Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

recurring internetsecurity2010, browser redirects, desktop/task manager/system restore hijacked


  • This topic is locked This topic is locked
9 replies to this topic

#1 mstew99

mstew99

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:45 AM

Posted 28 December 2009 - 12:37 AM

I've been having a recurring problem on my computer. I keep having an issue of browser redirects when performing searches in yahoo. I'm not sure if it's related or not, but the next day after a reboot I ended up with internetsecurity2010 installed giving me false warnings, with a hijacked desktop (green or blue screen, black box saying your system is infected). It has also hijacked my task manager and my system restore. Upon getting access back to my system restore, it will not allow me to restore to an earlier date. I've ran spybot, AVG, adaware, malwarebytes, SUPERantispyware, and continue to find problems. They will fix them, and things will be okay for a little while and i'll gain access back to my desktop/task manager, but soon everything starts coming back. I just can't seem to fully get rid of whatever the problem is. Thanks for the help in advance!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 0:02:42.76 on Mon 12/28/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.751.79 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UT8OP9SF\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [RRT-Auto] c:\documents and settings\owner\my documents\my pictures\RRT(2).exe auto
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [notepad] rundll32.exe c:\docume~1\locals~1\ntload.dll,_IWMPEvents@0
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\bad467.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\kbdsock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: puzuvusom - {a6d5d070-7a21-4fb1-a21d-34b184823460} - c:\windows\system32\fuhubuga.dll
STS: kupuhivus: {a6d5d070-7a21-4fb1-a21d-34b184823460} - c:\windows\system32\fuhubuga.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli pahekuve.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\22mkvxyl.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCE08D86A-A41A-410A-943C-13BABB7DC474", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9EDC9ED-603A-4F3F-BBEA-59C8853A3236", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID90D10942-D952-4863-9DD6-A2BDBBAD456E", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0ECEE744-7B69-4912-AB91-AE76D61ECB04", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF25635B2-1AB9-47B5-88D1-8877B22C86DE", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID27B7F812-4159-45B9-A389-B7A118A58DE4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF849DF29-393B-4F8B-99D1-117A70D66FC7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBF1E9C3D-637C-4171-BD12-28A7360B879A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDDE1C0601-7947-4D7F-A6E5-E68BF6BA1E37", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EA0DCCE-4D98-4876-9C6A-E5C563D0820A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID446462BA-2AAD-4C88-BC63-5210E2F31465", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0862E368-A40E-4E55-83EB-FBC5571BABA4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDD2A96E3C-FFB3-4D38-9AC3-B127527BEA35", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4B05B39A-9DDC-4650-A7F8-D5B134E5FFE5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC8E2574A-7BCE-4B93-A22E-61831DFD6DB8", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID659796C0-8B5D-48D7-A4EB-7E6874E26274", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID78071AB5-E729-414E-8D02-9C1D034F82E7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCC3F71E1-17F3-4C5B-997D-44CA56943197", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE67D5C78-B2D4-4BA0-8D69-1C7AF4BB08B5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFC5F3D7A-D321-412C-8A5D-9AD0C8041941", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6EC5CD16-81BC-4515-9EDD-9265C906F56E", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID67CFB2C5-E491-4395-977B-CD45E4124655", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID73600569-52E6-4760-8BAB-B68202937D98", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB02EBD42-6885-401A-9389-E089F7DDC872", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBAE5CB8C-4075-4743-B2E4-78DA8D8CDC64", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID28B07B04-DA99-4FD3-BF27-4972F2B8142B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D53448F-D12B-4102-8CE2-697DAE8D6643", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE3266A47-A141-47B8-AAA8-5F16FB4F8CCD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB33AB7AF-76D7-4B1C-B709-5D6BF9E7B1C7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID153B7451-0BB5-4B37-95C0-44D89E2F1F2B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID3BBE8E21-0D3D-4BAA-AC6F-C7BCEF750849", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9B5B4F2D-A7D9-4329-B0FE-92B301A8CAAD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA5C42921-8CD0-4924-97C3-01B5B0610BC6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID06969252-F90F-4CF2-9074-33772EB64859", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFBF37655-1236-4C0D-96C5-F94E1724841B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC1A3F035-B68F-4B2B-9FD5-E36DAAAF26DD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID368F3685-543E-4812-9FDE-96E097E453FC", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID43969873-56AA-4113-84CB-4AB2AEB9AA31", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA205DD80-63D4-4E41-B785-26EC3D90B97B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID068D43E7-7551-4A2F-AE96-4A38A9AD1953", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF443E9CB-9EEC-456E-8AE7-F3102D5CD47D", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE36A7B16-645D-4261-BFF8-3A7E69C5F7A5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID379805E3-E0E2-40DC-B51B-6DC1AE5802AA", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF6240D69-A06D-44A1-8003-8496CCEF2C53", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID26C3113D-5A71-4F1B-A2CB-BE59E1279DDA", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID92B97F2B-7565-4CE9-9AC7-0598DFD731F8", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID2AA5E7CF-9696-42F0-B76A-8655296EADF2", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0AAACE0B-ACEF-4781-83F4-BFB52EEC995A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D56FF58-A39D-4E8C-A40B-2E3711251772", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID946121C2-11F1-49DD-A7E3-CF793DE827A4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB853303D-1BAB-43F3-9D7D-101D0DA8E7A5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9E578247-FE29-4F8C-8202-A24A5688CF2A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6D065A8F-FFC0-4A0F-B863-1D724B8C786B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4451D291-6940-42CE-9D3C-CA1D4C96549C", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID064B722D-079D-4EBB-B3CF-9FCBF64FFF5D", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID38F8AB0F-5DFB-43D9-889E-8717CC4AB59B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EC68CD1-0EF1-4CB9-9EF1-3D64AB266149", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID44F96B27-CFAD-41E1-83A1-6B28040C3BDE", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-20 64288]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2005-8-16 4064]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-23 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-23 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-23 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-12-23 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-23 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-3 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2004-9-2 396480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S0 bqlkbul;bqlkbul; [x]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

