:\Program Files\trend micro\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {16A6B9AD-E30C-421D-BC7C-9762DB80A411} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {50EA1CF4-844B-488C-9BCB-9CF61F01C48B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72DA05E9-6318-4472-85BA-D7905BFE250E} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {845324B4-4AF5-4B1A-8AE5-B410D81A00C8} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {C1D3DB59-AE8F-4552-9E36-38AC6D96081E} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.28/harv...t-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.2.5.28/mahj...g-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.2.5.28/flin...r-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.2.4.23/popf...u-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.5.28/whac...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.5.28/word...g-ob-assets.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9008 bytes

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:46 PM

Posted 11 April 2009 - 04:28 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 PixelPlay

PixelPlay
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 PM

Posted 11 April 2009 - 11:53 PM

Hi Orange Blossom thank you so much for your response!

Description:
A few days back explorer.exe was running super high taking about 100% CPU usage and I couldn't open anything. This has happened a few times before but has since happened I'm coming here to make sure everything is in order on my computer.

I just recently updated and scanned with Spybot - Search & Destroy to my surprise it found Smitfraud-C!!
There were 2 instances found on my profile and on my mom's.
It could delete the one on my profile and told me to restart and let it run on start up. After letting it scan at start up it said that it had gotten rid of the Smitfraud-C but I feel as if something might be still around.

Right now I have updated and currently scanning with Malwarebytes Anti-Malware. I believe I scanned once before after posting this thread but it confirmed that it didn't detect anything.

I have Avira AntiVir Personal and I do not have any other firewall other than the one Windows XP came with. I am looking into getting a third party firewall so I'd like to be recommended one.

Edit: Also both my mom and I use Firefox Portable version 1.6.3.0 - Firefox version 3.0.7 equipped with the add-ons AdBlock Plus, NoScript, and WOT Web of Trust to better protect us against viruses and such.


DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Keo at 21:33:39.14 on Sat 04/11/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.243 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Keo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: {16A6B9AD-E30C-421D-BC7C-9762DB80A411} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {50EA1CF4-844B-488C-9BCB-9CF61F01C48B} - No File
BHO: {72DA05E9-6318-4472-85BA-D7905BFE250E} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {845324B4-4AF5-4B1A-8AE5-B410D81A00C8} - No File
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: {C1D3DB59-AE8F-4552-9E36-38AC6D96081E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Harvest Mania by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/harvest/harvest-ob-assets.cab
DPF: Mah Jong Garden by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/mahjong/mahjong-ob-assets.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/flinger/flinger-ob-assets.cab
DPF: Pop Fu by pogo - hxxp://game1.pogo.com/applet-6.2.4.23/popfu/popfu-ob-assets.cab
DPF: Word Whomp Whackdown by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/whackdown/whackdown-ob-assets.cab
DPF: WordJong by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/wordjong/wordjong-ob-assets.cab
DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssttt.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-11-6 11840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-11-6 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-11-6 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-11-6 52032]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-2-13 20608]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-5 33752]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-2-13 477696]

=============== Created Last 30 ================

2009-03-14 01:22 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-26 21:20 6,632 a------- c:\docume~1\keo\applic~1\wklnhst.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2006-12-12 12:19 1,528 a------- c:\program files\main.ini
2005-06-12 23:07 0 ac-sh--- c:\windows\sminst\HPCD.sys
2008-09-05 03:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 21:34:24.23 ===============

Attached Files


Edited by PixelPlay, 12 April 2009 - 12:19 AM.


#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:46 AM

Posted 13 April 2009 - 09:21 AM

Hi PixelPlay,

There seems to be signs of non-wanted things left there. Let's try to move those too :thumbup2:


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 PixelPlay

PixelPlay
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 PM

Posted 13 April 2009 - 07:42 PM

Hello Blade81 and thank you so much for coming to my rescue!

Geez I've never been instructed to use ComboFix before I hope it isn't that terrible.

I noticed that my Internet Explorer icon has reappeared on my desktop I'm suspecting this was done by ComboFix?
I actually removed that myself as the users on this computer do not use Internet Explorer to access the internet to free room on the desktop.

EDIT: Also I noticed that there are instances of AOL still on my system that I uninstalled a long while back. Not that it's a big surprise since I found out AOL is hard to remove but is there a guide you might recommend to completely remove it?

