Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I Need Help Removing A Problematic Infection


  • This topic is locked This topic is locked
41 replies to this topic

#1 HERCULES1X

HERCULES1X

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 20 October 2009 - 02:46 PM

Hello

I am having a terrible time trying to rid my computer of an infection that seizes my browsers, runs my memory down to zero, causes my browsers to crash often, makes my harddrive run like crazy even if I am not doing anything etc etc. When the infection first occured I kept getting this pop up that said I must by ANTISPYWARE 2010 to clean my system because my computer is infected. I then noticed that the infection had turned off my AVG antivirus program. Then came a rash of other pop ups and computer malfunctions. I tried running various malware/virus programs to clean my system, but nothing worked becasue the programs would shut down before they could initialize or finish the clean up. I tried Malwarebytes, Spybot, A2antispyware, Kaspersky etc etc and nothing worked. I tried Spyware Doctor and it detected the rootkits and variuis other malware and cleaned them out...or so I thought. I had the names of the rootkits and malwares, but when Spyware doctor cleaned them out I discarded them thinking everything was fine....IT WASN'T.

THe infections and abnormalties returned with a vengence. Successive runs of Spyware Doctor now detects nothing, but I still have all of the problems mentioned above. Below is the RootRepeal Scans and PeekBat scans I did for another technician on this board...CAn you help me identify and remove this/these infections???

P.S. The technician asked that I run a DDS scan..unfortunately that scan was terminated by the virus when I tried to run it. I tried successive runs hoping somehow it would complete before terminating, but it was not possible.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/16 17:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF677A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D95000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7EF1000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF620A000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7AC7000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF7937000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf7719d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf76fa9a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf76fab98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf771a568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf771a820

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf7718a80

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf771ac8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf771a036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf76fa656

==EOF==



PeekBat Scan

Volume in drive C has no label.
Volume Serial Number is 50EE-C513

Directory of C:\WINDOWS\system32

04/13/2008 11:00 PM 60,928 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 11:00 PM 56,320 eventlog.dll
2 File(s) 117,248 bytes

Total Files Listed:
2 File(s) 117,248 bytes
0 Dir(s) 74,066,497,536 bytes free

Edited by HERCULES1X, 20 October 2009 - 06:11 PM.


BC AdBot (Login to Remove)

 


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:01 PM

Posted 20 October 2009 - 07:04 PM

Hi, HERCULES1X :(

Welcome.

Please follow these steps:

Step 1

Please save this file to your desktop.

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here in your next reply. (Please allow the application to finish. You will know as the last sentence in the report will be "Finished".)

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 2

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#3 HERCULES1X

HERCULES1X
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 21 October 2009 - 12:11 PM

Hello JSntgRvr


Here is the result of the WIN32DIAG scan

Running from: C:\Documents and Settings\Admin\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Admin\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Cannot access: C:\WINDOWS\system32\scecli.dll

Attempting to restore permissions of : C:\WINDOWS\system32\scecli.dll

[1] 2008-04-13 23:00:00 60928 C:\WINDOWS\system32\scecli.dll ()

[2] 2008-04-13 23:00:00 181248 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe



Finished!




Here is the result of the COMBOFIX scan. BTW Program tried downloading RECOVERY CONSOLE, but I got a message it FAILED when trying to do so

ComboFix 09-10-20.03 - Admin 10/21/2009 12:45.1.1 - NTFSx86
Running from: c:\documents and settings\Admin\Desktop\Combo-Fix.exe
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\Desktopicon
c:\documents and settings\Admin\Application Data\Desktopicon\eBayShortcuts.exe
c:\documents and settings\Admin\Application Data\FunWebProducts
c:\documents and settings\Admin\Application Data\FunWebProducts\Data\Admin\avatar.dat
c:\documents and settings\Admin\Application Data\FunWebProducts\Data\Admin\zbucks.dat
c:\documents and settings\Admin\Application Data\inst.exe
c:\documents and settings\Admin\Application Data\ovesyc.vbs
c:\documents and settings\Admin\Cookies\efusulyve._sy
c:\documents and settings\Admin\Cookies\lufywomur.dll
c:\documents and settings\Admin\Cookies\murowycofo.ban
c:\documents and settings\Admin\Cookies\rocycoxo.ban
c:\documents and settings\Admin\Local Settings\Application Data\citarafotu.bat
c:\documents and settings\All Users\Application Data\ejasy.reg
c:\documents and settings\All Users\Application Data\fekidecodo.reg
C:\p2hhr.bat
c:\program files\Common Files\alg.exe
c:\program files\Toolbar
c:\windows\aratosun.bat
c:\windows\epanymyhe._sy
c:\windows\Installer\119a6dc4.msi
c:\windows\Installer\17de3bb0.msi
c:\windows\Installer\420ebd.msi
c:\windows\Installer\df0bc.msi
c:\windows\odizokaqun.scr
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\Data
c:\windows\system32\drivers\SKYNETsfkftpap.sys.vir
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\vovikelapy._sy
c:\windows\wuloledu.reg
E:\Autorun.inf

c:\windows\system32\scecli.dll . . . is infected!!