=============== Created Last 30 ================

2009-12-28 04:42:26 0 d-----w- c:\program files\Trend Micro
2009-12-27 15:04:10 707072 ----a-w- c:\windows\system32\drivers\jyqsjk.sys
2009-12-26 06:24:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-26 06:24:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 06:24:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 04:40:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-26 04:39:47 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-26 04:39:47 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-12-26 04:39:19 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-26 04:38:45 0 d-----w- C:\RRTVAULT
2009-12-24 03:35:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-23 05:23:17 0 d--h--w- C:\$AVG
2009-12-23 05:22:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-23 05:22:56 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-23 05:22:47 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-23 05:22:33 0 d-----w- c:\windows\system32\drivers\Avg
2009-12-23 05:22:29 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-12-23 05:22:05 0 d-----w- c:\program files\AVG
2009-12-23 05:22:03 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-21 05:29:55 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-12-21 05:16:50 0 d-----w- c:\windows\ERUNT
2009-12-21 05:10:31 0 d-----w- C:\SDFix
2009-12-21 04:15:06 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-21 03:26:22 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-21 03:24:26 0 d-----w- C:\ComboFix
2009-12-20 03:50:59 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-18 16:16:38 0 d-----w- c:\program files\SpywareBlaster
2009-12-18 05:21:11 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-12-18 05:21:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-18 04:39:36 7302 ----a-w- c:\windows\system32\rrt_vf.wav
2009-12-18 04:39:36 7148 ----a-w- c:\windows\system32\rrt_tv.wav
2009-12-18 04:39:36 6282 ----a-w- c:\windows\system32\rrt_tn.wav
2009-12-18 04:39:36 16244 ----a-w- c:\windows\system32\rrt_is.wav

==================== Find3M ====================

2009-12-27 07:52:23 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-09-12 03:03:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat

============= FINISH: 0:05:33.84 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:45 PM

Posted 28 December 2009 - 07:49 AM

Hi mstew99,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all p2p download folders. They might contain infected files. Please avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or infecting other users.

  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.


  • Disable AVG Resident Shield:
    • Double click AVG system tray icon to open AVG.
    • In Overview section double click Resident Shield.
    • Uncheck Resident Shield Active.
    • Press Save Changes.

      Note: It is important to activate the resident shield immediately after ComboFix produced its log.
  • You have run or tried to run ComboFix. We are going to run it again. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 mstew99

mstew99
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:45 AM

Posted 29 December 2009 - 01:38 AM

Thanks for the quick response. My p2p download folder is on an external hard drive that hasn't been hooked up to my computer in a month, nor have I used any of the programs in the past month or so.