ComboFix.txt
- - - - -


ComboFix 09-04-13.A2 - Keo 2009-04-13 17:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.229 [GMT -7:00]
Running from: c:\documents and settings\Keo\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\isgTi19
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\accessories\cup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\accessories\customer_cup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\accessories\heart.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\accessories\menu_down.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\accessories\menu_up.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\accessories\plates.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\accessories\ticket.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\accessories\tray.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_bring_check_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_deliver_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_deliver_order_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_diner.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_food_ready_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_gain_heart_1.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_get_drinks_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_party_arrive_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_pencil_write_2.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_pickup_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_rollover_1.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_seat_people_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\choosedifficulty.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\credits.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\flo_lose.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\flo_win.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\help1.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\help2.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\highscores.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\levelintro.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\levelintro_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\levelover.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\levelover_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\popup.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\popup_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\upgradegrid.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\upgradetitle.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\upsell.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\arrowleft_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\arrowleft_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\arrowright_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\arrowright_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\back_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\back_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\backchalk.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\backchalkup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\backtomenu_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\backtomenu_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\cancel.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\cancelup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\career.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\career_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\close.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\closeup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\continue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\continueover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\credits_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\credits_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\download_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\download_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\easy.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\easy_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\endlessshift.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\endlessshift_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\hard.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\hard_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\help.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\help_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\highscores.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\highscores_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\instructions_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\instructions_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\letsplay.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\letsplayover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\medium.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\medium_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\moreinfo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\moreinfoup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\off.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\off_on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\on_on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\pause.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\pauseover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\quit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\quitgame.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\quitgameover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\quitover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\resumegame.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\resumegameover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\submit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\submitup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\tryagain.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\tryagainover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\upgrade_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\upgrade_up.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\viewglobal.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\viewglobalup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\viewhighscore.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\viewhighscoreon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\viewlocal.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\viewlocalup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\comics\webcomic.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\config\career.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\config\customer.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\config\endless.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\config\global.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\config\powerups.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\cook\cook.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\cook\cook.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\cook\stove.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\cursor\arrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\cursor\click.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\cursor\click2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\cursor\grab.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\cursor\open.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\blue\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\blue\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\blue\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\green\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\green\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\green\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\purple\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\purple\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\purple\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\red\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\red\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\red\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\yellow\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\yellow\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\yellow\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\blue\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\blue\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\blue\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\green\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\green\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\green\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\purple\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\purple\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\purple\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\red\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\red\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\red\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\yellow\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\yellow\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\yellow\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\flo\idle.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\flo\idle.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\flo\lower.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\flo\lower.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\flo\upper.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\flo\upper.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\fonts\arial.mvec
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\fonts\komikaaxis.mvec
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\chair.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\chair.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\dirt2top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\dirt4top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\dishcart.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\dishcart.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\drinkstation_off.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\drinkstation_on1.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\drinkstation_on2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\ticketstation.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\ticketstation.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\arrowdown.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\arrowdownon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\arrowleft.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\arrowlefton.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\arrowright.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\arrowrighton.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\arrowup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\arrowupon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\p1icon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\textedit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\title.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_1.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_1_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_1_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_1_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_2.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_2_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_2_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_2_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_2_d.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_3.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_3_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_3_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_3_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\endless_1_3_d.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\fifth_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\first_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\fourth_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\layouts\second_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\playfirst_logo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\background.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\food\food1.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\food\food1.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\food\food2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\food\food2.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\food\food3.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\food\food3.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\frames\upgrade_0001.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\tables\2top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\tables\2top.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\tables\4top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\tables\4top.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\upgrades.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\tableshadow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\choosedifficulty.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\chooseplayer.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\chooserestaurant.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\credits.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\game.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\gothighscore.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\help.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\help2.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\hiscore.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\hiscoreinfo.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\hiscoresubmit.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\levelintro.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\levelover.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\loading.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\mainloop.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\mainmenu.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\ok.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\pause.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\style.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\tutorialintro.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\upgrade.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\upsell.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\webcomic.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\scripts\yesno.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\splash\aol_logo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\splash\gamelabsplash.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\strings.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\angersmoke.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\angersmoke.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\chairflags.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\chairflags.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\check.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\checkmark.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\clock.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\closed.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\closingtime.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\coinflip.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\coinflip.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\dollar.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\doodles\coffee.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\doodles\tables.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\doodles\wallpaper.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\expert.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\expertscore.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\foodpoof.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\foodpoof.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\fork_timer.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\goalcompleted.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\heartgrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\heartgrow.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\jar.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\jar.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\level.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\level_career.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\score.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\sound.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\staroff.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\staron.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\tablenumber.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\tablenumberup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\traynumber.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\tutorial_character.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\tutorialarrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\tutorialbox.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\upgradeanim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\upgradeanim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\upgrades\drinks.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\upgrades\maitred.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\upgrades\oven.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\upgrades\select.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\upgrades\shoes.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\upgrades\stereo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\assets\ui\upgrades\table.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.72\dinerdash.exe
c:\windows\system32\_000006_.tmp.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 21:06 . 2008-08-18 08:47 -------- d-----w c:\documents and settings\Keo\Application Data\gtk-2.0
2009-04-07 05:44 . 2008-12-22 21:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 22:32 . 2008-12-22 21:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-12-22 21:52 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 12:05 . 2009-01-03 09:10 -------- d-----w c:\program files\trend micro
2009-04-01 05:22 . 2005-01-20 23:18 -------- d-----w c:\program files\Java
2009-03-30 00:49 . 2008-03-01 21:41 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-27 04:20 . 2005-06-16 22:33 6632 ----a-w c:\documents and settings\Keo\Application Data\wklnhst.dat
2009-03-23 10:08 . 2009-01-11 05:47 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-14 03:31 . 2008-02-22 19:19 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-14 03:30 . 2008-02-22 19:19 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 19:41 . 2005-07-17 02:29 -------- d-----w c:\program files\Common Files\Adobe
2009-03-12 08:24 . 2009-03-12 08:24 268 ---ha-w C:\sqmdata01.sqm
2009-03-12 08:24 . 2009-03-12 08:24 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-09 12:19 . 2009-01-05 16:43 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-01 23:12 . 2009-03-01 23:02 -------- d-----w c:\documents and settings\Owner\Application Data\Amazon
2009-03-01 23:12 . 2009-03-01 23:00 -------- d-----w c:\program files\Amazon
2009-02-22 00:58 . 2009-01-11 05:47 -------- d-----w c:\program files\SpywareBlaster
2009-02-16 19:45 . 2005-06-13 18:43 49608 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 11:13 . 2004-08-26 16:12 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-25 08:38 . 2005-06-16 22:33 49608 -c--a-w c:\documents and settings\Keo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-17 21:15 . 2008-08-28 04:02 0 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\prvlcl.dat
2008-08-22 16:27 . 2005-07-16 22:04 152 -c--a-w c:\documents and settings\Guest\Application Data\wklnhst.dat
2008-08-22 14:55 . 2005-07-16 22:05 43392 -c--a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-07 07:21 . 2005-06-13 18:43 1574 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-04-09 22:21 . 2008-04-09 22:21 128 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2008-02-14 20:31 . 2008-02-14 20:31 128 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2006-12-12 19:19 . 2006-12-12 19:19 1528 ----a-w c:\program files\main.ini
2006-02-12 08:13 . 2006-02-12 08:13 126 -c--a-w c:\documents and settings\Keo\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-29 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-20 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" [2004-07-12 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-01-20 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-10 22:32 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2005-06-08 20608]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-29 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b090ad61-6b37-11d9-9c11-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
- - - - ORPHANS REMOVED - - - -