c:\windows\system32\netlogon.dll . . . is infected!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-15 20:16 . 2006-08-30 11:10 158456 ------w- c:\windows\system32\pxwma.dll
2009-10-14 19:25 . 2009-10-14 19:42 -------- d-----w- C:\AudioConverter
2009-10-14 19:13 . 2009-10-14 19:13 -------- d-----w- c:\program files\easetech
2009-09-27 02:46 . 2009-03-16 18:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-09-27 02:45 . 2006-07-28 13:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2009-09-27 02:41 . 2009-09-27 02:41 -------- d-----w- c:\windows\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 16:40 . 2009-06-15 20:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-18 18:17 . 2009-06-11 05:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-18 03:54 . 2009-06-11 03:48 -------- d-----w- c:\program files\BitComet
2009-10-17 19:30 . 2009-07-10 15:16 -------- d-----w- c:\documents and settings\Admin\Application Data\dvdcss
2009-10-17 19:26 . 2009-06-11 05:31 -------- d-----w- c:\documents and settings\Admin\Application Data\Vso
2009-10-16 21:11 . 2009-08-30 18:13 -------- d-----w- c:\program files\Spyware Doctor
2009-10-16 21:08 . 2009-08-08 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-15 20:32 . 2009-06-20 00:57 88968 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 20:12 . 2009-06-11 05:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-13 03:55 . 2009-07-22 03:19 -------- d-----w- c:\documents and settings\Admin\Application Data\LimeWire
2009-09-27 02:51 . 2009-08-30 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-10 23:37 . 2009-06-18 05:39 -------- d-----w- c:\documents and settings\Admin\Application Data\ContentGuard
2009-09-10 22:47 . 2009-09-10 22:46 -------- d-----w- c:\program files\Trojan Remover
2009-09-10 22:46 . 2009-09-10 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-09-10 22:46 . 2009-09-10 22:46 -------- d-----w- c:\documents and settings\Admin\Application Data\Simply Super Software
2009-09-08 17:07 . 2009-09-07 22:39 -------- d-----w- c:\program files\DivX
2009-09-07 03:21 . 2009-09-07 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Martau
2009-09-07 03:19 . 2009-09-07 03:18 -------- d-----w- c:\program files\Total Uninstall 4
2009-09-04 21:44 . 2009-09-27 02:47 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 21:44 . 2009-09-27 02:47 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 21:44 . 2009-09-27 02:47 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:29 . 2009-09-27 02:47 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 21:29 . 2009-09-27 02:47 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 21:29 . 2009-09-27 02:47 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 21:29 . 2009-09-27 02:47 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 21:29 . 2009-09-27 02:47 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 06:12 . 2009-08-30 18:14 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-04 06:12 . 2009-09-04 06:12 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-03 05:36 . 2009-09-01 03:28 -------- d-----w- c:\program files\a-squared Anti-Malware
2009-09-02 03:03 . 2009-06-14 01:07 58688 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-01 19:09 . 2009-09-01 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-09-01 19:09 . 2009-09-01 19:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-01 19:09 . 2009-09-01 19:09 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-09-01 19:09 . 2009-09-01 19:09 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-01 19:09 . 2009-09-01 19:09 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-01 19:09 . 2009-09-01 19:09 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-01 19:07 . 2009-09-01 19:07 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-09-01 19:07 . 2009-09-01 19:07 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-09-01 19:07 . 2009-09-01 19:07 -------- d-----w- c:\program files\AVG
2009-09-01 19:07 . 2009-09-01 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-01 18:43 . 2009-06-22 23:48 -------- d-----w- c:\program files\JetLinks
2009-09-01 04:26 . 2009-07-16 13:03 -------- d-----w- c:\program files\muvee Technologies
2009-08-31 02:13 . 2009-08-30 17:26 -------- d-----w- c:\program files\Common Files\G DATA
2009-08-31 02:13 . 2009-08-30 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\G DATA
2009-08-31 01:07 . 2009-08-31 01:01 -------- d-----w- c:\program files\RegCure
2009-08-30 21:39 . 2009-08-30 21:39 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-30 18:14 . 2009-08-30 18:14 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-30 18:13 . 2009-08-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-30 18:13 . 2009-08-30 18:13 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools
2009-08-30 17:28 . 2009-08-30 17:28 22272 ----a-w- c:\windows\system32\drivers\GDNdisIc.sys
2009-08-30 17:28 . 2009-08-30 17:28 51016 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2009-08-30 04:25 . 2009-08-30 04:25 201312 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-30 04:24 . 2009-08-30 04:24 -------- d-----w- c:\program files\MSBuild
2009-08-30 04:23 . 2009-08-30 04:23 -------- d-----w- c:\program files\Reference Assemblies
2009-08-30 03:26 . 2009-06-13 12:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-26 00:04 . 2009-08-06 17:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-26 00:04 . 2009-08-06 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-25 20:22 . 2009-08-25 17:06 -------- d-----w- c:\program files\MSECACHE
2009-08-25 07:23 . 2009-08-25 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-08-25 07:23 . 2009-08-25 04:53 -------- d-----w- c:\program files\IObit
2009-08-25 04:11 . 2009-08-25 04:11 -------- d-----w- c:\documents and settings\Admin\Application Data\IObit
2009-08-25 02:49 . 2009-08-25 02:49 -------- d-----w- c:\program files\Safari
2009-08-24 00:47 . 2009-07-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\RFA_Backups
2009-08-16 19:45 . 2009-07-22 03:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-08 18:45 . 2009-08-08 18:45 17737 ----a-w- c:\windows\system32\texo.scr
2009-08-08 18:45 . 2009-08-08 18:45 17405 ----a-w- c:\windows\system32\qyky.dll
2009-08-08 18:45 . 2009-08-08 18:45 17120 ----a-w- c:\documents and settings\All Users\Application Data\ikilaku.dat
2009-08-08 18:45 . 2009-08-08 18:45 14299 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\qala.com
2009-08-08 18:45 . 2009-08-08 18:45 12276 ----a-w- c:\documents and settings\All Users\Application Data\segax.dll
2009-08-08 18:45 . 2009-08-08 18:45 12217 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\sake.com
2009-08-08 18:45 . 2009-08-08 18:45 19765 ----a-w- c:\program files\Common Files\secavogoxo._sy
2009-08-08 18:36 . 2009-08-08 18:36 7113 ----a-w- c:\windows\system32\cleartmp.cmd
2009-08-08 16:47 . 2009-08-08 16:47 96976 ----a-w- c:\windows\system32\drivers\klin.dat
2009-08-08 16:47 . 2009-08-08 16:47 87855 ----a-w- c:\windows\system32\drivers\klick.dat
2009-08-08 04:17 . 2009-08-08 04:17 19719 ----a-w- c:\program files\Common Files\dytux.sys
2009-08-08 04:17 . 2009-08-08 04:17 16708 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\mata.exe
2009-08-08 04:17 . 2009-08-08 04:17 16452 ----a-w- c:\documents and settings\Admin\Application Data\orarefo.com
2009-08-08 04:17 . 2009-08-08 04:17 14523 ----a-w- c:\program files\Common Files\buhaf.sys
2009-08-08 04:17 . 2009-08-08 04:17 13781 ----a-w- c:\windows\system32\iruworocav.com
2009-08-08 04:17 . 2009-08-08 04:17 12784 ----a-w- c:\windows\enaz.sys
2009-08-08 04:17 . 2009-08-08 04:17 12076 ----a-w- c:\windows\system32\ihupa.exe
2009-08-08 04:17 . 2009-08-08 04:17 11865 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\orumaxovez.sys
2009-08-08 04:17 . 2009-08-08 04:17 11780 ----a-w- c:\documents and settings\Admin\Application Data\ywacebeji.sys
2009-08-08 04:17 . 2009-08-08 04:17 11172 ----a-w- c:\documents and settings\Admin\Application Data\uhod.dat
2009-08-08 04:17 . 2009-08-08 04:17 10847 ----a-w- c:\program files\Common Files\uvymyjex._sy
2009-08-07 21:29 . 2009-08-07 21:29 0 ----a-w- C:\vkywt.exe
2009-06-11 04:48 . 2009-06-11 04:48 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-06-11 04:48 . 2009-06-11 04:48 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-06-11 04:48 . 2009-06-11 04:48 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll

[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2008-04-14 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll

[-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys


[-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys

[-] 2008-04-14 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-11-27 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-11-27 00:07 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll

[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\SP3QFE\kernel32.dll
[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\SP2GDR\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\SP3GDR\kernel32.dll
[-] 2009-03-21 . 80202858D245FF07DAA1739C57A3E19B . 989184 . . [5.1.2600.3541] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\SP2QFE\kernel32.dll
[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\system32\kernel32.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

[-] 2009-07-19 . 758C8BEDAB7CE5F9070C85E2E57CBD80 . 3597824 . . [7.00.6000.16890] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\SP3GDR\mshtml.dll
[-] 2009-07-19 . F6098CC1B1C3858D53F20F3CB5774F3B . 3600384 . . [7.00.6000.21089] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\SP3QFE\mshtml.dll
[-] 2008-11-25 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\system32\mshtml.dll

[-] 2008-11-27 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll


[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll

[-] 2009-02-07 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . FACEBB0CA3154F77009CDFEE78A00BBB . 2180480 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe
[-] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe
[-] 2008-11-27 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . c:\windows\system32\ntoskrnl.exe

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\rpcss.dll
[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\rpcss.dll
[-] 2009-02-09 . 01095FEBF33BEEA00C2A0730B9B3EC28 . 399360 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\rpcss.dll
[-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\rpcss.dll
[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\system32\rpcss.dll

[-] 2008-04-14 03:00 . !HASH: COULD NOT OPEN FILE !!!!! . 60928 . . [------] . . c:\windows\system32\scecli.dll

[-] 2009-02-06 . 37561F8D4160D62DA86D24AE41FAE8DE . 110592 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\system32\services.exe

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[-] 2009-06-29 . 4C6B4138165A4C53FE8A5B1D809526C3 . 828928 . . [7.00.6000.21073] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\SP3QFE\wininet.dll
[-] 2009-06-29 . A39B7BA7AB9B1CC2A0009F59772DB83C . 827392 . . [7.00.6000.16876] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\SP3GDR\wininet.dll
[-] 2008-11-25 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\system32\wininet.dll