I followed all of the instructions and hopefully shut off everything I was supposed to. While running combofix (it found rootkit activity), it did a restart, and popped up an error message about a file not being found (I couldn't catch the name of it before it went away). The combofix program then said do not open any programs until combofix has finished, but windows was booting up behind it and any start up programs did begin to run. Combofix finished and gave me the following log, so hopefully the above wasn't an issue. I have done a couple searches successfully with no pop ups and no browser redirects. Here is the combofix log:



ComboFix 09-12-27.04 - Owner 12/29/2009 1:01.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.751.281 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-3983569148-710326515-1904576167-1003
c:\recycler\S-1-5-21-902982549-813163802-548563926-1003
c:\windows\BackUp
c:\windows\BackUp\S\50920000.DAT
c:\windows\cdmxtras
c:\windows\Downloaded Program Files\poPCaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Install.txt
c:\windows\patch.exe
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://82.98.231.102
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-28 04:42 . 2009-12-28 04:42 -------- d-----w- c:\program files\Trend Micro
2009-12-27 15:04 . 2009-12-29 06:17 707072 ----a-w- c:\windows\system32\drivers\jyqsjk.sys
2009-12-26 06:24 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-26 06:24 . 2009-12-26 06:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 06:24 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 04:40 . 2009-12-26 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 04:39 . 2009-12-26 04:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-26 04:39 . 2009-12-26 04:39 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-12-26 04:39 . 2009-12-26 04:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-26 04:38 . 2009-12-26 04:38 -------- d-----w- C:\RRTVAULT
2009-12-26 04:24 . 2009-12-26 04:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2009-12-24 03:35 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-23 05:29 . 2009-12-23 05:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AVG Security Toolbar
2009-12-23 05:23 . 2009-12-23 13:09 -------- d-----w- C:\$AVG
2009-12-23 05:22 . 2009-12-23 05:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-23 05:22 . 2009-12-23 05:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-23 05:22 . 2009-12-23 05:22 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-23 05:22 . 2009-12-23 05:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-23 05:22 . 2009-12-28 22:15 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-23 05:22 . 2009-12-26 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-12-23 05:22 . 2009-12-23 05:22 -------- d-----w- c:\program files\AVG
2009-12-23 05:22 . 2009-12-25 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-23 04:46 . 2009-12-23 04:46 -------- d-----w- c:\program files\ERUNT
2009-12-21 05:29 . 2009-12-21 05:29 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-12-21 05:16 . 2009-12-21 05:17 -------- d-----w- c:\windows\ERUNT
2009-12-21 05:10 . 2009-12-21 06:04 -------- d-----w- C:\SDFix
2009-12-21 04:15 . 2009-12-21 04:15 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-21 04:15 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-21 03:26 . 2009-12-21 03:26 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-20 03:50 . 2009-12-21 04:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-20 03:50 . 2009-12-20 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-18 16:16 . 2009-12-26 03:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-18 16:16 . 2009-12-18 16:17 -------- d-----w- c:\program files\SpywareBlaster
2009-12-18 05:21 . 2009-12-18 05:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-18 05:21 . 2009-12-18 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 07:52 . 2004-08-04 05:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-26 04:40 . 2009-12-26 04:40 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-26 04:40 . 2009-12-26 04:40 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-23 05:22 . 2009-12-23 15:00 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-23 05:22 . 2009-12-23 15:00 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-23 05:22 . 2009-12-23 15:00 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-23 05:22 . 2009-12-23 15:00 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-23 05:22 . 2009-12-23 15:00 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-21 04:17 . 2005-05-09 17:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-21 04:17 . 2005-05-09 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-21 04:15 . 2009-12-21 04:14 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-21 04:14 . 2009-12-21 04:14 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-21 04:14 . 2009-12-21 04:14 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-21 04:14 . 2009-12-21 04:14 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-21 04:14 . 2009-12-21 04:14 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-21 04:14 . 2009-12-21 04:14 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-21 04:14 . 2009-12-21 04:14 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-21 04:14 . 2009-12-21 04:14 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-21 04:14 . 2009-12-21 04:14 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-21 04:14 . 2009-12-21 04:14 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-21 04:14 . 2009-12-21 04:14 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-21 04:14 . 2009-12-21 04:14 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-21 04:14 . 2009-12-21 04:14 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-21 03:37 . 2005-05-09 17:55 -------- d-----w- c:\program files\Symantec
2009-12-20 03:50 . 2005-09-09 06:06 -------- d-----w- c:\program files\Lavasoft
2009-12-18 06:00 . 2007-10-14 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-18 06:00 . 2007-10-14 18:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-07 14:10 . 2009-12-21 04:13 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-11-25 23:28 . 2009-04-23 17:10 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-11-25 18:01 . 2009-12-25 04:54 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-10-29 07:46 . 2005-03-23 16:53 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-03-23 16:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-03-23 16:52 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2005-03-23 16:52 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-03-23 16:52 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-03-23 16:52 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-03-23 16:52 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-03-23 16:52 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 04:51 . 2009-10-10 04:51 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
2009-10-01 16:31 . 2006-02-15 07:05 49504 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-23 2033432]
"RRT-Auto"="c:\documents and settings\Owner\My Documents\My Pictures\RRT(2).exe" [2009-12-18 1738240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-15 282624]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-23 05:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^scandisk.dll]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.dll
backup=c:\windows\pss\scandisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^scandisk.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.lnk
backup=c:\windows\pss\scandisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 20:08 67160 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2005-11-03 03:01 50792 ----a-w- c:\program files\Common Files\AOL\Launch\aollaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2004-08-16 20:45 45056 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2009-09-14 21:48 653104 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
2004-09-22 17:08 987136 ----a-w- c:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2005-11-03 03:01 50792 ----a-w- c:\program files\Common Files\AOL\1138336775\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-09-20 15:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 15:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 15:36 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-09-20 15:35 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2004-06-03 05:50 204800 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
2004-07-01 21:20 212992 ----a-w- C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 22:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-15 16:50 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-02-02 16:38 214560 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-03-15 17:04 966656 ----a-w- c:\windows\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RRT-Auto]
