Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't open up anti-virus or spyware programs


  • Please log in to reply
11 replies to this topic

#1 Crazy_mofo213

Crazy_mofo213

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:56 AM

Posted 23 September 2009 - 06:27 PM

Every time I try to open an anti-virus program i'm met with a message that says
"Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item"

I find it odd because when I first ran Malwarebytes I was able to scan for about a minute before it closed on me. Ever since then I've been met with the message above everytime I try to open it.

Another problem I'm having is that everytime I search on google, I'm redirected to random sites.

Heres what I got from Win32kDiag:

Running from: C:\Documents and Settings\Windows XP\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Windows XP\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\windows'...



Found mount point : C:\windows\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB928388\KB928388

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB929120\KB929120

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE22.tmp\ZAPE22.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFBE.tmp\ZAPFBE.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\pchealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\windows\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2008-04-14 05:42:22 744448 C:\windows\pchealth\helpctr\binaries\HelpSvc.exe ()

[1] 2008-04-14 05:42:22 744448 C:\windows\system32\dllcache\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\windows\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\appmgmt\S-1-5-21-1993962763-879983540-1606980848-1003\S-1-5-21-1993962763-879983540-1606980848-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\windows\system32\dumprep.exe

[1] 2008-04-14 05:42:20 10752 C:\windows\system32\dllcache\dumprep.exe (Microsoft Corporation)

[1] 2008-04-14 05:42:20 10752 C:\windows\system32\dumprep.exe ()



Cannot access: C:\windows\system32\eventlog.dll

[1] 2008-04-14 05:41:54 56320 C:\windows\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 05:41:54 61952 C:\windows\system32\eventlog.dll ()

[2] 2008-04-14 05:41:54 56320 C:\windows\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\windows\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\Macromed\Shockwave 8\DswMedia\DswMedia

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Temp\AskBarDis\upgrade\upgrade

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Temp\CTZAPXX\Drivers\Drivers

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Temp\DX1655.tmp\directx\directx

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Temp\DX1655.tmp\drivers\drivers

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Temp\DX1655.tmp\help\help

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Temp\DX1655.tmp\inf\inf

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Temp\DX1655.tmp\sysbackup\sysbackup

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Temp\DX1655.tmp\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Temp\_ISTMP0.DIR\_ISTMP0.DIR

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\WinSxS\WMSET10\wpdmtp\xscan_xp\NPSWF32\NPSWF32

Mount point destination : \Device\__max++>\^



Finished!

And here's the log

Volume in drive C has no label.
Volume Serial Number is 2C43-9EB0

Directory of C:\windows\system32

04/14/2008 05:42 181,248 scecli.dll

Directory of C:\windows\system32

04/14/2008 05:42 407,040 netlogon.dll

Directory of C:\windows\system32

04/14/2008 05:41 61,952 eventlog.dll
3 File(s) 650,240 bytes

Directory of C:\windows\system32\dllcache

04/14/2008 05:42 181,248 scecli.dll

Directory of C:\windows\system32\dllcache

04/14/2008 05:42 407,040 netlogon.dll

Directory of C:\windows\system32\dllcache

04/14/2008 05:41 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
6 File(s) 1,294,848 bytes
0 Dir(s) 93,049,757,696 bytes free

Edited by Crazy_mofo213, 23 September 2009 - 06:28 PM.


BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:56 AM

Posted 10 October 2009 - 10:23 AM

Hello Crazy_mofo213

Welcome to Welcome to BleepingComputer :(
=====================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 Crazy_mofo213

Crazy_mofo213
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:56 AM

Posted 16 October 2009 - 07:33 PM

Hello and thanks for replying. I tried both scans, however, as soon as the scans were complete the programs closed.
Now everytime I try to open the programs I'm met with the same error which is:
"Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item"

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:56 AM

Posted 17 October 2009 - 09:31 AM

Ok not a problem.

Go to Start > Run then type in cmd then hit ok.
Then copy and paste in this line below in bold:
copy /y C:\windows\system32\dllcache\eventlog.dll C:\
then hit the Enter key and it should say 1File(s) copied.If it does not say that then stop and tell me.
=======================
If it goes correctly then please proceed as outlined below.


1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\eventlog.dll | C:\windows\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 Crazy_mofo213

Crazy_mofo213
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:56 AM

Posted 24 October 2009 - 03:02 PM

Ok, here's the avenger.txt:


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\windows\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:56 AM

Posted 24 October 2009 - 05:26 PM

First temporarily disable any antivirus program or any real time shields that are present:
If you do not know how then you can refer to this link:
http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
================
Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah then save it to your desktop.
Link 1
Link 2
--------------------------------------------------------------------

Double click on kahdah.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 Crazy_mofo213

Crazy_mofo213
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:56 AM

Posted 25 October 2009 - 02:05 AM

Here's the report:

ComboFix 09-10-24.01 - Windows XP 10/24/2009 22:17.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.562 [GMT -7:00]
Running from: c:\documents and settings\Windows XP\Desktop\kahdah.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Windows XP\Application Data\.#
c:\documents and settings\Windows XP\Application Data\.#\MBX@B04@93CFC0.###
c:\documents and settings\Windows XP\Application Data\.#\MBX@B04@93E7D0.###
c:\documents and settings\Windows XP\Application Data\.#\MBX@B04@93E880.###
c:\documents and settings\Windows XP\Application Data\.#\MBX@B04@93EAE0.###
c:\documents and settings\Windows XP\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Windows XP\Local Settings\Temporary Internet Files\awesu.dll
c:\documents and settings\Windows XP\Local Settings\Temporary Internet Files\jehi.lib
c:\documents and settings\Windows XP\Local Settings\Temporary Internet Files\savy.sys
C:\p2hhr.bat
c:\program files\Common Files\adypefel.bat
c:\program files\Common Files\ujajadyge.reg
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\config.ini
c:\program files\Dealio Toolbar\DealioToolbarIE.dll
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\separator.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\SearchSettings.dll
c:\program files\Dealio Toolbar\SearchSettings.exe
c:\program files\Dealio Toolbar\SearchSettingsRes409.dll
c:\program files\Dealio Toolbar\sscfg.ini
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\windows\avicahuhi.bat
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\ryjylymexo.scr
c:\windows\system32\auwpmcsg.ini
c:\windows\system32\bennuar.old
c:\windows\system32\dumphive.exe
c:\windows\system32\hidjhyhh.ini
c:\windows\system32\HRtsDfhk.ini
c:\windows\system32\HRtsDfhk.ini2
c:\windows\system32\IEDFix.exe
c:\windows\system32\ieupdates.exe.tmp
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\jihkknpo.ini
c:\windows\system32\jihkknpo.ini2
c:\windows\system32\Process.exe
c:\windows\system32\siwxjjsb.ini
c:\windows\system32\sonhelp.htm
c:\windows\system32\SrchSTS.exe
c:\windows\system32\sysnet.dat
c:\windows\system32\tapi.nfo
c:\windows\system32\tcmahain.ini
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\VyIilnnn.ini
c:\windows\system32\VyIilnnn.ini2
c:\windows\system32\wispex.html
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 05:38 . 2009-10-25 05:38 -------- d-----w- C:\$AVG
2009-10-24 16:44 . 2009-10-24 16:44 -------- d-----w- c:\documents and settings\Windows XP\Application Data\AVG8
2009-10-24 16:23 . 2009-10-24 16:23 -------- d-----w- c:\program files\Spyware Doctor
2009-10-24 16:23 . 2009-10-24 16:23 -------- d-----w- c:\documents and settings\Windows XP\Application Data\PC Tools
2009-10-21 02:21 . 2009-10-22 23:21 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-21 02:21 . 2009-10-21 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-21 00:54 . 2009-10-21 00:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-10-21 00:52 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-21 00:50 . 2009-10-21 00:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-21 00:50 . 2009-10-21 00:50 -------- d-----w- c:\program files\Lavasoft
2009-10-21 00:50 . 2009-10-21 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-20 04:01 . 2009-10-20 04:01 -------- d-----w- c:\documents and settings\Windows XP\Local Settings\Application Data\Threat Expert
2009-10-18 04:14 . 2009-10-18 04:14 -------- d-----w- c:\program files\VALVe
2009-10-17 00:09 . 2009-10-17 00:09 291328 ----a-w- C:\cmjb6k4l.exe
2009-10-06 14:24 . 2009-10-06 14:24 -------- d-----w- C:\Sega
2009-10-05 00:38 . 2009-10-05 00:40 -------- d-----w- c:\program files\Guilty Gear ISUKA
2009-09-27 23:50 . 2009-10-18 23:12 -------- d-----w- c:\program files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 05:11 . 2009-04-05 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-25 05:11 . 2009-04-05 17:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-24 19:59 . 2008-08-25 03:14 -------- d-----w- c:\program files\lx_cats
2009-10-24 16:23 . 2009-09-07 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-24 16:20 . 2008-11-02 20:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-22 23:22 . 2009-09-10 03:06 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-22 23:21 . 2009-09-10 03:06 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-21 02:22 . 2009-09-16 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-21 02:21 . 2009-09-10 03:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-21 02:21 . 2009-09-10 03:06 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-21 02:21 . 2009-09-10 01:57 -------- d-----w- c:\program files\AVG
2009-10-21 01:06 . 2008-07-02 23:26 -------- d-----w- c:\program files\Google
2009-10-21 00:55 . 2002-01-04 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-21 00:35 . 2002-01-04 03:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-21 00:33 . 2009-09-23 15:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 23:13 . 2009-05-06 00:56 -------- d-----w- c:\program files\Acoustica Mixcraft 4
2009-10-18 23:16 . 2009-06-13 06:21 -------- d-----w- c:\program files\Counter-Strike 1.6 V40
2009-10-03 15:29 . 2009-09-06 05:26 -------- d-----w- c:\program files\RegCure
2009-09-23 16:02 . 2009-09-13 20:46 -------- d-----w- c:\program files\Download Direct
2009-09-23 15:55 . 2009-09-23 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 00:48 . 2002-01-04 04:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-20 00:29 . 2009-09-20 00:29 -------- d-----w- c:\program files\Ubisoft
2009-09-18 14:16 . 2009-09-18 14:16 -------- d-----w- c:\documents and settings\Windows XP\Application Data\Search Settings
2009-09-18 14:16 . 2009-09-18 14:16 -------- d-----w- c:\documents and settings\Windows XP\Application Data\Dealio
2009-09-18 12:10 . 2009-09-18 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-16 21:35 . 2009-08-22 06:14 25 ----a-w- c:\windows\popcinfot.dat
2009-09-16 21:35 . 2009-08-22 03:03 -------- d-----w- c:\program files\Plants Vs Zombies
2009-09-13 20:37 . 2002-01-03 10:31 92384 ----a-w- c:\documents and settings\Windows XP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 23:42 . 2009-09-10 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-09-10 21:54 . 2009-09-23 15:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-09-23 15:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 02:36 . 2009-03-14 04:01 -------- d-----w- c:\program files\Activision
2009-09-10 02:33 . 2008-07-05 05:46 -------- d-----w- c:\documents and settings\Windows XP\Application Data\Lavasoft
2009-09-10 02:30 . 2009-09-06 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-10 01:21 . 2009-09-10 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Gtek
2009-09-10 01:21 . 2009-09-10 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-09-09 04:46 . 2008-08-08 13:25 256 ----a-w- c:\windows\system32\pool.bin
2009-09-09 03:18 . 2009-09-09 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-09 03:18 . 2009-09-09 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-09-09 02:51 . 2009-04-05 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-07 20:44 . 2009-08-14 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-06 21:40 . 2009-09-06 21:40 -------- d-----w- c:\program files\Trend Micro
2009-09-06 07:05 . 2009-09-06 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-06 07:04 . 2009-09-06 07:04 -------- d-----w- c:\program files\Common Files\iS3
2009-09-06 05:40 . 2009-09-06 05:40 -------- d-----w- c:\program files\ToniArts
2009-09-06 04:49 . 2009-09-06 04:47 -------- d-----w- c:\program files\SpyNoMore
2009-09-06 04:47 . 2009-09-06 04:47 1152 ----a-w- c:\windows\system32\windrv.sys
2009-09-06 04:47 . 2009-08-14 00:05 -------- d-----w- c:\documents and settings\Windows XP\Application Data\GetRightToGo
2009-09-06 03:48 . 2009-03-01 23:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-06 03:39 . 2009-09-06 03:39 687104 ----a-w- c:\windows\is-ENRAR.exe
2009-09-06 03:00 . 2009-09-06 03:00 17405 ----a-w- c:\documents and settings\Windows XP\Application Data\ejonyl.bin
2009-09-06 03:00 . 2009-09-06 03:00 15169 ----a-w- c:\documents and settings\Windows XP\Local Settings\Application Data\ezokilu.pif
2009-09-06 03:00 . 2009-09-06 03:00 14639 ----a-w- c:\documents and settings\Windows XP\Local Settings\Application Data\wirom.exe
2009-09-06 03:00 . 2009-09-06 03:00 12486 ----a-w- c:\documents and settings\Windows XP\Application Data\ecaf.scr
2009-09-06 03:00 . 2009-09-06 03:00 10915 ----a-w- c:\windows\system32\owokyhuqy.pif
2009-09-06 03:00 . 2009-09-06 03:00 10879 ----a-w- c:\program files\Common Files\jivak.dat
2009-09-06 00:27 . 2009-09-06 00:27 -------- d-----w- c:\program files\Sega
2009-09-02 00:49 . 2009-09-02 00:49 -------- d-----w- c:\program files\Common Files\NSV
2009-08-30 04:25 . 2009-08-16 02:49 255 ----a-w- c:\windows\PowerReg.dat
2009-08-30 04:24 . 2009-08-30 04:24 -------- d-----w- c:\program files\Hasbro Interactive
2009-08-30 04:24 . 2009-08-30 04:24 0 ----a-w- c:\windows\DXT1654.tmp
2009-08-30 04:24 . 2009-08-30 04:24 0 ----a-w- c:\windows\DXT1653.tmp
2009-08-30 04:24 . 2009-08-30 04:24 0 ----a-w- c:\windows\DXT1652.tmp
2009-08-30 04:24 . 2009-08-30 04:24 0 ----a-w- c:\windows\DXT1651.tmp
2009-08-30 04:24 . 2009-08-30 04:24 0 ----a-w- c:\windows\DXT1650.tmp
2009-08-30 04:24 . 2009-08-30 04:24 0 ----a-w- c:\windows\DXT164F.tmp
2009-08-30 04:24 . 2009-08-30 04:24 0 ----a-w- c:\windows\DXT164E.tmp
2009-08-30 04:24 . 2009-08-30 04:24 0 ----a-w- c:\windows\DXT164D.tmp
2009-08-23 00:21 . 2009-08-23 00:13 12265 ----a-w- c:\windows\scunin.dat
2009-08-23 00:13 . 2009-08-23 00:13 967 ----a-w- c:\windows\ScUnin.pif
2009-08-23 00:13 . 2009-08-23 00:13 68096 ----a-w- c:\windows\ScUnin.exe
2009-08-17 01:43 . 2008-12-31 23:23 1014 ----a-w- c:\windows\eReg.dat
2009-08-16 02:49 . 2009-08-16 02:43 905 ----a-w- c:\program files\uninstal.log
2009-08-05 09:01 . 2008-04-14 12:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-05-31 20:49 . 2009-05-31 20:49 25 ----a-w- c:\program files\popcinfot.dat
2006-12-13 03:12 . 2002-01-04 04:25 66648 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2002-01-04 04:25 54352 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2002-01-04 04:25 34928 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2002-01-04 04:25 46696 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2002-01-04 04:25 172120 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-07 05:01 . 2008-09-07 04:38 56 --sh--r- c:\windows\system32\41E010771D.sys
2008-09-07 05:01 . 2008-09-07 04:38 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-18 19:28 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"L07AXLRD_59744406"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" [2006-06-10 351000]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-01 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-01 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-01 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-10-04 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]
"SNM"="c:\program files\SpyNoMore\SNM.exe" [2007-11-15 1212368]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-22 2010904]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-02-08 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