BHO-{16A6B9AD-E30C-421D-BC7C-9762DB80A411} - (no file)
BHO-{50EA1CF4-844B-488C-9BCB-9CF61F01C48B} - (no file)
BHO-{72DA05E9-6318-4472-85BA-D7905BFE250E} - (no file)
BHO-{845324B4-4AF5-4B1A-8AE5-B410D81A00C8} - (no file)
BHO-{C1D3DB59-AE8F-4552-9E36-38AC6D96081E} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
DPF: Harvest Mania by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/harvest/harvest-ob-assets.cab
DPF: Mah Jong Garden by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/mahjong/mahjong-ob-assets.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/flinger/flinger-ob-assets.cab
DPF: Pop Fu by pogo - hxxp://game1.pogo.com/applet-6.2.4.23/popfu/popfu-ob-assets.cab
DPF: Word Whomp Whackdown by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/whackdown/whackdown-ob-assets.cab
DPF: WordJong by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/wordjong/wordjong-ob-assets.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 17:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2325555270-2408979141-2192592470-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3576)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-13 17:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-14 00:17

Pre-Run: 105,262,071,808 bytes free
Post-Run: 105,268,678,656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

462 --- E O F --- 2009-03-13 04:52



DDS.txt
- - - - -



DDS (Ver_09-03-16.01) - NTFSx86
Run by Keo at 17:35:26.32 on Mon 04/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.283 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Keo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: {16A6B9AD-E30C-421D-BC7C-9762DB80A411} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {50EA1CF4-844B-488C-9BCB-9CF61F01C48B} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {72DA05E9-6318-4472-85BA-D7905BFE250E} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {845324B4-4AF5-4B1A-8AE5-B410D81A00C8} - No File
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: {C1D3DB59-AE8F-4552-9E36-38AC6D96081E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Harvest Mania by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/harvest/harvest-ob-assets.cab
DPF: Mah Jong Garden by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/mahjong/mahjong-ob-assets.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/flinger/flinger-ob-assets.cab
DPF: Pop Fu by pogo - hxxp://game1.pogo.com/applet-6.2.4.23/popfu/popfu-ob-assets.cab
DPF: Word Whomp Whackdown by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/whackdown/whackdown-ob-assets.cab
DPF: WordJong by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/wordjong/wordjong-ob-assets.cab
DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-11-6 11840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-11-6 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-11-6 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-11-6 52032]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-2-13 20608]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-5 33752]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-2-13 477696]

=============== Created Last 30 ================

2009-04-13 17:07 <DIR> a-dshr-- C:\cmdcons
2009-04-13 17:03 161,792 a------- c:\windows\SWREG.exe
2009-04-13 17:03 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-26 21:20 6,632 a------- c:\docume~1\keo\applic~1\wklnhst.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2006-12-12 12:19 1,528 a------- c:\program files\main.ini
2005-06-12 23:07 0 ac-sh--- c:\windows\sminst\HPCD.sys
2008-09-05 03:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 17:36:08.40 ===============

Edited by PixelPlay, 13 April 2009 - 07:46 PM.


#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:46 AM

Posted 14 April 2009 - 07:46 AM

Hi

Yes, that IE icon was placed there by CF.

Let's see what can be done to AOL.

Uninstall AOL related things (those with AOL name mentioned) thru add/remove programs.

Uninstall also vulnerable Java 2 Runtime Environment, SE v1.4.2.


Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\program files\Common Files\AOL
c:\program files\AOL Toolbar

DDS::
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: {16A6B9AD-E30C-421D-BC7C-9762DB80A411} - No File
BHO: {50EA1CF4-844B-488C-9BCB-9CF61F01C48B} - No File
BHO: {72DA05E9-6318-4472-85BA-D7905BFE250E} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {845324B4-4AF5-4B1A-8AE5-B410D81A00C8} - No File
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: {C1D3DB59-AE8F-4552-9E36-38AC6D96081E} - No File
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AOLDialer"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Edited by Blade81, 14 April 2009 - 07:47 AM.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 PixelPlay

PixelPlay
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 PM

Posted 15 April 2009 - 02:20 AM

Hello thank you for your timely response. :]

EDIT: Before I get to your instructions, I've noticed that when I boot up my computer before it boots into Windows XP it give me a black screen that gives me these 2 options: Recovery Console or Windows XP. It stays like that for a couple seconds then automatically boots into Windows XP without a response from me. Is this normal since I had a Recovery Console installed with ComboFix?

I uninstalled AOL Toolbar and AOL You Got Pictures Screen Saver.
I also uninstalled the Java 2 Runtime Environment, SE v1.4.2 and it had me reboot my system. I was sort of wondering what to do about it since it's outdated.

Did the ComboFix thing and I encountered a couple of issues.

While ComboFix was running "pv.cfexe" apparently crashed I guess you could call it; you know when you're prompted to decide whether to send Windows a report or something like that. This happened twice while ComboFix was running. I selected "Send Report" both times.

Also, while ComboFix was running, I wasn't aware that SUPERAntiSpyware actively runs, it popped up and said that my homepage was changed to "http://go.microsoft.com/fwlink/?LinkID=69157" and asked whether to allow or not. I selected "Allow" because I'm thinking ComboFix was responsible for this?
I myself changed the homepage of Internet Explorer to "about:blank" because it takes forever when I [rarely] open it, especially when it tries to connect to a webpage.

ATF-Cleaner freed 6,400KB.

ATF-Cleaner doesn't recognize Firefox I believe it is because users on this computer use Firefox Portable from PortableApps.com on 2 separate USB drives. Will this be an issue?

The Kasperky Online Scanner came up with nothing.

EDIT: I also had an issue after running DDS. When I started to reactivate my protection Spybot Search & Destroy TeaTimer gave me this dialog box that said something along the lines of "Confirm ... skip all changes while TeaTimer was disabled? This can be dangerous, do not answer "Yes" ... instructed as part of malware removal help to do so." I selected "No".

Thank you so much for your help!