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

[-] 2004-08-03 . 9A41E77AF64CA976E6F61B55401CBEBB . 1110528 . . [6.00.2900.2180] . . c:\windows\explorer.exe

[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll
[-] 2008-04-14 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[-] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\shsvcs.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll

[-] 2008-04-14 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-14 13:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys

[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2008-04-14 03:00 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll

[-] 2008-11-25 12:09 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

[-] 2009-02-07 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe
[-] 2009-02-06 . 3006410E24772CC6953F0B5C01BEB35F . 2057728 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe
[-] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe
[-] 2008-11-27 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . c:\windows\system32\ntkrnlpa.exe

[-] 2008-04-14 03:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll

c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\netlogon.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2009-05-28 2707526]
"SansaDispatch"="c:\documents and settings\Admin\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-07-10 79872]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2002-09-17 2181704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-21 2025752]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-09-04 1069960]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-11-25 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Qs Black Shine Blue.wsstyles [2008-5-19 210081]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-11 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-01 19:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Styler.lnk]
backup=c:\windows\pss\Styler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malware Scanner

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8545:TCP"= 8545:TCP:BitComet 8545 TCP
"8545:UDP"= 8545:UDP:BitComet 8545 UDP
"15389:TCP"= 15389:TCP:BitComet 15389 TCP
"15389:UDP"= 15389:UDP:BitComet 15389 UDP

R1 aswSP;avast! Self Protection; [x]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [x]
R3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-09-01 29208]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; [x]
R3 G Data Tuner Service;G Data Tuner Service; [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-09-01 12552]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-04 206256]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-09-01 335240]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-09-01 108552]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-09-01 297752]
S2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-09-01 1370488]
S2 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys [2009-05-12 61328]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-09-01 29208]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226ED}
*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226EE}
*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226ED}
*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226EE}

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]

2009-10-15 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZSfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\ui0ll4hj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\ui0ll4hj.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\inspector.dll
FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\ui0ll4hj.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 12:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FirebirdServerMAGIXInstance]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"="system32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
"ImagePath"="system32\DRIVERS\fltMgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FontCache3.0.0.0]
"ImagePath"="c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\G Data Tuner Service]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GearAspiWDM]
"ImagePath"="System32\drivers\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\idsvc]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IKFileSec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IKSysFlt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JavaQuickStarterService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LanmanServer]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nero BackItUp Scheduler 3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NMIndexingService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ose]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ossrv]
"ImagePath"="system32\DRIVERS\ctoss2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Outlook]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\P17]
"ImagePath"="system32\drivers\P17.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]
"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pcouffin]
"ImagePath"="System32\Drivers\pcouffin.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCTCore]
"ImagePath"="system32\drivers\PCTCore.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PLFlash DeviceIoControl Service]
"ImagePath"="c:\windows\system32\IoctlSvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdAuxService]
"ImagePath"="c:\program files\Spyware Doctor\pctsAuxs.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdCoreService]
"ImagePath"="c:\program files\Spyware Doctor\pctsSvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SISNIC]
"ImagePath"="system32\DRIVERS\sisnic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{69FFAF9A-6BA4-47FA-8BA1-A9B33920E7D7}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\szkg5]
"ImagePath"="system32\drivers\szkg.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\szserver]
"ImagePath"="\"c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uagp35]
"ImagePath"="system32\DRIVERS\uagp35.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbohci]
"ImagePath"="system32\DRIVERS\usbohci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VXD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]
"ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{2C86F669-7701-4C05-B7C7-5CF9C3163DF9}]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C30BA2D5-458E-E5B1-0746-94607E1C24A3}\InProcServer32*]
"oakjchaefhagcglhjmpdccmlkglnoj"=hex:69,61,6d,62,61,6f,6a,62,6f,68,63,6e,62,66,
62,6c,70,64,00,00
"nakjmfceeffeknmckdjjchgbdike"=hex:6b,61,6c,63,69,62,61,62,69,70,69,69,6f,64,
63,64,6b,63,6d,61,67,69,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3212)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\combo-fix\CF2103.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-21 12:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-21 16:58

Pre-Run: 79,461,605,376 bytes free
Post-Run: 81,260,228,608 bytes free

- - End Of File - - 804676CE50548C2875BD2194C64FCFA6

Edited by Orange Blossom, 25 October 2009 - 02:15 PM.
Remove unnecessary quote. ~ OB


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:01 PM

Posted 21 October 2009 - 08:06 PM

Hi, HERCULES1X :(

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\WINDOWS\system32\sceclt.dll | C:\WINDOWS\system32\scecli.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