c:\documents and settings\Windows XP\Start Menu\Programs\Startup\
Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2006-1-21 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-21 02:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NOD32FiXTemDono"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Sierra\\Half-Life\\hl.exe"=
"c:\\Program Files\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Sierra\\Half-Life\\hltv.exe"=
"c:\\Sierra\\Half-Life\\hlds.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/20/2009 7:21 PM 161800]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/20/2009 5:52 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/9/2009 8:06 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/9/2009 8:06 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 11:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 74480]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/20/2009 7:21 PM 285392]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [5/24/2009 9:50 PM 234888]
S2 gupdate1ca51e87f4c1cbc;Google Update Service (gupdate1ca51e87f4c1cbc);c:\program files\Google\Update\GoogleUpdate.exe [10/20/2009 5:50 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 4:17 AM 1169232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AAAAAAAA-IWE2-R26D-0I80-XP2V372A0343}]
c:\documents and settings\Windows XP\Desktop\Youtube.exe Restart
.
Contents of the 'Scheduled Tasks' folder

2009-10-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:06]

2009-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-21 00:50]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-21 00:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
LSP: xfire_lsp_10650.dll
Trusted Zone: aol.com\free
Trusted Zone: nintendo.com\club
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\Windows XP\Application Data\Mozilla\Firefox\Profiles\f0buqek6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2031308&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - DigitalPowered Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2031308&q=
.
- - - - ORPHANS REMOVED - - - -

BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\DealioToolbarIE.dll
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\DealioToolbarIE.dll
Toolbar-Locked - (no file)
WebBrowser-{E738F11F-B0F3-4E0D-A5CA-6ED7B0BD4F5D} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
HKCU-Run-NtSysTools - c:\documents and settings\Windows XP\Desktop\Youtube.exe
HKCU-Run-DLD.EXE - (no file)
HKLM-Run-CTStartup - c:\program files\Creative\Splash Screen\CTEaxSpl.EXE
HKLM-Run-SearchSettings - c:\program files\Dealio Toolbar\SearchSettings.exe
Notify-rqRLefEV - (no file)
AddRemove-Final Fantasy VII XP Patch - c:\program files\Square Soft
AddRemove-Sonic R - c:\sega\SonicR\directx\setup
AddRemove-SONICADVDX - c:\documents and settings\Windows XP\Desktop\Sonic Adventure DX\unsetup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 22:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???P????&3?????\??? ??? ???\???\???????????5?B~e?B~\???\?????????`??????C@?\???\??????sP???\??????s\????&3?A??s?&3??C@?x???`|?w\?????@
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-879983540-1606980848-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c5,34,dc,00,c7,52,3e,07,60,ed,d0,f6,b0,08,cd,9f,4f,3f,02,d3,27,2c,83,
89,32,af,02,fa,ee,95,b7,dc,4e,29,f2,3d,82,73,3e,da,3f,56,29,c6,d6,a8,67,0c,\
"??"=hex:5a,87,43,36,1b,a4,0d,b1,5c,07,ac,c0,ad,d7,37,6a