By the way would you like me to attach logs or plainly post them?
- - - - - - - - - -

ComboFix 09-04-15.06 - Keo 04/14/2009 20:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.218 [GMT -7:00]
Running from: c:\documents and settings\Keo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Keo\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\AOL
c:\program files\Common Files\AOL\AOL Spyware Protection\Update\aspupdate_us.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\backup.ini
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acscore.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\AcsInstA.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\AcsInstC.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acslang.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acsshutd.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\afixinst.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\afixlang.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\alsetup.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\ecuchk.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\ecuinst.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\eestart.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\instSup.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\iphinst.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\muinst.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\nmnetdet.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\nmntdtck.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\ocfcheck.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\ocpchk.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\ocpinst.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\sminstlp.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\stmninst.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\tbinst.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\tbsetup.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\wsfinst.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\wsfixchk.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\gui.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\gui.ini
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\instph.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\instSup.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\post.ini
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\postproc.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\ProgUpd.dll
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\rbm.bin
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\setup.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\Suite\setup.ini
c:\program files\Common Files\AOL\Backup\ACS\Rollback\US\acslang.exe
c:\program files\Common Files\AOL\Backup\ACS\Rollback\US\acssetup.exe
c:\program files\Common Files\AOL\Screensaver\uninst_ygpss.EXE
c:\program files\Common Files\AOL\System Information\acsconn.sim
c:\program files\Common Files\AOL\System Information\acsnetwork.sim
c:\program files\Common Files\AOL\System Information\iecutil.dll
c:\program files\Common Files\AOL\System Information\MFC71.dll
c:\program files\Common Files\AOL\System Information\modems.sim
c:\program files\Common Files\AOL\System Information\sinf.exe
c:\program files\Common Files\AOL\System Information\sinfcmn.dll
c:\program files\Common Files\AOL\System Information\summary.sim
c:\program files\Common Files\AOL\System Information\sysres.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-14 21:02 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 21:02 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 21:02 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 21:02 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 21:02 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 21:02 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 21:02 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 21:02 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 21:02 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 21:01 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 21:01 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 21:01 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 03:40 . 2005-01-20 23:18 -------- d-----w c:\program files\Java
2009-04-15 03:39 . 2006-05-19 07:01 -------- d-----w c:\program files\Yahoo!
2009-04-15 03:39 . 2008-03-01 23:39 -------- d-----w c:\program files\Lavasoft
2009-04-13 21:06 . 2008-08-18 08:47 -------- d-----w c:\documents and settings\Keo\Application Data\gtk-2.0
2009-04-07 05:44 . 2008-12-22 21:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 22:32 . 2008-12-22 21:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-12-22 21:52 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 12:05 . 2009-01-03 09:10 -------- d-----w c:\program files\trend micro
2009-03-30 00:49 . 2008-03-01 21:41 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-27 04:20 . 2005-06-16 22:33 6632 ----a-w c:\documents and settings\Keo\Application Data\wklnhst.dat
2009-03-23 10:08 . 2009-01-11 05:47 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-14 03:31 . 2008-02-22 19:19 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-14 03:30 . 2008-02-22 19:19 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 19:41 . 2005-07-17 02:29 -------- d-----w c:\program files\Common Files\Adobe
2009-03-12 08:24 . 2009-03-12 08:24 268 ---ha-w C:\sqmdata01.sqm
2009-03-12 08:24 . 2009-03-12 08:24 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-09 12:19 . 2009-01-05 16:43 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-26 16:12 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-26 16:12 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 23:12 . 2009-03-01 23:02 -------- d-----w c:\documents and settings\Owner\Application Data\Amazon
2009-02-22 00:58 . 2009-01-11 05:47 -------- d-----w c:\program files\SpywareBlaster
2009-02-20 18:09 . 2004-08-26 16:11 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-16 19:45 . 2005-06-13 18:43 49608 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2004-08-26 16:11 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-26 16:12 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-26 16:12 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-26 16:11 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-26 16:12 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-26 16:12 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-26 16:12 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-26 16:12 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-26 16:12 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-25 08:38 . 2005-06-16 22:33 49608 -c--a-w c:\documents and settings\Keo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-17 21:15 . 2008-08-28 04:02 0 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\prvlcl.dat
2008-08-22 16:27 . 2005-07-16 22:04 152 -c--a-w c:\documents and settings\Guest\Application Data\wklnhst.dat
2008-08-22 14:55 . 2005-07-16 22:05 43392 -c--a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-07 07:21 . 2005-06-13 18:43 1574 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-04-09 22:21 . 2008-04-09 22:21 128 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2008-02-14 20:31 . 2008-02-14 20:31 128 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2006-12-12 19:19 . 2006-12-12 19:19 1528 ----a-w c:\program files\main.ini
2006-02-12 08:13 . 2006-02-12 08:13 126 -c--a-w c:\documents and settings\Keo\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-13_17.15.41.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 03:42 . 2009-04-15 03:42 16384 c:\windows\Temp\Perflib_Perfdata_580.dat
+ 2005-06-30 01:06 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2005-06-30 01:06 . 2007-07-27 16:41 26488 c:\windows\system32\spupdsvc.exe
- 2008-10-17 19:17 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
+ 2008-10-17 19:17 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2004-08-26 16:12 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2004-08-26 16:12 . 2009-02-06 10:39 35328 c:\windows\system32\sc.exe
+ 2004-08-26 16:12 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 44544 c:\windows\system32\pngfilt.dll
- 2004-08-26 16:12 . 2009-03-08 16:10 66126 c:\windows\system32\perfc009.dat
+ 2004-08-26 16:12 . 2009-04-15 03:36 66126 c:\windows\system32\perfc009.dat
+ 2004-08-26 18:00 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
- 2004-08-26 18:00 . 2008-04-14 00:12 91648 c:\windows\system32\mtxoci.dll
- 2004-08-26 16:12 . 2008-04-14 00:12 66560 c:\windows\system32\mtxclu.dll
+ 2004-08-26 16:12 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
+ 2006-11-08 05:03 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
- 2006-11-08 05:03 . 2008-12-20 23:15 52224 c:\windows\system32\msfeedsbs.dll
+ 2004-08-26 18:00 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
- 2004-08-26 18:00 . 2008-04-14 00:11 58880 c:\windows\system32\msdtclog.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 27648 c:\windows\system32\jsproxy.dll
- 2006-11-07 11:26 . 2008-12-19 09:10 13824 c:\windows\system32\ieudinit.exe
+ 2006-11-07 11:26 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
- 2004-08-26 16:11 . 2008-12-20 23:15 44544 c:\windows\system32\iernonce.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 78336 c:\windows\system32\ieencode.dll
+ 2004-08-26 16:11 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
- 2004-08-26 16:11 . 2008-12-19 09:10 70656 c:\windows\system32\ie4uinit.exe
- 2006-10-17 19:58 . 2008-12-20 23:15 63488 c:\windows\system32\icardie.dll
+ 2006-10-17 19:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
+ 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2004-08-26 16:12 . 2009-02-06 10:39 35328 c:\windows\system32\dllcache\sc.exe
- 2004-08-26 16:12 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
- 2007-05-09 23:40 . 2008-12-20 23:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-09 23:40 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2007-05-09 23:40 . 2008-12-19 09:10 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2007-05-09 23:40 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2004-08-26 16:11 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-26 16:11 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2004-08-26 16:11 . 2008-12-19 09:10 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
- 2007-08-20 10:04 . 2008-12-20 23:15 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 52224 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 27648 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
+ 2009-04-14 21:42 . 2008-12-19 09:10 13824 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
+ 2009-04-14 21:42 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
+ 2009-04-14 21:42 . 2008-04-14 00:11 81920 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
+ 2009-04-14 21:42 . 2008-12-19 09:10 70656 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
+ 2009-04-14 21:42 . 2008-12-20 23:15 63488 c:\windows\ie7updates\KB963027-IE7\icardie.dll