Collect::
c:\windows\system32\texo.scr
c:\windows\system32\qyky.dll
c:\documents and settings\All Users\Application Data\ikilaku.dat
c:\documents and settings\Admin\Local Settings\Application Data\qala.com
c:\documents and settings\All Users\Application Data\segax.dll
c:\documents and settings\Admin\Local Settings\Application Data\sake.com
c:\program files\Common Files\secavogoxo._sy
c:\windows\system32\cleartmp.cmd
c:\windows\system32\drivers\klin.dat
c:\windows\system32\drivers\klick.dat
c:\program files\Common Files\dytux.sys
c:\documents and settings\Admin\Local Settings\Application Data\mata.exe
c:\documents and settings\Admin\Application Data\orarefo.com
c:\program files\Common Files\buhaf.sys
c:\windows\system32\iruworocav.com
c:\windows\enaz.sys
c:\windows\system32\ihupa.exe
c:\documents and settings\Admin\Local Settings\Application Data\orumaxovez.sys
c:\documents and settings\Admin\Application Data\ywacebeji.sys
c:\documents and settings\Admin\Application Data\uhod.dat
c:\program files\Common Files\uvymyjex._sy

File::
C:\vkywt.exe


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

===============================================================


Additionally, when CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

===============================================================


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    netlogon.dll
    ntelogon.dll
    beep.sys
    proquota.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#5 HERCULES1X

HERCULES1X
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 22 October 2009 - 11:21 AM

Hello JSntgRvr


HERE IS THE AVENGER TEXT

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Oct 22 11:26:44 2009

11:26:44: Error: Could not register cleanup.
Aborting execution! (error 0: the operation completed successfully.)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\sceclt.dll|C:\WINDOWS\system32\scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


HERE IS THE NEW COMBOFIX SCAN

ComboFix 09-10-20.03 - Admin 10/22/2009 11:49.2.1 - NTFSx86
Running from: c:\documents and settings\Admin\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Created a new restore point

FILE ::
"C:\vkywt.exe"

file zipped: c:\documents and settings\Admin\Application Data\orarefo.com
file zipped: c:\documents and settings\Admin\Application Data\uhod.dat
file zipped: c:\documents and settings\Admin\Application Data\ywacebeji.sys
file zipped: c:\documents and settings\Admin\Local Settings\Application Data\mata.exe
file zipped: c:\documents and settings\Admin\Local Settings\Application Data\orumaxovez.sys
file zipped: c:\documents and settings\Admin\Local Settings\Application Data\qala.com
file zipped: c:\documents and settings\Admin\Local Settings\Application Data\sake.com
file zipped: c:\documents and settings\All Users\Application Data\ikilaku.dat
file zipped: c:\documents and settings\All Users\Application Data\segax.dll
file zipped: c:\program files\Common Files\buhaf.sys
file zipped: c:\program files\Common Files\dytux.sys
file zipped: c:\program files\Common Files\secavogoxo._sy
file zipped: c:\program files\Common Files\uvymyjex._sy
file zipped: c:\windows\enaz.sys
file zipped: c:\windows\system32\cleartmp.cmd
file zipped: c:\windows\system32\drivers\klick.dat
file zipped: c:\windows\system32\drivers\klin.dat
file zipped: c:\windows\system32\ihupa.exe
file zipped: c:\windows\system32\iruworocav.com
file zipped: c:\windows\system32\qyky.dll
file zipped: c:\windows\system32\texo.scr
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\orarefo.com
c:\documents and settings\Admin\Application Data\uhod.dat
c:\documents and settings\Admin\Application Data\ywacebeji.sys
c:\documents and settings\Admin\Local Settings\Application Data\mata.exe
c:\documents and settings\Admin\Local Settings\Application Data\orumaxovez.sys
c:\documents and settings\Admin\Local Settings\Application Data\qala.com
c:\documents and settings\Admin\Local Settings\Application Data\sake.com
c:\documents and settings\All Users\Application Data\ikilaku.dat
c:\documents and settings\All Users\Application Data\segax.dll
c:\program files\Common Files\buhaf.sys
c:\program files\Common Files\dytux.sys
c:\program files\Common Files\secavogoxo._sy
c:\program files\Common Files\uvymyjex._sy
C:\vkywt.exe
c:\windows\enaz.sys
c:\windows\system32\cleartmp.cmd
c:\windows\system32\drivers\klick.dat
c:\windows\system32\drivers\klin.dat
c:\windows\system32\ihupa.exe
c:\windows\system32\iruworocav.com
c:\windows\system32\qyky.dll
c:\windows\system32\texo.scr

c:\windows\system32\netlogon.dll . . . is infected!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.