[HKEY_USERS\S-1-5-21-1993962763-879983540-1606980848-1003\Software\SecuROM\License information*]
"datasecu"=hex:a3,74,43,13,72,4b,a5,72,8f,8b,d4,2b,a7,17,b1,c3,a1,c1,cd,68,da,
bf,6d,cf,fa,8b,0d,85,15,4d,bc,c7,c9,bf,e4,81,16,7c,0e,e8,d3,66,1a,fc,64,2b,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\xfire_lsp_10650.dll

- - - - - - - > 'explorer.exe'(552)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\MsPMSPSv.exe
c:\kahdah\CF27124.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\kahdah\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 22:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 05:59

Pre-Run: 94,878,535,680 bytes free
Post-Run: 102,184,284,160 bytes free

- - End Of File - - 320C7E206857A5C18A940DCCD5B03699

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:56 AM

Posted 25 October 2009 - 06:24 AM

Please uninstall any 2 of the 3 antivirus programs you have installed.
Keep the one you plan on keeping updated.
AVG Anti-Virus
ESET NOD32 Antivirus 3.0
Norton 360 Premier Edition


Keep only one.

This has to be done first.
=============
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
ASKUpgrade

File::
c:\documents and settings\Windows XP\Application Data\ejonyl.bin
c:\documents and settings\Windows XP\Local Settings\Application Data\ezokilu.pif
c:\documents and settings\Windows XP\Local Settings\Application Data\wirom.exe
c:\documents and settings\Windows XP\Application Data\ecaf.scr
c:\windows\system32\owokyhuqy.pif
c:\program files\Common Files\jivak.dat

Folder::
c:\documents and settings\Windows XP\Application Data\Search Settings
c:\documents and settings\Windows XP\Application Data\Dealio
c:\program files\AskBarDis


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
=============
Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=====
* Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 Crazy_mofo213

Crazy_mofo213
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:56 AM

Posted 25 October 2009 - 08:27 PM

I ran combofix and here's the log:

ComboFix 09-10-25.01 - Windows XP 10/25/2009 16:38:06.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.627 [GMT -7:00]
Running from: C:\Documents and Settings\Windows XP\Desktop\kahdah.exe
Command switches used :: C:\Documents and Settings\Windows XP\Desktop\CFScript.txt
AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\documents and settings\Windows XP\Application Data\ecaf.scr"
"c:\documents and settings\Windows XP\Application Data\ejonyl.bin"
"c:\documents and settings\Windows XP\Local Settings\Application Data\ezokilu.pif"
"c:\documents and settings\Windows XP\Local Settings\Application Data\wirom.exe"
"c:\program files\Common Files\jivak.dat"
"c:\windows\system32\owokyhuqy.pif"
.





And here's the log from the ESET scan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6210
# api_version=3.0.2
# EOSSerial=b64eddd4d4375d4ba9d27cb497397334
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-26 01:23:45
# local_time=2009-10-25 06:23:45 (-0700, US Mountain Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 4157540 4157540 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777175 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=135242
# found=15
# cleaned=15
# scan_time=3055
C:\Qoobox\Quarantine\C\WINDOWS\system32\auwpmcsg.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\hidjhyhh.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\HRtsDfhk.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\HRtsDfhk.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\jihkknpo.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\jihkknpo.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\siwxjjsb.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\tapi.nfo.vir Win32/Oficla.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\tcmahain.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\VyIilnnn.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\VyIilnnn.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\wispex.html.vir Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTM\MovedFiles\09062009_225020\Program Files\Windows Police Pro\windows Police Pro.exe a variant of Win32/Adware.WindowsAntivirusPro.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTM\MovedFiles\09062009_225020\Program Files\Windows Police Pro\tmp\wispex.html Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTM\MovedFiles\09062009_225020\windows\svchasts.exe Win32/Adware.WindowsAntivirusPro application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Windows XP\Application Data\Dealio
c:\documents and settings\Windows XP\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Windows XP\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Windows XP\Application Data\ecaf.scr
c:\documents and settings\Windows XP\Application Data\ejonyl.bin
c:\documents and settings\Windows XP\Application Data\Search Settings
c:\documents and settings\Windows XP\Application Data\Search Settings\kb128\temp\ws-14540.log
c:\documents and settings\Windows XP\Local Settings\Application Data\ezokilu.pif
c:\documents and settings\Windows XP\Local Settings\Application Data\wirom.exe
c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\AskSplash.exe
c:\program files\AskBarDis\bar\bin\AskTBApp.exe
c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Settings\AskLogo.ico
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe
c:\program files\Common Files\jivak.dat
c:\windows\system32\owokyhuqy.pif

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASKUPGRADE
-------\Service_ASKUpgrade