+ 2009-04-14 21:01 . 2008-05-03 11:55 2560 c:\windows\system32\xpsp4res.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 826368 c:\windows\system32\wininet.dll
+ 2004-08-26 16:12 . 2009-03-03 00:18 826368 c:\windows\system32\wininet.dll
+ 2004-08-26 16:12 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
- 2004-08-26 16:12 . 2008-04-14 00:12 354304 c:\windows\system32\winhttp.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 233472 c:\windows\system32\webcheck.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2004-08-26 18:00 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2004-08-26 18:00 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2004-08-26 18:00 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 105984 c:\windows\system32\url.dll
+ 2004-08-26 16:12 . 2009-02-06 11:11 110592 c:\windows\system32\services.exe
+ 2004-08-26 16:12 . 2009-02-09 12:10 401408 c:\windows\system32\rpcss.dll
- 2004-08-26 16:12 . 2009-03-08 16:10 409660 c:\windows\system32\perfh009.dat
+ 2004-08-26 16:12 . 2009-04-15 03:36 409660 c:\windows\system32\perfh009.dat
+ 2004-08-26 16:12 . 2009-03-06 14:22 284160 c:\windows\system32\pdh.dll
- 2004-08-26 16:12 . 2008-04-14 00:12 284160 c:\windows\system32\pdh.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 102912 c:\windows\system32\occache.dll
+ 2004-08-26 16:12 . 2009-02-09 12:10 714752 c:\windows\system32\ntdll.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 671232 c:\windows\system32\mstime.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 193024 c:\windows\system32\msrating.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 477696 c:\windows\system32\mshtmled.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
+ 2006-11-08 05:03 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
- 2006-11-08 05:03 . 2008-12-20 23:15 459264 c:\windows\system32\msfeeds.dll
- 2004-08-26 18:00 . 2008-04-14 00:11 161792 c:\windows\system32\msdtcuiu.dll
+ 2004-08-26 18:00 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
- 2004-08-26 18:00 . 2008-04-14 00:11 956928 c:\windows\system32\msdtctm.dll
+ 2004-08-26 18:00 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
+ 2004-08-26 18:00 . 2008-06-12 14:23 428032 c:\windows\system32\msdtcprx.dll
+ 2004-08-26 16:11 . 2009-02-09 12:10 729088 c:\windows\system32\lsasrv.dll
+ 2004-08-26 16:11 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
- 2004-08-26 16:11 . 2008-04-14 00:11 989696 c:\windows\system32\kernel32.dll
+ 2006-10-17 19:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
- 2006-10-17 19:27 . 2008-12-20 23:15 383488 c:\windows\system32\ieapfltr.dll
+ 2006-10-17 19:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
- 2004-08-26 16:11 . 2008-12-19 05:23 161792 c:\windows\system32\ieakui.dll
+ 2004-08-26 16:11 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 153088 c:\windows\system32\ieakeng.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 133120 c:\windows\system32\extmgr.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 347136 c:\windows\system32\dxtmsft.dll
+ 2009-04-14 21:01 . 2008-04-21 12:08 215552 c:\windows\system32\dllcache\wordpad.exe
+ 2009-04-14 21:02 . 2009-02-06 10:10 227840 c:\windows\system32\dllcache\wmiprvse.exe
+ 2009-04-14 21:02 . 2009-02-09 12:10 453120 c:\windows\system32\dllcache\wmiprvsd.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 826368 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-26 16:12 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\wininet.dll
+ 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\system32\dllcache\winhttp.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 233472 c:\windows\system32\dllcache\webcheck.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
+ 2009-04-14 21:02 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\services.exe
+ 2009-04-14 21:02 . 2009-02-09 12:10 401408 c:\windows\system32\dllcache\rpcss.dll
+ 2009-04-14 21:02 . 2009-03-06 14:22 284160 c:\windows\system32\dllcache\pdh.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 102912 c:\windows\system32\dllcache\occache.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
+ 2009-04-14 21:02 . 2009-02-09 12:10 714752 c:\windows\system32\dllcache\ntdll.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 671232 c:\windows\system32\dllcache\mstime.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-09 23:40 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-09 23:40 . 2008-12-20 23:15 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2009-04-14 21:02 . 2009-02-09 12:10 729088 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-03-21 14:06 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2004-08-26 18:01 . 2009-02-28 04:54 636072 c:\windows\system32\dllcache\iexplore.exe
+ 2007-05-09 23:40 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-09 23:40 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-05-09 23:40 . 2008-12-20 23:15 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2004-08-26 16:11 . 2008-12-19 05:23 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-26 16:11 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2009-04-14 21:02 . 2009-02-09 12:10 473600 c:\windows\system32\dllcache\fastprox.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 124928 c:\windows\system32\dllcache\advpack.dll
+ 2009-04-14 21:02 . 2009-02-09 12:10 617472 c:\windows\system32\dllcache\advapi32.dll
+ 2004-08-26 16:11 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
- 2004-08-26 16:11 . 2008-12-20 23:15 124928 c:\windows\system32\advpack.dll
+ 2004-08-26 16:11 . 2009-02-09 12:10 617472 c:\windows\system32\advapi32.dll
- 2004-08-26 16:11 . 2008-04-14 00:11 617472 c:\windows\system32\advapi32.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 826368 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 233472 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-04-14 21:42 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-04-14 21:42 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-04-14 21:42 . 2008-12-20 23:15 102912 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 671232 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 193024 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 477696 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 459264 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-04-14 21:42 . 2008-12-19 05:25 634024 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-04-14 21:42 . 2008-12-20 23:15 267776 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 384512 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-04-14 21:42 . 2008-12-19 05:23 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 230400 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 153088 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 133120 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 347136 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 124928 c:\windows\ie7updates\KB963027-IE7\advpack.dll
+ 2004-08-26 16:12 . 2009-02-20 18:09 1160192 c:\windows\system32\urlmon.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 1160192 c:\windows\system32\urlmon.dll
+ 2004-08-26 16:12 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
- 2004-08-26 16:12 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2004-08-26 16:12 . 2009-02-06 11:08 2189056 c:\windows\system32\ntoskrnl.exe
+ 2004-08-04 05:59 . 2009-02-08 02:02 2066048 c:\windows\system32\ntkrnlpa.exe
- 2004-08-04 05:59 . 2008-08-14 09:33 2066048 c:\windows\system32\ntkrnlpa.exe
+ 2004-08-26 16:12 . 2009-02-20 18:09 3595264 c:\windows\system32\mshtml.dll
+ 2006-11-08 05:03 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
- 2006-09-06 07:01 . 2007-04-17 09:28 2455488 c:\windows\system32\ieapfltr.dat
+ 2006-09-06 07:01 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
+ 2004-08-26 16:12 . 2009-02-20 18:09 1160192 c:\windows\system32\dllcache\urlmon.dll
- 2004-08-26 16:12 . 2008-12-20 23:15 1160192 c:\windows\system32\dllcache\urlmon.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-15 05:57 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-15 05:57 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-15 05:57 . 2008-08-14 09:33 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-15 05:57 . 2008-08-14 09:33 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-15 05:57 . 2009-02-08 02:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-15 05:57 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-10-15 05:57 . 2008-08-14 10:09 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2004-08-26 16:12 . 2009-02-20 18:09 3595264 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-09 23:40 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2007-05-09 23:40 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
- 2007-05-09 23:40 . 2007-04-17 09:28 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-04-14 21:42 . 2008-12-20 23:15 1160192 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-04-14 21:42 . 2009-01-17 05:35 3594752 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-04-14 21:42 . 2008-12-20 23:15 6066688 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-04-14 21:42 . 2007-04-17 09:28 2455488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2008-10-15 05:57 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-15 05:57 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 05:57 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 05:57 . 2009-02-08 02:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 05:57 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 05:57 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-15 05:57 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2005-06-15 01:30 . 2009-04-06 14:57 24921544 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-30 1830128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-20 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-1-20 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-11 05:32 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2005-06-09 20608]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-30 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b090ad61-6b37-11d9-9c11-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
.
------- Supplementary Scan -------
.
DPF: Harvest Mania by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/harvest/harvest-ob-assets.cab
DPF: Mah Jong Garden by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/mahjong/mahjong-ob-assets.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/flinger/flinger-ob-assets.cab
DPF: Pop Fu by pogo - hxxp://game1.pogo.com/applet-6.2.4.23/popfu/popfu-ob-assets.cab
DPF: Word Whomp Whackdown by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/whackdown/whackdown-ob-assets.cab
DPF: WordJong by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/wordjong/wordjong-ob-assets.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 21:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2325555270-2408979141-2192592470-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-04-15 21:02
ComboFix-quarantined-files.txt 2009-04-15 04:02
ComboFix2.txt 2009-04-14 00:17