2009-12-18 04:39 1738240 ----a-w- c:\documents and settings\Owner\My Documents\My Pictures\RRT(2).exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2008-10-07 15:23 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 18:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThrustTSR]
2000-10-12 04:15 151552 ----a-w- c:\program files\ThrustMaster\ThrustMapper\TMTMTSR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-02-02 16:38 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-08-27 15:05 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-04-01 18:49 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2008-10-07 15:23 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2009-09-04 17:16 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138336775\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138336775\\ee\\aim6.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/20/2009 11:15 PM 64288]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [8/16/2005 6:09 PM 4064]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/23/2009 12:22 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/23/2009 12:22 AM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/23/2009 12:22 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/23/2009 12:22 AM 285392]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 10:05 AM 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/3/2007 1:47 AM 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [9/2/2004 8:01 PM 396480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S0 bqlkbul;bqlkbul; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - jyqsjk
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\22mkvxyl.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCE08D86A-A41A-410A-943C-13BABB7DC474", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9EDC9ED-603A-4F3F-BBEA-59C8853A3236", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID90D10942-D952-4863-9DD6-A2BDBBAD456E", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0ECEE744-7B69-4912-AB91-AE76D61ECB04", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF25635B2-1AB9-47B5-88D1-8877B22C86DE", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID27B7F812-4159-45B9-A389-B7A118A58DE4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF849DF29-393B-4F8B-99D1-117A70D66FC7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBF1E9C3D-637C-4171-BD12-28A7360B879A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDDE1C0601-7947-4D7F-A6E5-E68BF6BA1E37", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EA0DCCE-4D98-4876-9C6A-E5C563D0820A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID446462BA-2AAD-4C88-BC63-5210E2F31465", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0862E368-A40E-4E55-83EB-FBC5571BABA4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDD2A96E3C-FFB3-4D38-9AC3-B127527BEA35", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4B05B39A-9DDC-4650-A7F8-D5B134E5FFE5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC8E2574A-7BCE-4B93-A22E-61831DFD6DB8", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID659796C0-8B5D-48D7-A4EB-7E6874E26274", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID78071AB5-E729-414E-8D02-9C1D034F82E7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCC3F71E1-17F3-4C5B-997D-44CA56943197", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE67D5C78-B2D4-4BA0-8D69-1C7AF4BB08B5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFC5F3D7A-D321-412C-8A5D-9AD0C8041941", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6EC5CD16-81BC-4515-9EDD-9265C906F56E", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID67CFB2C5-E491-4395-977B-CD45E4124655", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID73600569-52E6-4760-8BAB-B68202937D98", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB02EBD42-6885-401A-9389-E089F7DDC872", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBAE5CB8C-4075-4743-B2E4-78DA8D8CDC64", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID28B07B04-DA99-4FD3-BF27-4972F2B8142B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D53448F-D12B-4102-8CE2-697DAE8D6643", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE3266A47-A141-47B8-AAA8-5F16FB4F8CCD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB33AB7AF-76D7-4B1C-B709-5D6BF9E7B1C7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID153B7451-0BB5-4B37-95C0-44D89E2F1F2B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID3BBE8E21-0D3D-4BAA-AC6F-C7BCEF750849", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9B5B4F2D-A7D9-4329-B0FE-92B301A8CAAD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA5C42921-8CD0-4924-97C3-01B5B0610BC6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID06969252-F90F-4CF2-9074-33772EB64859", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFBF37655-1236-4C0D-96C5-F94E1724841B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC1A3F035-B68F-4B2B-9FD5-E36DAAAF26DD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID368F3685-543E-4812-9FDE-96E097E453FC", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID43969873-56AA-4113-84CB-4AB2AEB9AA31", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA205DD80-63D4-4E41-B785-26EC3D90B97B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID068D43E7-7551-4A2F-AE96-4A38A9AD1953", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF443E9CB-9EEC-456E-8AE7-F3102D5CD47D", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE36A7B16-645D-4261-BFF8-3A7E69C5F7A5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID379805E3-E0E2-40DC-B51B-6DC1AE5802AA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF6240D69-A06D-44A1-8003-8496CCEF2C53", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID26C3113D-5A71-4F1B-A2CB-BE59E1279DDA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID92B97F2B-7565-4CE9-9AC7-0598DFD731F8", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID2AA5E7CF-9696-42F0-B76A-8655296EADF2", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0AAACE0B-ACEF-4781-83F4-BFB52EEC995A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D56FF58-A39D-4E8C-A40B-2E3711251772", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID946121C2-11F1-49DD-A7E3-CF793DE827A4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB853303D-1BAB-43F3-9D7D-101D0DA8E7A5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9E578247-FE29-4F8C-8202-A24A5688CF2A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6D065A8F-FFC0-4A0F-B863-1D724B8C786B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4451D291-6940-42CE-9D3C-CA1D4C96549C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID064B722D-079D-4EBB-B3CF-9FCBF64FFF5D", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID38F8AB0F-5DFB-43D9-889E-8717CC4AB59B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EC68CD1-0EF1-4CB9-9EF1-3D64AB266149", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID44F96B27-CFAD-41E1-83A1-6B28040C3BDE", "AllAccess");
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-notepad - c:\docume~1\LOCALS~1\ntload.dll
SharedTaskScheduler-{a6d5d070-7a21-4fb1-a21d-34b184823460} - c:\windows\system32\fuhubuga.dll
SSODL-puzuvusom-{a6d5d070-7a21-4fb1-a21d-34b184823460} - c:\windows\system32\fuhubuga.dll
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-AltnetPointsManager - c:\program files\altnet\points manager\points manager.exe
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Cleanup - c:\docume~1\Owner\LOCALS~1\Temp\2006217172226_mcappins.exe
MSConfigStartUp-InstaFinderK - c:\program files\INSTAFINK\InstaFinderK_inst.exe
MSConfigStartUp-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe
MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-losunusig - c:\windows\system32\nazoduse.dll
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-msci - c:\docume~1\Owner\LOCALS~1\Temp\2006217172226_mcinfo.exe
MSConfigStartUp-notepad - c:\windows\system32\notepad.dll
MSConfigStartUp-P2P Networking - c:\windows\system32\P2P Networking\P2P Networking.exe
MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe
MSConfigStartUp-winupdate86 - c:\windows\system32\winupdate86.exe
MSConfigStartUp-_AntiSpyware - c:\program files\McAfee\McAfee AntiSpyware\MssCli.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 01:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\jyqsjk]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3247447624-1653099950-3516615924-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C9FB7C5F-7230-B090-CE18-B33FC80A9E65}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oameblgmjodagnnhaaabialoakigio"=hex:64,61,6d,6f,62,6a,67,65,00,70
"oaaiginkofjlimaaadoekjekmbenjf"=hex:6a,61,70,6f,67,65,6e,66,62,6e,65,61,66,67,
6a,65,68,68,6e,63,00,fd
"nagfmkpkgmefjiipdnflgogaejkn"=hex:6a,61,6a,70,65,6b,63,6c,63,6e,67,61,66,6e,
69,6a,6d,70,6b,65,00,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1304)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-12-29 01:27:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 06:27