((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 22:58:27 . 2009-10-25 23:00:42 0 d-----w- C:\kahdah
2009-10-24 16:23:59 . 2009-10-24 16:23:59 0 d-----w- C:\Program Files\Spyware Doctor
2009-10-24 16:23:59 . 2009-10-24 16:23:59 0 d-----w- C:\Documents and Settings\Windows XP\Application Data\PC Tools
2009-10-21 02:21:25 . 2009-10-25 22:27:24 0 d-----w- C:\Documents and Settings\All Users\Application Data\avg9
2009-10-21 00:54:39 . 2009-10-21 00:54:39 0 d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
2009-10-21 00:52:12 . 2009-09-23 12:55:23 64288 ----a-w- C:\windows\system32\drivers\Lbd.sys
2009-10-21 00:50:24 . 2009-10-21 00:50:26 0 dc-h--w- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-21 00:50:03 . 2009-10-21 00:50:03 0 d-----w- C:\Program Files\Lavasoft
2009-10-21 00:50:02 . 2009-10-21 00:52:19 0 d-----w- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-10-20 04:01:40 . 2009-10-20 04:01:40 0 d-----w- C:\Documents and Settings\Windows XP\Local Settings\Application Data\Threat Expert
2009-10-18 04:14:36 . 2009-10-18 04:14:36 0 d-----w- C:\Program Files\VALVe
2009-10-17 00:09:20 . 2009-10-17 00:09:31 291328 ----a-w- C:\cmjb6k4l.exe
2009-10-06 14:24:42 . 2009-10-06 14:24:42 0 d-----w- C:\Sega
2009-09-27 23:50:35 . 2009-10-18 23:12:51 0 d-----w- C:\Program Files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 22:31:00 . 2008-08-25 03:14:36 0 d-----w- C:\Program Files\lx_cats
2009-10-25 20:57:36 . 2002-01-04 04:26:32 0 d--h--w- C:\Program Files\InstallShield Installation Information
2009-10-25 20:57:32 . 2009-04-09 03:42:32 0 d-----w- C:\Program Files\Duke Nukem - Manhattan Project
2009-10-25 05:11:17 . 2009-04-05 17:39:28 0 d-----w- C:\Documents and Settings\All Users\Application Data\Symantec
2009-10-25 05:11:17 . 2009-04-05 17:38:35 0 d-----w- C:\Program Files\Common Files\Symantec Shared
2009-10-24 16:23:59 . 2009-09-07 17:52:57 0 d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-10-24 16:20:35 . 2008-11-02 20:45:50 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-10-21 02:21:26 . 2009-09-10 01:57:57 0 d-----w- C:\Program Files\AVG
2009-10-21 01:06:55 . 2008-07-02 23:26:58 0 d-----w- C:\Program Files\Google
2009-10-21 00:55:54 . 2002-01-04 03:49:20 0 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-21 00:35:13 . 2002-01-04 03:49:20 0 d-----w- C:\Program Files\Spybot - Search & Destroy
2009-10-21 00:33:40 . 2009-09-23 15:55:11 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-20 23:13:49 . 2009-05-06 00:56:38 0 d-----w- C:\Program Files\Acoustica Mixcraft 4
2009-10-18 23:16:53 . 2009-06-13 06:21:55 0 d-----w- C:\Program Files\Counter-Strike 1.6 V40
2009-10-03 15:29:49 . 2009-09-06 05:26:38 0 d-----w- C:\Program Files\RegCure
2009-09-23 15:55:12 . 2009-09-23 15:55:12 0 d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-09-20 00:29:01 . 2009-09-20 00:29:01 0 d-----w- C:\Program Files\Ubisoft
2009-09-18 12:10:34 . 2009-09-18 12:10:34 0 d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-09-16 21:35:24 . 2009-08-22 06:14:24 25 ----a-w- C:\windows\popcinfot.dat
2009-09-16 21:35:24 . 2009-08-22 03:03:11 0 d-----w- C:\Program Files\Plants Vs Zombies
2009-09-13 20:37:57 . 2002-01-03 10:31:44 92384 ----a-w- C:\Documents and Settings\Windows XP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 23:42:36 . 2009-09-10 23:42:36 0 d-----w- C:\Documents and Settings\All Users\Application Data\HP
2009-09-10 21:54:06 . 2009-09-23 15:55:15 38224 ----a-w- C:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 . 2009-09-23 15:55:12 19160 ----a-w- C:\windows\system32\drivers\mbam.sys
2009-09-10 02:36:16 . 2009-03-14 04:01:29 0 d-----w- C:\Program Files\Activision
2009-09-10 02:33:45 . 2008-07-05 05:46:54 0 d-----w- C:\Documents and Settings\Windows XP\Application Data\Lavasoft
2009-09-10 02:30:27 . 2009-09-06 07:04:49 0 d-----w- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2009-09-10 01:21:23 . 2009-09-10 01:21:23 0 d-----w- C:\Documents and Settings\All Users\Application Data\Gtek
2009-09-10 01:21:04 . 2009-09-10 01:21:04 0 d-----w- C:\Documents and Settings\All Users\Application Data\ESET
2009-09-09 04:46:23 . 2008-08-08 13:25:34 256 ----a-w- C:\windows\system32\pool.bin
2009-09-09 03:18:13 . 2009-09-09 02:54:38 0 d-----w- C:\Documents and Settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-09-07 20:44:37 . 2009-08-14 00:18:08 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-09-06 21:40:31 . 2009-09-06 21:40:31 0 d-----w- C:\Program Files\Trend Micro
2009-09-06 07:05:41 . 2009-09-06 07:05:41 0 d-----w- C:\Documents and Settings\All Users\Application Data\SITEguard
2009-09-06 07:04:50 . 2009-09-06 07:04:50 0 d-----w- C:\Program Files\Common Files\iS3
2009-09-06 04:49:19 . 2009-09-06 04:47:34 0 d-----w- C:\Program Files\SpyNoMore
2009-09-06 04:47:48 . 2009-09-06 04:47:48 1152 ----a-w- C:\windows\system32\windrv.sys
2009-09-06 04:47:27 . 2009-08-14 00:05:09 0 d-----w- C:\Documents and Settings\Windows XP\Application Data\GetRightToGo
2009-09-06 03:48:33 . 2009-03-01 23:47:31 0 d-----w- C:\Program Files\SUPERAntiSpyware
2009-09-06 03:39:18 . 2009-09-06 03:39:18 687104 ----a-w- C:\windows\is-ENRAR.exe
2009-09-06 00:27:53 . 2009-09-06 00:27:53 0 d-----w- C:\Program Files\Sega
2009-09-02 00:49:45 . 2009-09-02 00:49:45 0 d-----w- C:\Program Files\Common Files\NSV
2009-08-30 04:25:03 . 2009-08-16 02:49:16 255 ----a-w- C:\windows\PowerReg.dat
2009-08-30 04:24:31 . 2009-08-30 04:24:31 0 d-----w- C:\Program Files\Hasbro Interactive
2009-08-30 04:24:30 . 2009-08-30 04:24:30 0 ----a-w- C:\windows\DXT1654.tmp
2009-08-30 04:24:30 . 2009-08-30 04:24:30 0 ----a-w- C:\windows\DXT1653.tmp
2009-08-30 04:24:30 . 2009-08-30 04:24:30 0 ----a-w- C:\windows\DXT1652.tmp
2009-08-30 04:24:30 . 2009-08-30 04:24:30 0 ----a-w- C:\windows\DXT1651.tmp
2009-08-30 04:24:30 . 2009-08-30 04:24:30 0 ----a-w- C:\windows\DXT1650.tmp
2009-08-30 04:24:30 . 2009-08-30 04:24:30 0 ----a-w- C:\windows\DXT164F.tmp
2009-08-30 04:24:30 . 2009-08-30 04:24:30 0 ----a-w- C:\windows\DXT164E.tmp
2009-08-30 04:24:30 . 2009-08-30 04:24:30 0 ----a-w- C:\windows\DXT164D.tmp
2009-08-23 00:21:26 . 2009-08-23 00:13:23 12265 ----a-w- C:\windows\scunin.dat
2009-08-23 00:13:22 . 2009-08-23 00:13:22 967 ----a-w- C:\windows\ScUnin.pif
2009-08-23 00:13:22 . 2009-08-23 00:13:22 68096 ----a-w- C:\windows\ScUnin.exe
2009-08-17 01:43:24 . 2008-12-31 23:23:55 1014 ----a-w- C:\windows\eReg.dat
2009-08-16 02:49:39 . 2009-08-16 02:43:30 905 ----a-w- C:\Program Files\uninstal.log
2009-08-05 09:01:48 . 2008-04-14 12:42:02 204800 ----a-w- C:\windows\system32\mswebdvd.dll
2009-05-31 20:49:17 . 2009-05-31 20:49:16 25 ----a-w- C:\Program Files\popcinfot.dat
2006-12-13 03:12:30 . 2002-01-04 04:25:06 66648 ----a-w- C:\Program Files\mozilla firefox\components\jar50.dll
2006-12-13 03:12:31 . 2002-01-04 04:25:06 54352 ----a-w- C:\Program Files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12:32 . 2002-01-04 04:25:06 34928 ----a-w- C:\Program Files\mozilla firefox\components\myspell.dll
2006-12-13 03:12:33 . 2002-01-04 04:25:06 46696 ----a-w- C:\Program Files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12:34 . 2002-01-04 04:25:06 172120 ----a-w- C:\Program Files\mozilla firefox\components\xpinstal.dll
2008-09-07 05:01:39 . 2008-09-07 04:38:27 56 --sh--r- C:\windows\system32\41E010771D.sys
2008-09-07 05:01:40 . 2008-09-07 04:38:25 848 --sha-w- C:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-25_05.52.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-25 23:46:32 . 2009-10-25 23:46:32 16384 C:\windows\temp\Perflib_Perfdata_71c.dat
+ 2004-08-07 00:17:39 . 2009-10-25 05:54:17 62344 C:\windows\system32\perfc009.dat
- 2004-08-07 00:17:39 . 2009-10-25 05:37:43 62344 C:\windows\system32\perfc009.dat
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 23040 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 23040 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 61440 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 61440 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 27136 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 27136 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 11264 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 11264 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 86016 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 86016 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 12288 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 12288 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 4096 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 4096 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2004-08-07 00:17:40 . 2009-10-25 05:37:43 401064 C:\windows\system32\perfh009.dat
+ 2004-08-07 00:17:40 . 2009-10-25 05:54:17 401064 C:\windows\system32\perfh009.dat
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 409600 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 409600 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 286720 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 286720 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 249856 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 249856 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 794624 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 794624 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 135168 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 135168 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2002-01-04 04:29:18 . 2009-10-25 19:06:08 593920 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2002-01-04 04:29:18 . 2002-01-04 04:29:18 593920 C:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 01:16:42 454784]
"L07AXLRD_59744406"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" [2006-06-10 09:10:58 351000]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 12:11:12 490952]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 12:42:30 1695232]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 22:31:16 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 18:50:42 155648]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-04-01 20:33:24 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-04-01 20:33:22 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-04-01 20:33:24 114688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 07:08:54 49152]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 17:34:56 291504]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-10-04 08:00:00 28672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-05-27 00:18:30 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 05:01:32 177472]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2007-11-15 11:02:26 1212368]
"LXCYCATS"="C:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 20:27:06 106496]
"WINDVDPatch"="CTHELPER.EXE" - C:\WINDOWS\system32\CTHELPER.EXE [2002-02-08 01:01:24 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - C:\WINDOWS\system32\advpack.dll [2009-03-08 11:32:48 128512]