Pre-Run: 104,897,556,480 bytes free
Post-Run: 104,851,361,792 bytes free

439 --- E O F --- 2009-04-14 21:42


-
-
DDS Log
-
-



DDS (Ver_09-03-16.01) - NTFSx86
Run by Keo at 23:48:40.03 on Tue 04/14/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.273 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Keo\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {16A6B9AD-E30C-421D-BC7C-9762DB80A411} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {50EA1CF4-844B-488C-9BCB-9CF61F01C48B} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {72DA05E9-6318-4472-85BA-D7905BFE250E} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {845324B4-4AF5-4B1A-8AE5-B410D81A00C8} - No File
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: {C1D3DB59-AE8F-4552-9E36-38AC6D96081E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AOL Toolbar search
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Harvest Mania by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/harvest/harvest-ob-assets.cab
DPF: Mah Jong Garden by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/mahjong/mahjong-ob-assets.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/flinger/flinger-ob-assets.cab
DPF: Pop Fu by pogo - hxxp://game1.pogo.com/applet-6.2.4.23/popfu/popfu-ob-assets.cab
DPF: Word Whomp Whackdown by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/whackdown/whackdown-ob-assets.cab
DPF: WordJong by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/wordjong/wordjong-ob-assets.cab
DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-11-6 11840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-11-6 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-11-6 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-11-6 52032]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-2-13 20608]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-5 33752]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-2-13 477696]