Pre-Run: 46,500,806,656 bytes free
Post-Run: 47,482,818,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - B1EAC064BB077FF587B9A8DC525BAE7C

Edited by mstew99, 29 December 2009 - 01:42 AM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:45 PM

Posted 29 December 2009 - 07:21 AM

Well done. :(
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    driver::
    bqlkbul
    ndisdrv
    jyqsjk
    RegNull::
    [HKEY_USERS\S-1-5-21-3247447624-1653099950-3516615924-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C9FB7C5F-7230-B090-CE18-B33FC80A9E65}*]
    RegLockDell::
    [HKEY_USERS\S-1-5-21-3247447624-1653099950-3516615924-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C9FB7C5F-7230-B090-CE18-B33FC80A9E65}]
    registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RRT-Auto"=-
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=-
    "NoActiveDesktopChanges"=-
    [-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^scandisk.dll]
    [-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^scandisk.lnk]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\jyqsjk]
    [-HKEY_USERS\S-1-5-21-3247447624-1653099950-3516615924-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C9FB7C5F-7230-B090-CE18-B33FC80A9E65}]
    rootkit::
    C:\WINDOWS\system32\drivers\jyqsjk.sys
    File::
    c:\documents and settings\Owner\My Documents\My Pictures\RRT(2).exe
    c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.dll
    c:\windows\pss\scandisk.dllStartup
    c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.lnk
    c:\windows\pss\scandisk.lnkStartup

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  • Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.



#5 mstew99

mstew99
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:45 AM

Posted 30 December 2009 - 04:02 AM

Everything went smoothly, here is the new combofix log:

ComboFix 09-12-27.04 - Owner 12/30/2009 3:35.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.751.235 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\Owner\My Documents\My Pictures\RRT(2).exe"
"c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.dll"
"c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.lnk"
"c:\windows\pss\scandisk.dllStartup"
"c:\windows\pss\scandisk.lnkStartup"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\My Pictures\RRT(2).exe
c:\windows\pss\scandisk.lnkStartup

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BQLKBUL
-------\Legacy_JYQSJK
-------\Legacy_NDISDRV
-------\Service_bqlkbul
-------\Service_jyqsjk
-------\Service_ndisdrv