C:\Documents and Settings\Windows XP\Start Menu\Programs\Startup\
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2006-1-21 118784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 16:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 14:21:57 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\windows\pss\Desktop Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NOD32FiXTemDono"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\WINDOWS\\system32\\lxcycoms.exe"=
"C:\\Sierra\\Half-Life\\hl.exe"=
"C:\\Program Files\\UnrealTournament\\System\\UnrealTournament.exe"=
"C:\\Sierra\\Half-Life\\hltv.exe"=
"C:\\Sierra\\Half-Life\\hlds.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=

R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [10/20/2009 5:52:12 PM 64288]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 11:43:28 AM 9968]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43:28 AM 74480]
R2 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe -service --> C:\WINDOWS\system32\lxcycoms.exe -service [?]
S0 TfFsMon;TfFsMon;C:\windows\system32\drivers\TfFsMon.sys --> C:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;C:\windows\system32\drivers\TfSysMon.sys --> C:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate1ca51e87f4c1cbc;Google Update Service (gupdate1ca51e87f4c1cbc);C:\Program Files\Google\Update\GoogleUpdate.exe [10/20/2009 5:50:33 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 4:17:32 AM 1169232]
S3 npggsvc;nProtect GameGuard Service;C:\windows\system32\GameMon.des -service --> C:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43:30 AM 7408]
S3 TfNetMon;TfNetMon;\??\C:\windows\system32\drivers\TfNetMon.sys --> C:\windows\system32\drivers\TfNetMon.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AAAAAAAA-IWE2-R26D-0I80-XP2V372A0343}]
C:\Documents and Settings\Windows XP\Desktop\Youtube.exe Restart
.
Contents of the 'Scheduled Tasks' folder

2009-10-24 C:\windows\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:06:13 . 2009-10-01 13:06:13]

2009-10-06 C:\windows\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34:12 . 2008-07-30 19:34:12]

2009-10-25 C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-10-21 00:50:33 . 2009-10-21 00:50:27]

2009-10-25 C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-10-21 00:50:33 . 2009-10-21 00:50:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
LSP: xfire_lsp_10650.dll
Trusted Zone: aol.com\free
Trusted Zone: nintendo.com\club
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - C:\Documents and Settings\Windows XP\Application Data\Mozilla\Firefox\Profiles\f0buqek6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2031308&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - DigitalPowered Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2031308&q=
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Ask Toolbar_is1 - C:\Program Files\AskBarDis\unins000.exe





And The Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 3034
Windows 5.1.2600 Service Pack 3

10/25/2009 9:16:42 PM
mbam-log-2009-10-25 (21-16-42).txt

Scan type: Quick Scan
Objects scanned: 100919
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{aaaaaaaa-iwe2-r26d-0i80-xp2v372a0343} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Windows XP\Desktop\avenger.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Prefetch\TEATIMER.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Windows XP\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Windows XP\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Windows XP\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Edited by Crazy_mofo213, 26 October 2009 - 12:05 AM.