=============== Created Last 30 ================

2009-04-14 20:56 <DIR> --d----- C:\ComboFix
2009-04-14 14:02 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 14:02 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 14:02 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 14:02 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 14:02 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 14:02 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 14:02 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 14:02 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 14:02 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 14:01 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 14:01 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 14:01 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-13 17:07 <DIR> a-dshr-- C:\cmdcons
2009-04-13 17:03 161,792 a------- c:\windows\SWREG.exe
2009-04-13 17:03 98,816 a------- c:\windows\sed.exe
2009-03-21 07:06 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-26 21:20 6,632 a------- c:\docume~1\keo\applic~1\wklnhst.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2006-12-12 12:19 1,528 a------- c:\program files\main.ini
2005-06-12 23:07 0 ac-sh--- c:\windows\sminst\HPCD.sys
2008-09-05 03:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 23:49:48.11 ===============


-
-
KAS
-
-


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 14, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 14, 2009 21:34:55
Records in database: 2044254
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\

Scan statistics:
Files scanned: 50846
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:49:52

No malware has been detected. The scan area is clean.

The selected area was scanned.

Edited by PixelPlay, 15 April 2009 - 04:07 AM.


#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:46 AM

Posted 15 April 2009 - 05:36 AM

Before I get to your instructions, I've noticed that when I boot up my computer before it boots into Windows XP it give me a black screen that gives me these 2 options: Recovery Console or Windows XP. It stays like that for a couple seconds then automatically boots into Windows XP without a response from me. Is this normal since I had a Recovery Console installed with ComboFix?

Yes, it's totally normal after successful recovery console installation :thumbup2:

Also, while ComboFix was running, I wasn't aware that SUPERAntiSpyware actively runs, it popped up and said that my homepage was changed to "http://go.microsoft.com/fwlink/?LinkID=69157" and asked whether to allow or not. I selected "Allow" because I'm thinking ComboFix was responsible for this?
I myself changed the homepage of Internet Explorer to "about:blank" because it takes forever when I [rarely] open it, especially when it tries to connect to a webpage.

Yes, ComboFix changed that. You may change it back to about:blank if you wish.

ATF-Cleaner doesn't recognize Firefox I believe it is because users on this computer use Firefox Portable from PortableApps.com on 2 separate USB drives. Will this be an issue?

No, it won't be an issue.

By the way would you like me to attach logs or plainly post them?

Posting them like you did is ok :)


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu
    select
    Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck
    Resident TeaTimer
    and OK any prompts.
  • Restart your computer

Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: {16A6B9AD-E30C-421D-BC7C-9762DB80A411} - No File
BHO: {50EA1CF4-844B-488C-9BCB-9CF61F01C48B} - No File
BHO: {72DA05E9-6318-4472-85BA-D7905BFE250E} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {845324B4-4AF5-4B1A-8AE5-B410D81A00C8} - No File
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: {C1D3DB59-AE8F-4552-9E36-38AC6D96081E} - No File
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
IE: &AOL Toolbar search


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh dds.txt. How's the system running?


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#9 PixelPlay

PixelPlay
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 PM

Posted 15 April 2009 - 01:29 PM

Alright thank you very much for clearing up those questions for me. C=

Sorry did I mess something up when selecting "No" to that Teatimer message?

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:


Do you mean that it should remain off during the whole process of getting help? I re-enable it whenever I finish a scan that may interfere with it. I just feel safe with it running because we use the computer actively most of the time it's on the internet.

The "pv.cfexe" crashed twice again while running ComboFix, would you have a clue what this is? It happens right before the "Completed Stage" list.

After running ComboFix a dialog box opened in NotePad saying "Cannot find the C:\DOCUME~1\MyUsername\LOCALS~1\Temp\log.txt file." something something would you like to open a new notepad. I ended up with a blank notepad. Here's the log from C:\ComboFix.txt instead.

Everything seems pretty fine explorer.exe has yet to hit 99 Memory Usage again. I haven't scanned with any of the protection programs I have, so yeah. I guess it all depends on the logs I supply you. :thumbup2:

- - - - - - - - - -

ComboFix 09-04-15.06 - Keo 04/15/2009 10:57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.183 [GMT -7:00]
Running from: c:\documents and settings\Keo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Keo\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-14 21:02 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 21:02 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 21:02 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 21:02 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 21:02 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 21:02 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 21:02 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 21:02 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 21:02 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 21:01 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 21:01 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 21:01 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 03:40 . 2005-01-20 23:18 -------- d-----w c:\program files\Java
2009-04-15 03:39 . 2006-05-19 07:01 -------- d-----w c:\program files\Yahoo!
2009-04-15 03:39 . 2008-03-01 23:39 -------- d-----w c:\program files\Lavasoft
2009-04-13 21:06 . 2008-08-18 08:47 -------- d-----w c:\documents and settings\Keo\Application Data\gtk-2.0
2009-04-07 05:44 . 2008-12-22 21:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 22:32 . 2008-12-22 21:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-12-22 21:52 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 12:05 . 2009-01-03 09:10 -------- d-----w c:\program files\trend micro
2009-03-30 00:49 . 2008-03-01 21:41 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-27 04:20 . 2005-06-16 22:33 6632 ----a-w c:\documents and settings\Keo\Application Data\wklnhst.dat
2009-03-23 10:08 . 2009-01-11 05:47 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-14 03:31 . 2008-02-22 19:19 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-14 03:30 . 2008-02-22 19:19 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 19:41 . 2005-07-17 02:29 -------- d-----w c:\program files\Common Files\Adobe
2009-03-12 08:24 . 2009-03-12 08:24 268 ---ha-w C:\sqmdata01.sqm
2009-03-12 08:24 . 2009-03-12 08:24 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-09 12:19 . 2009-01-05 16:43 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-26 16:12 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-26 16:12 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 23:12 . 2009-03-01 23:02 -------- d-----w c:\documents and settings\Owner\Application Data\Amazon
2009-02-22 00:58 . 2009-01-11 05:47 -------- d-----w c:\program files\SpywareBlaster
2009-02-20 18:09 . 2004-08-26 16:11 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-16 19:45 . 2005-06-13 18:43 49608 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2004-08-26 16:11 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-26 16:12 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-26 16:12 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-26 16:11 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-26 16:12 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-26 16:12 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-26 16:12 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-26 16:12 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-26 16:12 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-25 08:38 . 2005-06-16 22:33 49608 -c--a-w c:\documents and settings\Keo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-17 21:15 . 2008-08-28 04:02 0 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\prvlcl.dat
2008-08-22 16:27 . 2005-07-16 22:04 152 -c--a-w c:\documents and settings\Guest\Application Data\wklnhst.dat
2008-08-22 14:55 . 2005-07-16 22:05 43392 -c--a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-07 07:21 . 2005-06-13 18:43 1574 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-04-09 22:21 . 2008-04-09 22:21 128 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2008-02-14 20:31 . 2008-02-14 20:31 128 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2006-12-12 19:19 . 2006-12-12 19:19 1528 ----a-w c:\program files\main.ini
2006-02-12 08:13 . 2006-02-12 08:13 126 -c--a-w c:\documents and settings\Keo\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-04-15_04.00.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 17:52 . 2009-04-15 17:52 16384 c:\windows\Temp\Perflib_Perfdata_698.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-30 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-20 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-1-20 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-11 05:32 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2005-06-09 20608]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-30 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b090ad61-6b37-11d9-9c11-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
.
------- Supplementary Scan -------
.
IE: &AOL Toolbar search
DPF: Harvest Mania by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/harvest/harvest-ob-assets.cab
DPF: Mah Jong Garden by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/mahjong/mahjong-ob-assets.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/flinger/flinger-ob-assets.cab
DPF: Pop Fu by pogo - hxxp://game1.pogo.com/applet-6.2.4.23/popfu/popfu-ob-assets.cab
DPF: Word Whomp Whackdown by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/whackdown/whackdown-ob-assets.cab
DPF: WordJong by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/wordjong/wordjong-ob-assets.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 10:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2325555270-2408979141-2192592470-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3632)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-15 11:01
ComboFix-quarantined-files.txt 2009-04-15 18:01
ComboFix2.txt 2009-04-15 04:02
ComboFix3.txt 2009-04-14 00:17