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-28 04:42 . 2009-12-28 04:42 -------- d-----w- c:\program files\Trend Micro
2009-12-26 06:24 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-26 06:24 . 2009-12-26 06:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 06:24 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 04:40 . 2009-12-26 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 04:39 . 2009-12-26 04:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-26 04:39 . 2009-12-26 04:39 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-12-26 04:39 . 2009-12-26 04:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-26 04:38 . 2009-12-26 04:38 -------- d-----w- C:\RRTVAULT
2009-12-26 04:24 . 2009-12-26 04:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2009-12-24 03:35 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-23 05:29 . 2009-12-23 05:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AVG Security Toolbar
2009-12-23 05:23 . 2009-12-23 13:09 -------- d-----w- C:\$AVG
2009-12-23 05:22 . 2009-12-23 05:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-23 05:22 . 2009-12-23 05:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-23 05:22 . 2009-12-23 05:22 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-23 05:22 . 2009-12-23 05:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-23 05:22 . 2009-12-29 23:43 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-23 05:22 . 2009-12-30 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-12-23 05:22 . 2009-12-23 05:22 -------- d-----w- c:\program files\AVG
2009-12-23 05:22 . 2009-12-25 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-23 04:46 . 2009-12-23 04:46 -------- d-----w- c:\program files\ERUNT
2009-12-21 05:29 . 2009-12-21 05:29 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-12-21 05:16 . 2009-12-21 05:17 -------- d-----w- c:\windows\ERUNT
2009-12-21 05:10 . 2009-12-21 06:04 -------- d-----w- C:\SDFix
2009-12-21 04:15 . 2009-12-21 04:15 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-21 04:15 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-21 03:26 . 2009-12-21 03:26 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-20 03:50 . 2009-12-21 04:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-20 03:50 . 2009-12-20 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-18 16:16 . 2009-12-26 03:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-18 16:16 . 2009-12-18 16:17 -------- d-----w- c:\program files\SpywareBlaster
2009-12-18 05:21 . 2009-12-18 05:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-18 05:21 . 2009-12-18 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 07:52 . 2004-08-04 05:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-26 04:40 . 2009-12-26 04:40 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-26 04:40 . 2009-12-26 04:40 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-23 05:22 . 2009-12-23 15:00 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-23 05:22 . 2009-12-23 15:00 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-23 05:22 . 2009-12-23 15:00 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-23 05:22 . 2009-12-23 15:00 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-23 05:22 . 2009-12-23 15:00 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-21 04:17 . 2005-05-09 17:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-21 04:17 . 2005-05-09 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-21 04:15 . 2009-12-21 04:14 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-21 04:14 . 2009-12-21 04:14 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-21 04:14 . 2009-12-21 04:14 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-21 04:14 . 2009-12-21 04:14 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-21 04:14 . 2009-12-21 04:14 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-21 04:14 . 2009-12-21 04:14 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-21 04:14 . 2009-12-21 04:14 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-21 04:14 . 2009-12-21 04:14 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-21 04:14 . 2009-12-21 04:14 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-21 04:14 . 2009-12-21 04:14 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-21 04:14 . 2009-12-21 04:14 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-21 04:14 . 2009-12-21 04:14 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-21 04:14 . 2009-12-21 04:14 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-21 03:37 . 2005-05-09 17:55 -------- d-----w- c:\program files\Symantec
2009-12-20 03:50 . 2005-09-09 06:06 -------- d-----w- c:\program files\Lavasoft
2009-12-18 06:00 . 2007-10-14 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-18 06:00 . 2007-10-14 18:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-07 14:10 . 2009-12-21 04:13 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-11-25 23:28 . 2009-04-23 17:10 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-11-25 18:01 . 2009-12-25 04:54 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-10-29 07:46 . 2005-03-23 16:53 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-03-23 16:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-03-23 16:52 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2005-03-23 16:52 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-03-23 16:52 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-03-23 16:52 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-03-23 16:52 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-03-23 16:52 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 04:51 . 2009-10-10 04:51 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
2009-10-01 16:31 . 2006-02-15 07:05 49504 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-23 2033432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-15 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-23 05:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 20:08 67160 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2005-11-03 03:01 50792 ----a-w- c:\program files\Common Files\AOL\Launch\aollaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2004-08-16 20:45 45056 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2009-09-14 21:48 653104 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
2004-09-22 17:08 987136 ----a-w- c:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2005-11-03 03:01 50792 ----a-w- c:\program files\Common Files\AOL\1138336775\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-09-20 15:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 15:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 15:36 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-09-20 15:35 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2004-06-03 05:50 204800 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