#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:56 AM

Posted 26 October 2009 - 06:22 AM

This is a false positive:
C:\Documents and Settings\Windows XP\Desktop\avenger.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
But we won't need avenger anymore.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 Crazy_mofo213

Crazy_mofo213
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:56 AM

Posted 26 October 2009 - 09:16 PM

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/3/2002 3:25:43 AM
System Uptime: 10/26/2009 4:05:50 PM (2 hours ago)

Motherboard: Lite-On Tech. | | 08FCh
Processor: Intel® Pentium® 4 CPU 2.80GHz | mPGA478 | 2800/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 234 GiB total, 112.999 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
F: is CDROM ()
H: is CDROM ()
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 10/25/2009 3:47:39 PM - System Checkpoint
RP2: 10/26/2009 6:03:07 PM - System Checkpoint
RP3: 10/26/2009 6:26:09 PM - Installed AVG 9.0
RP4: 10/26/2009 6:30:11 PM - Installed AVG 9.0

==== Installed Programs ======================

3D Groove Playback Engine
3Planesoft Screensaver Manager 1.1
7-Zip 4.57
Acoustica Mixcraft 4.5
Action Replay Code Manager
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.5
Adobe Shockwave Player 11
AGEIA PhysX v7.11.13
AMX Mod X Installer 1.8.1
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Audacity 1.3.7 (Unicode)
Battlefield 1942
BlackBerry Desktop Software 4.2.2
Bonjour
BufferChm
Call of Duty
CameraDrivers
CameraUserGuides
Condition Zero
Counter-Strike 1.6 V40
Critical Update for Windows Media Player 11 (KB959772)
Dealio Toolbar v4.0.1
Delta Force - Black Hawk Down
Destinations
DeviceManagementQFolder
DigitalPowered Toolbar
Download Direct
Dragon's Lair 3D
Drivers Install For Linksys Easylink Advisor
ESET Online Scanner v3
eSupportQFolder
Far Cry (Patch 1.4)
Final Fantasy VII
Final Fantasy VII - Ultima Edition
Free Audio Converter version 1.1
GameSpy Arcade
Google Chrome
Google Update Helper
GTA: San Andreas RIP PT-BR by TemDono - #GTABrasil - BrasNET
Half-Life
Half-Life: Opposing Force
Halo 2 for Windows Vista
Hotbar
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Imaging Device Functions 6.0
HP Photosmart Cameras 6.0
HP Photosmart Essential
HP Software Update
HP Solution Center and Imaging Support Tools 6.0
hpiCamDrvQFolder
HPProductAssistant
Intel® Extreme Graphics 2 Driver
Intel® Network Connections 14.0.40.0
iTunes
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 11
Java™ 6 Update 3
K-Lite Codec Pack 4.8.5 (Standard)
KGB Archiver 1.2.1.24
Learning Essentials for Microsoft Office
Lexmark 3400 Series
Lexmark Toolbar
Linksys EasyLink Advisor 1.6 (0032)
LIVE gaming on Windows Runtime Version 1.0.6027
Malwarebytes' Anti-Malware
Mario Forever Galaxy
Metal Gear Solid
Metal Slug Anthology
Metal Slug Series with Enabled MAME 0.78
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Math
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Student 2007 for Learning Essentials
Microsoft Student with Encarta Premium 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C Runtime
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MobileMe Control Panel
Mozilla Firefox (2.0.0.1)
MSN Toolbar
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB925673)
Nero 6 Ultra Edition
Norton 360
NVIDIA Drivers
OpenAL
Pando Media Booster
Plants Vs Zombies
PowerDVD
Project64 1.6
PunkBuster Services
QuickTime
Rainlendar (remove only)
Realtek High Definition Audio Driver
Return to Castle Wolfenstein
Roxio Media Manager
Safari
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Shockwave
ShopperReports
SolutionCenter
SONIC HEROES
Sound Blaster Live!
SpeechRedist
Spybot - Search & Destroy
SpyNoMore 2.67
Star Wars JK II Jedi Outcast
Starcraft
Status
Super Mario Bros. Screensaver
SUPERAntiSpyware Free Edition
System Requirements Lab
TrayApp
TrueMotion Compression Toolkit
Uninstall 1.0.0.1
Unload
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Water Clock 3D Screensaver 1.0
WebFldrs XP
WebReg
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
WONswap
Xfire (remove only)
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
YouTube Downloader 2.5.3

==== Event Viewer Messages From Past Week ========

10/26/2009 6:01:48 AM, error: Print [6161] - The document Microsoft Word - Document1 owned by Windows XP failed to print on printer Lexmark 3400 Series. Data type: LEMF. Size of the spool file in bytes: 114413. Number of bytes printed: 114413. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\USER-C930C050F7. Win32 error code returned by the print processor: 0 (0x0).
10/24/2009 12:59:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde TfFsMon TfSysMon
10/24/2009 10:33:42 PM, error: SRService [104] - The System Restore initialization process failed.
10/24/2009 10:33:42 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
10/24/2009 10:17:38 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/24/2009 10:14:19 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 7:16:10 AM, error: Service Control Manager [7034] - The ThreatFire service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 6:59:33 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: Access is denied.
10/20/2009 6:59:28 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
10/20/2009 6:18:24 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 6:18:23 AM, error: Service Control Manager [7031] - The Eset Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
10/20/2009 6:18:22 AM, error: Service Control Manager [7034] - The PnkBstrB service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 6:18:22 AM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 6:18:22 AM, error: Service Control Manager [7034] - The lxcy_device service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 6:18:22 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 6:10:02 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TfSysMon
10/20/2009 6:09:30 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Eset Nod32 Boot service to connect.
10/20/2009 6:09:30 AM, error: Service Control Manager [7000] - The Eset Nod32 Boot service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/20/2009 6:09:30 AM, error: Service Control Manager [7000] - The Alerter service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
10/20/2009 5:58:29 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
10/20/2009 5:52:17 PM, error: Service Control Manager [7000] - The Lbd service failed to start due to the following error: The parameter is incorrect.
10/20/2009 5:12:18 PM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
10/20/2009 5:07:02 PM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
10/20/2009 5:06:40 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 5:06:33 PM, error: Service Control Manager [7034] - The PC Tools Auxiliary Service service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 4:50:01 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/20/2009 4:50:01 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/20/2009 4:29:04 AM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 4:09:35 PM, error: Service Control Manager [7034] - The WMDM PMSP Service service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 3:53:57 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the sdCoreService service.
10/20/2009 3:29:16 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 3:28:40 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 3:22:34 PM, error: Service Control Manager [7034] - The Browser Defender Update Service service terminated unexpectedly. It has done this 1 time(s).
10/20/2009 3:19:07 PM, error: Service Control Manager [7000] - The ThreatFire service failed to start due to the following error: Access is denied.
10/20/2009 3:06:31 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952443
10/20/2009 3:06:30 PM, error: Service Control Manager [7024] - The Bonjour Service service terminated with service-specific error 4294967295 (0xFFFFFFFF).
10/20/2009 3:06:30 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The requested protocol has not been configured into the system, or no implementation for it exists.
10/19/2009 9:44:55 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
10/19/2009 9:44:55 PM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/19/2009 9:22:52 PM, error: Service Control Manager [7034] - The Roxio Hard Drive Watcher 9 service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