2009-10-15 20:16 . 2006-08-30 11:10 158456 ------w- c:\windows\system32\pxwma.dll
2009-10-14 19:25 . 2009-10-14 19:42 -------- d-----w- C:\AudioConverter
2009-10-14 19:13 . 2009-10-14 19:13 -------- d-----w- c:\program files\easetech
2009-09-27 02:46 . 2009-03-16 18:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-09-27 02:45 . 2006-07-28 13:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2009-09-27 02:41 . 2009-09-27 02:41 -------- d-----w- c:\windows\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 15:45 . 2009-06-15 20:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-22 15:33 . 2009-08-30 18:13 -------- d-----w- c:\program files\Spyware Doctor
2009-10-22 15:13 . 2009-06-11 05:31 -------- d-----w- c:\documents and settings\Admin\Application Data\Vso
2009-10-22 06:27 . 2009-06-11 05:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-18 03:54 . 2009-06-11 03:48 -------- d-----w- c:\program files\BitComet
2009-10-17 19:30 . 2009-07-10 15:16 -------- d-----w- c:\documents and settings\Admin\Application Data\dvdcss
2009-10-16 21:08 . 2009-08-08 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-15 20:32 . 2009-06-20 00:57 88968 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 20:12 . 2009-06-11 05:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-13 03:55 . 2009-07-22 03:19 -------- d-----w- c:\documents and settings\Admin\Application Data\LimeWire
2009-09-27 02:51 . 2009-08-30 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-10 23:37 . 2009-06-18 05:39 -------- d-----w- c:\documents and settings\Admin\Application Data\ContentGuard
2009-09-10 22:47 . 2009-09-10 22:46 -------- d-----w- c:\program files\Trojan Remover
2009-09-10 22:46 . 2009-09-10 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-09-10 22:46 . 2009-09-10 22:46 -------- d-----w- c:\documents and settings\Admin\Application Data\Simply Super Software
2009-09-08 17:07 . 2009-09-07 22:39 -------- d-----w- c:\program files\DivX
2009-09-07 03:21 . 2009-09-07 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Martau
2009-09-07 03:19 . 2009-09-07 03:18 -------- d-----w- c:\program files\Total Uninstall 4
2009-09-04 21:44 . 2009-09-27 02:47 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 21:44 . 2009-09-27 02:47 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 21:44 . 2009-09-27 02:47 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:29 . 2009-09-27 02:47 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 21:29 . 2009-09-27 02:47 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 21:29 . 2009-09-27 02:47 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 21:29 . 2009-09-27 02:47 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 21:29 . 2009-09-27 02:47 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 06:12 . 2009-08-30 18:14 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-04 06:12 . 2009-09-04 06:12 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-03 05:36 . 2009-09-01 03:28 -------- d-----w- c:\program files\a-squared Anti-Malware
2009-09-02 03:03 . 2009-06-14 01:07 58688 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-01 19:09 . 2009-09-01 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-09-01 19:09 . 2009-09-01 19:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-01 19:09 . 2009-09-01 19:09 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-09-01 19:09 . 2009-09-01 19:09 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-01 19:09 . 2009-09-01 19:09 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-01 19:09 . 2009-09-01 19:09 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-01 19:07 . 2009-09-01 19:07 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-09-01 19:07 . 2009-09-01 19:07 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-09-01 19:07 . 2009-09-01 19:07 -------- d-----w- c:\program files\AVG
2009-09-01 19:07 . 2009-09-01 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-01 18:43 . 2009-06-22 23:48 -------- d-----w- c:\program files\JetLinks
2009-09-01 04:26 . 2009-07-16 13:03 -------- d-----w- c:\program files\muvee Technologies
2009-08-31 02:13 . 2009-08-30 17:26 -------- d-----w- c:\program files\Common Files\G DATA
2009-08-31 02:13 . 2009-08-30 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\G DATA
2009-08-31 01:07 . 2009-08-31 01:01 -------- d-----w- c:\program files\RegCure
2009-08-30 21:39 . 2009-08-30 21:39 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-30 18:14 . 2009-08-30 18:14 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-30 18:13 . 2009-08-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-30 18:13 . 2009-08-30 18:13 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools
2009-08-30 17:28 . 2009-08-30 17:28 22272 ----a-w- c:\windows\system32\drivers\GDNdisIc.sys
2009-08-30 17:28 . 2009-08-30 17:28 51016 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2009-08-30 04:25 . 2009-08-30 04:25 201312 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-30 04:24 . 2009-08-30 04:24 -------- d-----w- c:\program files\MSBuild
2009-08-30 04:23 . 2009-08-30 04:23 -------- d-----w- c:\program files\Reference Assemblies
2009-08-30 03:26 . 2009-06-13 12:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-26 00:04 . 2009-08-06 17:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-26 00:04 . 2009-08-06 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-25 20:22 . 2009-08-25 17:06 -------- d-----w- c:\program files\MSECACHE
2009-08-25 07:23 . 2009-08-25 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-08-25 07:23 . 2009-08-25 04:53 -------- d-----w- c:\program files\IObit
2009-08-25 04:11 . 2009-08-25 04:11 -------- d-----w- c:\documents and settings\Admin\Application Data\IObit
2009-08-25 02:49 . 2009-08-25 02:49 -------- d-----w- c:\program files\Safari
2009-08-24 00:47 . 2009-07-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\RFA_Backups
2009-08-16 19:45 . 2009-07-22 03:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-11 04:48 . 2009-06-11 04:48 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-06-11 04:48 . 2009-06-11 04:48 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-06-11 04:48 . 2009-06-11 04:48 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll

[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2008-04-14 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll

[-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys


[-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys

[-] 2008-04-14 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-11-27 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-11-27 00:07 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll

[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\SP3QFE\kernel32.dll
[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\SP2GDR\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\SP3GDR\kernel32.dll
[-] 2009-03-21 . 80202858D245FF07DAA1739C57A3E19B . 989184 . . [5.1.2600.3541] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\SP2QFE\kernel32.dll
[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\system32\kernel32.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

[-] 2009-07-19 . 758C8BEDAB7CE5F9070C85E2E57CBD80 . 3597824 . . [7.00.6000.16890] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\SP3GDR\mshtml.dll
[-] 2009-07-19 . F6098CC1B1C3858D53F20F3CB5774F3B . 3600384 . . [7.00.6000.21089] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\SP3QFE\mshtml.dll
[-] 2008-11-25 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\system32\mshtml.dll