2004-07-01 21:20 212992 ----a-w- C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 22:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-15 16:50 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-02-02 16:38 214560 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-03-15 17:04 966656 ----a-w- c:\windows\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2008-10-07 15:23 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 18:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThrustTSR]
2000-10-12 04:15 151552 ----a-w- c:\program files\ThrustMaster\ThrustMapper\TMTMTSR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-02-02 16:38 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-08-27 15:05 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-04-01 18:49 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2008-10-07 15:23 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2009-09-04 17:16 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138336775\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138336775\\ee\\aim6.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/20/2009 11:15 PM 64288]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [8/16/2005 6:09 PM 4064]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/23/2009 12:22 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/23/2009 12:22 AM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/23/2009 12:22 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/23/2009 12:22 AM 285392]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 10:05 AM 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/3/2007 1:47 AM 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [9/2/2004 8:01 PM 396480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\22mkvxyl.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCE08D86A-A41A-410A-943C-13BABB7DC474", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9EDC9ED-603A-4F3F-BBEA-59C8853A3236", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID90D10942-D952-4863-9DD6-A2BDBBAD456E", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0ECEE744-7B69-4912-AB91-AE76D61ECB04", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF25635B2-1AB9-47B5-88D1-8877B22C86DE", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID27B7F812-4159-45B9-A389-B7A118A58DE4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF849DF29-393B-4F8B-99D1-117A70D66FC7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBF1E9C3D-637C-4171-BD12-28A7360B879A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDDE1C0601-7947-4D7F-A6E5-E68BF6BA1E37", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EA0DCCE-4D98-4876-9C6A-E5C563D0820A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID446462BA-2AAD-4C88-BC63-5210E2F31465", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0862E368-A40E-4E55-83EB-FBC5571BABA4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDD2A96E3C-FFB3-4D38-9AC3-B127527BEA35", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4B05B39A-9DDC-4650-A7F8-D5B134E5FFE5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC8E2574A-7BCE-4B93-A22E-61831DFD6DB8", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID659796C0-8B5D-48D7-A4EB-7E6874E26274", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID78071AB5-E729-414E-8D02-9C1D034F82E7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCC3F71E1-17F3-4C5B-997D-44CA56943197", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE67D5C78-B2D4-4BA0-8D69-1C7AF4BB08B5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFC5F3D7A-D321-412C-8A5D-9AD0C8041941", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6EC5CD16-81BC-4515-9EDD-9265C906F56E", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID67CFB2C5-E491-4395-977B-CD45E4124655", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID73600569-52E6-4760-8BAB-B68202937D98", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB02EBD42-6885-401A-9389-E089F7DDC872", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBAE5CB8C-4075-4743-B2E4-78DA8D8CDC64", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID28B07B04-DA99-4FD3-BF27-4972F2B8142B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D53448F-D12B-4102-8CE2-697DAE8D6643", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE3266A47-A141-47B8-AAA8-5F16FB4F8CCD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB33AB7AF-76D7-4B1C-B709-5D6BF9E7B1C7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID153B7451-0BB5-4B37-95C0-44D89E2F1F2B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID3BBE8E21-0D3D-4BAA-AC6F-C7BCEF750849", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9B5B4F2D-A7D9-4329-B0FE-92B301A8CAAD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA5C42921-8CD0-4924-97C3-01B5B0610BC6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID06969252-F90F-4CF2-9074-33772EB64859", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFBF37655-1236-4C0D-96C5-F94E1724841B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC1A3F035-B68F-4B2B-9FD5-E36DAAAF26DD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID368F3685-543E-4812-9FDE-96E097E453FC", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID43969873-56AA-4113-84CB-4AB2AEB9AA31", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA205DD80-63D4-4E41-B785-26EC3D90B97B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID068D43E7-7551-4A2F-AE96-4A38A9AD1953", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF443E9CB-9EEC-456E-8AE7-F3102D5CD47D", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE36A7B16-645D-4261-BFF8-3A7E69C5F7A5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID379805E3-E0E2-40DC-B51B-6DC1AE5802AA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF6240D69-A06D-44A1-8003-8496CCEF2C53", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID26C3113D-5A71-4F1B-A2CB-BE59E1279DDA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID92B97F2B-7565-4CE9-9AC7-0598DFD731F8", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID2AA5E7CF-9696-42F0-B76A-8655296EADF2", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0AAACE0B-ACEF-4781-83F4-BFB52EEC995A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D56FF58-A39D-4E8C-A40B-2E3711251772", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID946121C2-11F1-49DD-A7E3-CF793DE827A4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB853303D-1BAB-43F3-9D7D-101D0DA8E7A5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9E578247-FE29-4F8C-8202-A24A5688CF2A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6D065A8F-FFC0-4A0F-B863-1D724B8C786B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4451D291-6940-42CE-9D3C-CA1D4C96549C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID064B722D-079D-4EBB-B3CF-9FCBF64FFF5D", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID38F8AB0F-5DFB-43D9-889E-8717CC4AB59B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EC68CD1-0EF1-4CB9-9EF1-3D64AB266149", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID44F96B27-CFAD-41E1-83A1-6B28040C3BDE", "AllAccess");
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-RRT-Auto - c:\documents and settings\Owner\My Documents\My Pictures\RRT(2).exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 03:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-12-30 03:53:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-30 08:53
ComboFix2.txt 2009-12-29 06:27