Pre-Run: 104,765,947,904 bytes free
Post-Run: 104,832,724,992 bytes free

166 --- E O F --- 2009-04-14 21:42


-
-
DDS
-
-



DDS (Ver_09-03-16.01) - NTFSx86
Run by Keo at 11:20:41.35 on Wed 04/15/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.264 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Keo\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {16A6B9AD-E30C-421D-BC7C-9762DB80A411} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {50EA1CF4-844B-488C-9BCB-9CF61F01C48B} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {72DA05E9-6318-4472-85BA-D7905BFE250E} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {845324B4-4AF5-4B1A-8AE5-B410D81A00C8} - No File
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: {C1D3DB59-AE8F-4552-9E36-38AC6D96081E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AOL Toolbar search
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Harvest Mania by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/harvest/harvest-ob-assets.cab
DPF: Mah Jong Garden by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/mahjong/mahjong-ob-assets.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/flinger/flinger-ob-assets.cab
DPF: Pop Fu by pogo - hxxp://game1.pogo.com/applet-6.2.4.23/popfu/popfu-ob-assets.cab
DPF: Word Whomp Whackdown by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/whackdown/whackdown-ob-assets.cab
DPF: WordJong by pogo - hxxp://game1.pogo.com/applet-6.2.5.28/wordjong/wordjong-ob-assets.cab
DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-11-6 11840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-11-6 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-11-6 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-11-6 52032]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-2-13 20608]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-5 33752]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-2-13 477696]

=============== Created Last 30 ================

2009-04-14 14:02 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 14:02 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 14:02 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 14:02 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 14:02 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 14:02 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 14:02 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 14:02 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 14:02 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 14:01 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 14:01 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 14:01 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-13 17:07 <DIR> a-dshr-- C:\cmdcons
2009-04-13 17:03 161,792 a------- c:\windows\SWREG.exe
2009-04-13 17:03 98,816 a------- c:\windows\sed.exe
2009-03-21 07:06 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-26 21:20 6,632 a------- c:\docume~1\keo\applic~1\wklnhst.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2006-12-12 12:19 1,528 a------- c:\program files\main.ini
2005-06-12 23:07 0 ac-sh--- c:\windows\sminst\HPCD.sys
2008-09-05 03:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 11:21:24.26 ===============

Edited by PixelPlay, 15 April 2009 - 01:30 PM.


#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:46 AM

Posted 16 April 2009 - 08:10 AM

Sorry did I mess something up when selecting "No" to that Teatimer message?

Those fixed registry entries came back and seems that of some reason ComboFix didn't fix them now. I suggest you uninstall Spybot for now and install it again after we've finished. That way TeaTimer won't bring those values back again when you turn it on.

Let's try with hijackthis.

Start hjt, do a system scan, check (if found):
O2 - BHO: (no name) - {16A6B9AD-E30C-421D-BC7C-9762DB80A411} - (no file)
O2 - BHO: (no name) - {50EA1CF4-844B-488C-9BCB-9CF61F01C48B} - (no file)
O2 - BHO: (no name) - {72DA05E9-6318-4472-85BA-D7905BFE250E} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {845324B4-4AF5-4B1A-8AE5-B410D81A00C8} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {C1D3DB59-AE8F-4552-9E36-38AC6D96081E} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML


Close browsers and fix checked.

Reboot and post a fresh hjt log. How's the system running?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 PixelPlay

PixelPlay
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 PM

Posted 16 April 2009 - 08:24 AM

Hold on before I miss you. I just tried uninstalling Spybot S&D through Add and Remove Programs but it said afterward something like: Some traces could not be removed. These can be removed manually.
The Teatimer tray icon is still here when I right click on it the "Run Spybot S&D" is grayed out.

What am I suppose to do?

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:46 AM

Posted 16 April 2009 - 04:21 PM

Hi

Reboot and see if the icon still appears there. If it does, see what folders with Spybot in their name you can find in c:\program files folder.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:46 AM

Posted 26 April 2009 - 12:24 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users