[-] 2008-11-27 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll


[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll

[-] 2009-02-07 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . FACEBB0CA3154F77009CDFEE78A00BBB . 2180480 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe
[-] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe
[-] 2008-11-27 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . c:\windows\system32\ntoskrnl.exe

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\rpcss.dll
[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\rpcss.dll
[-] 2009-02-09 . 01095FEBF33BEEA00C2A0730B9B3EC28 . 399360 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\rpcss.dll
[-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\rpcss.dll
[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\system32\rpcss.dll

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll

[-] 2009-02-06 . 37561F8D4160D62DA86D24AE41FAE8DE . 110592 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\system32\services.exe

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[-] 2009-06-29 . 4C6B4138165A4C53FE8A5B1D809526C3 . 828928 . . [7.00.6000.21073] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\SP3QFE\wininet.dll
[-] 2009-06-29 . A39B7BA7AB9B1CC2A0009F59772DB83C . 827392 . . [7.00.6000.16876] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\SP3GDR\wininet.dll
[-] 2008-11-25 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\system32\wininet.dll

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

[-] 2004-08-03 . 9A41E77AF64CA976E6F61B55401CBEBB . 1110528 . . [6.00.2900.2180] . . c:\windows\explorer.exe

[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll
[-] 2008-04-14 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[-] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\shsvcs.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll

[-] 2008-04-14 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-14 13:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys

[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2008-04-14 03:00 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll

[-] 2008-11-25 12:09 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

[-] 2009-02-07 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe
[-] 2009-02-06 . 3006410E24772CC6953F0B5C01BEB35F . 2057728 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe
[-] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe
[-] 2008-11-27 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . c:\windows\system32\ntkrnlpa.exe

[-] 2008-04-14 03:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll

c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\netlogon.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2009-05-28 2707526]
"SansaDispatch"="c:\documents and settings\Admin\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-07-10 79872]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2002-09-17 2181704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-21 2025752]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-09-04 1069960]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-11-25 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Qs Black Shine Blue.wsstyles [2008-5-19 210081]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-11 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-01 19:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Styler.lnk]
backup=c:\windows\pss\Styler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8545:TCP"= 8545:TCP:BitComet 8545 TCP
"8545:UDP"= 8545:UDP:BitComet 8545 UDP
"15389:TCP"= 15389:TCP:BitComet 15389 TCP
"15389:UDP"= 15389:UDP:BitComet 15389 UDP

R1 aswSP;avast! Self Protection; [x]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [x]
R3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-09-01 29208]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; [x]
R3 G Data Tuner Service;G Data Tuner Service; [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-09-01 12552]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-04 206256]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-09-01 335240]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-09-01 108552]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-09-01 297752]
S2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-09-01 1370488]
S2 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys [2009-05-12 61328]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-09-01 29208]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]

2009-10-22 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZSfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\ui0ll4hj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\ui0ll4hj.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\inspector.dll
FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\ui0ll4hj.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 11:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C30BA2D5-458E-E5B1-0746-94607E1C24A3}\InProcServer32*]
"oakjchaefhagcglhjmpdccmlkglnoj"=hex:69,61,6d,62,61,6f,6a,62,6f,68,63,6e,62,66,
62,6c,70,64,00,00
"nakjmfceeffeknmckdjjchgbdike"=hex:6b,61,6c,63,69,62,61,62,69,70,69,69,6f,64,
63,64,6b,63,6d,61,67,69,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3036)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\combo-fix\CF14400.exe
c:\windows\system32\CTsvcCDA.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-22 12:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-22 16:02
ComboFix2.txt 2009-10-21 16:59

Pre-Run: 75,736,190,976 bytes free
Post-Run: 75,727,781,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 712BADEE97D7AB345BA783D1B260C211



HERE IS THE SYSTEM LOOK SCAN

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 12:08 on 22/10/2009 by Admin (Administrator - Elevation successful)

========== filefind ==========

Searching for "netlogon.dll"
No files found.

Searching for "ntelogon.dll"
C:\WINDOWS\system32\ntelogon.dll --a--- 407040 bytes [03:00 14/04/2008] [03:00 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "beep.sys"
No files found.

Searching for "proquota.exe"
No files found.

-=End Of File=-

Edited by Orange Blossom, 25 October 2009 - 02:16 PM.
Remove unnecessary quote. ~ OB


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:01 PM

Posted 22 October 2009 - 09:25 PM

Hi, HERCULES1X :(

There is a file missing. Do you have the installation CD to recover this file?

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\WINDOWS\system32\ntelogon.dll | c:\windows\system32\netlogon.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your next reply.

Restart the computer after running Avenger if the application does to restart the computer.

Go to Start -> Run, copy and paste the following command and click OK.