Pre-Run: 47,445,569,536 bytes free
Post-Run: 47,439,302,656 bytes free

- - End Of File - - 1A14412BC7F401C9BCA6BBAA8EB49AB4



And here is the Malwarebytes log:


Malwarebytes' Anti-Malware 1.42
Database version: 3454
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/30/2009 3:59:53 AM
mbam-log-2009-12-30 (03-59-53).txt

Scan type: Quick Scan
Objects scanned: 116333
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:45 PM

Posted 30 December 2009 - 05:01 AM

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • Tell me also how is your computer running.


#7 mstew99

mstew99
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:45 AM

Posted 31 December 2009 - 12:18 AM

New Java installed. There's a good possibility I picked up whatever I had through java.

From what I can tell, everything is 100% back to normal. If i have a clean bill now, I thank you so very much for your help. I had been fighting with this thing for weeks, and normally can get rid of anything with a little poking around online. This one went a bit over my head. Thanks again for the help!

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:45 PM

Posted 31 December 2009 - 02:08 AM

You are very welcome. :(

The rogue part is not so difficult to remove but the rootkit component is very hard to fight with usual tools and scanners.

Everything looks good. :(

It is important to uninstall ComboFix.

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /Uninstall

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

Happy Computing mstew99. :)

#9 mstew99

mstew99
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:45 AM

Posted 01 January 2010 - 04:26 PM

Okay, removed. Thanks again for everything.

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:45 PM

Posted 01 January 2010 - 05:33 PM

Glad I could help. :(

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users