DDS.txt

DDS (Ver_09-10-26.01) - NTFSx86
Run by Windows XP at 18:32:50.87 on Mon 10/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.492 [GMT -7:00]

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\windows\system32\WgaTray.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\windows\system32\CTHELPER.EXE
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\windows\system32\devldr32.exe
C:\Program Files\Hotbar\bin\11.0.78.0\Weather.exe
C:\windows\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Windows XP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: Encarta Web Companion: {147d6308-0614-4112-89b1-31402f9b82c4} - c:\program files\common files\microsoft shared\encarta web companion\2007\ENCWCBAR.DLL
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [L07AXLRD_59744406] "c:\program files\microsoft student\microsoft student with encarta premium 2007 dvd\EDICT.EXE" -m
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [lxcymon.exe] "c:\program files\lexmark 3400 series\lxcymon.exe"
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [Jet Detection] c:\program files\creative\sblive\program\ADGJDet.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\window~1\startm~1\programs\startup\rainle~1.lnk - c:\program files\rainlendar\Rainlendar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116} - c:\program files\shoppingreport\bin\2.6.58\ShoppingReport.dll
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - c:\program files\shoppingreport\bin\2.6.58\ShoppingReport.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: xfire_lsp_10650.dll
Trusted Zone: aol.com\free
Trusted Zone: nintendo.com\club
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\window~1\applic~1\mozilla\firefox\profiles\f0buqek6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2031308&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - DigitalPowered Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2031308&q=
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-20 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 74480]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate1ca51e87f4c1cbc;Google Update Service (gupdate1ca51e87f4c1cbc);c:\program files\google\update\GoogleUpdate.exe [2009-10-20 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1169232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

=============== Created Last 30 ================

2009-10-27 01:10:04 0 d-----w- c:\docume~1\window~1\applic~1\AVG8
2009-10-26 23:34:24 0 d-----w- c:\docume~1\alluse~1\applic~1\HotbarSA
2009-10-26 23:34:24 0 d-----w- c:\docume~1\alluse~1\applic~1\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2009-10-26 23:34:23 0 d-----w- c:\docume~1\window~1\applic~1\WeatherDPA
2009-10-26 23:34:21 0 d-----w- c:\program files\Hotbar
2009-10-26 23:34:21 0 d-----w- c:\docume~1\window~1\applic~1\Hotbar
2009-10-26 23:34:17 0 d-----w- c:\docume~1\window~1\applic~1\ShoppingReport
2009-10-26 23:34:16 0 d-----w- c:\program files\ShoppingReport
2009-10-26 00:30:43 0 d-----w- c:\program files\ESET
2009-10-25 23:54:38 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
2009-10-25 23:01:20 77312 ----a-w- c:\windows\MBR.exe
2009-10-25 23:01:14 0 d-----w- C:\kahdah13915k
2009-10-25 22:58:27 0 d-----w- C:\kahdah
2009-10-25 05:13:47 98816 ----a-w- c:\windows\sed.exe
2009-10-25 05:13:47 236544 ----a-w- c:\windows\PEV.exe
2009-10-25 05:13:47 161792 ----a-w- c:\windows\SWREG.exe
2009-10-24 16:23:59 0 d-----w- c:\program files\Spyware Doctor
2009-10-24 16:23:59 0 d-----w- c:\docume~1\window~1\applic~1\PC Tools
2009-10-21 02:21:25 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-21 00:52:12 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-21 00:50:24 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-21 00:50:03 0 d-----w- c:\program files\Lavasoft
2009-10-18 04:14:36 0 d-----w- c:\program files\VALVe
2009-10-17 00:09:20 291328 ----a-w- C:\cmjb6k4l.exe
2009-10-06 14:24:42 0 d-----w- C:\Sega
2009-09-27 23:50:35 0 d-----w- c:\program files\Steam

==================== Find3M ====================

2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 03:39:18 687104 ----a-w- c:\windows\is-ENRAR.exe
2009-08-23 00:21:26 12265 ----a-w- c:\windows\scunin.dat
2009-08-23 00:13:22 68096 ----a-w- c:\windows\ScUnin.exe
2009-08-16 02:49:39 905 ----a-w- c:\program files\uninstal.log
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-05-31 20:49:17 25 ----a-w- c:\program files\popcinfot.dat
2008-09-07 05:01:39 56 --sh--r- c:\windows\system32\41E010771D.sys
2008-09-07 05:01:40 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:33:16.90 ===============

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:56 AM

Posted 27 October 2009 - 07:14 AM

Please uninstall these programs below:
Ask Toolbar
Dealio Toolbar v4.0.1
ESET Online Scanner v3
GameSpy Arcade
Hotbar
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 11
Java™ 6 Update 3
ShopperReports


=================
=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image
======Next======
  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
======================Clear out infected System Restore points======================


Then we need to reset your System Restore points.
The link below shows how to do this.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete\uninstall anything else that we have used that is leftover.

=====================================
After that your all set. :(


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users