CMD /C Net Start >"%Userprofile%\Desktop\Log.txt"

This should create a text file on your desktop, Log.txt. Open this file with Notepad and also post its contents in a reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#7 HERCULES1X

HERCULES1X
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 23 October 2009 - 12:40 AM

Hello JSntgRvr


HERE IS THE RESULTS OF THE AVENGER SCAN

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Fri Oct 23 01:20:53 2009

01:20:53: Error: Could not register cleanup.
Aborting execution! (error 0: the operation completed successfully.)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\ntelogon.dll|c:\windows\system32\netlogon.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.



HERE ARE THE RESULTS OF THE LOG.TXT

These Windows services are started:

Application Layer Gateway Service
Automatic Updates
AVG8 Firewall
AVG8 WatchDog
COM+ Event System
Computer Browser
Creative Service for CDROM Access
CryptSvc
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
Event Log
Fast User Switching Compatibility
Help and Support
IPSEC Services
Logical Disk Manager
Network Connections
Network Location Awareness (NLA)
PC Tools Auxiliary Service
PC Tools Security Service
Plug and Play
Print Spooler
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Remote Registry
Secondary Logon
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
SSDP Discovery Service
System Event Notification
System Restore Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
WebClient
Windows Audio
Windows Firewall/Internet Connection Sharing (ICS)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
Workstation

The command completed successfully.



BTW. I don't have those RESTORE DISKS (usually about 5 to 6 discs) that come with the computer. I actually have the Windows XP OS disk (one DVD disk). I am not sure if they operate in the same capacity. My last computer had those restore/restoration disks, but not this one (custom made computer)

Edited by Orange Blossom, 25 October 2009 - 02:17 PM.
Remove unnecessary quote. ~ OB


#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:01 PM

Posted 23 October 2009 - 04:59 PM

Hi, HERCULES1X :(

I actually have the Windows XP OS disk (one DVD disk)


That is the CD we need. In order to restore these files you need to know the drive letter assigned to the DVD_CD ROM, where you will be inserting the Instalation CD. You can obtain this information by clicking on My Computer. Once you have obtained this information, insert the XP CD.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Replace the X in red with the letter assigned to your DVD_CD ROM.
  • Name the file as fix.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, click on the fix.bat file and post the resulting report.

@Echo Off
Expand X:\i386\beep.sy_ c:\windows\system32\drivers\beep.sys
Expand X:\i386\proquota.ex_ c:\windows\system32\proquota.exe
if exist "%temp%\log.txt" del "%temp%\log.txt"
for %%g in (
"c:\windows\system32\drivers\beep.sys"
"c:\windows\system32\proquota.exe"
) do @if exist %%g (echo %%~g .... Restored Successfully !!>>"%temp%\log.txt") ELSE echo %%~g ..... Failed to restore!!>>"%temp%\log.txt"
start notepad "%temp%\log.txt"
Exit


Edited by JSntgRvr, 24 October 2009 - 01:35 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:01 PM

Posted 24 October 2009 - 01:37 AM

Edited Post #8 due to a typo.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#10 HERCULES1X

HERCULES1X
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 24 October 2009 - 02:28 PM

HELLO JSntgRvr

HERE IS THE RESULT OF THE FIX.BAT

c:\windows\system32\drivers\beep.sys ..... Failed to restore!!
c:\windows\system32\proquota.exe .... Restored Successfully !!

Edited by Orange Blossom, 25 October 2009 - 02:18 PM.
Remove unnecessary quote. ~ OB


#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:01 PM

Posted 24 October 2009 - 03:21 PM

Lets try that again with this script:


@Echo Off
Expand X:\i386\beep.sy_ c:\windows\system32\drivers\beep.sys
if exist "%temp%\log.txt" del "%temp%\log.txt"
for %%g in (
"c:\windows\system32\drivers\beep.sys"
) do @if exist %%g (echo %%~g .... Restored Successfully !!>>"%temp%\log.txt") ELSE echo %%~g ..... Failed to restore!!>>"%temp%\log.txt"
start notepad "%temp%\log.txt"
Exit


Post the Log.txt

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#12 HERCULES1X

HERCULES1X
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 24 October 2009 - 10:18 PM

IT WORKED!!!

c:\windows\system32\drivers\beep.sys .... Restored Successfully !!

Edited by Orange Blossom, 25 October 2009 - 02:18 PM.
Remove unnecessary quote. ~ OB


#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:01 PM

Posted 24 October 2009 - 10:52 PM

Yes! Lets scan for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 16.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Make sure the C:\Program Files\JAVA folder is removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u16-windows-i586.exe and select "Run as an Administrator.")

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#14 HERCULES1X

HERCULES1X
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 25 October 2009 - 01:41 AM

DRATS!!!...I guess we poped the champagne corks too fast...

I downloaded the JAVA, did the reboot, cleared out the JAVA folders in C drive etc all went well. Logged onto the Kaspersky site, attempted to do a online scan and as soon as the program downloaded and was about to update the definitions, my computer was shut off and rebooted. I waited adn allowed the process to go through, logged back onto the Kaspersky site again tried downloading again, but tthis time the infection won't even allow me to download the the software or updated definitions let alone do the online scan. Arrrrrggghhh!!!!

Edited by Orange Blossom, 25 October 2009 - 02:19 PM.
Remove unnecessary quote. ~ OB


#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:01 PM

Posted 25 October 2009 - 10:28 AM

Please run Combofix once again and post its report.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users