
I Wish I Knew What To Put Here But I Don't
20 replies to this topic

#1 mrmahaffy (Members, 16 posts; Crockett, Texas)

Posted 14 April 2010 - 10:25 AM


Beforehand I would like to let the one that helps with this know that there are not enough words to express my gratitude,

Jerry

My computer shuts down whenever it wants, my cursor goes wherever and whenever it wants, and it takes about 10 seconds for IE7 to close once I click on the red close button.

One day after it shut itself down the following popped up out of nowhere, and all programs, startup programs and everything in the system tray are running just fine.

I have DSL, and operating online might just as well be dial-up.

Two days ago I clicked on a web link and the following below popped up. I had this happen before and I don't even want to go there with the problem that was. I got rid of that virus but I'm not sure if I got everything associated with it.

On the pic below I recognized what it was and immediately hit the red close button. It did not install itself, but I'm not sure if there is any part of it on my hard drive.



DDS Log



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 7:23:38.81 on Wed 04/14/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.319 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Starfield\Desktop Notifier\wben.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://help.godaddy.com/article/4692
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [wben] "c:\program files\starfield\desktop notifier\wben.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [cdloader] "c:\documents and settings\owner\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [SkinClock] c:\program files\atomic alarm clock\AtomicAlarmClock.exe
uRun: [ContactKeeper Birthday reminder] "c:\program files\contactkeeper\ContactKeeper.exe" /Reminder
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Power2GoExpress] NA
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\KybtecWcCaller.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\common files\microsoft shared\msinfo\MSINF16H.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\common files\microsoft shared\msinfo\MSINF16H.EXE
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Identities Editor - file://c:\program files\siber systems\ai roboform\RoboFormComEditIdent.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {45DB34C3-955C-11D3-ABEF-444553540000} - c:\program files\siber systems\ai roboform\RoboFormComEditIdent.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Web-Based Email Tools - hxxp://email02.secureserver.net/Download.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Peggle/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-4 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-4 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-4 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-15 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2009-11-9 25088]

=============== Created Last 30 ================

2010-04-14 12:20:31 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-14 02:55:32 0 d-----w- c:\program files\Bricks of Egypt
2010-04-14 02:55:18 0 d-----w- c:\program files\ReflexiveArcade
2010-04-14 02:29:12 0 d-----w- c:\program files\Shockwave.com
2010-04-14 01:07:42 0 d-----w- c:\windows\pss
2010-04-13 23:23:12 0 d-----w- c:\program files\Runtime Software
2010-04-13 23:11:14 0 d-----w- c:\windows\system32\NtmsData
2010-04-13 22:39:29 0 d-sha-w- c:\windows\Repair
2010-04-13 21:33:08 0 d-----w- c:\program files\Cobian Backup 10
2010-04-13 17:03:32 76082 ------w- C:\Malicious virus.gif
2010-04-11 03:03:36 0 d-----w- c:\docume~1\owner\applic~1\Ancient Quest of Saqqarah_alawar
2010-04-10 02:54:42 0 d-----w- c:\docume~1\owner\applic~1\PTV Game
2010-04-10 01:50:45 28 ----a-w- c:\windows\popcinfot.dat
2010-04-10 01:50:20 0 d-----w- c:\docume~1\owner\applic~1\PopCapv1003
2010-04-09 00:42:48 0 d-----w- C:\My Games
2010-04-09 00:42:40 0 d-----w- c:\docume~1\alluse~1\applic~1\AlawarGameBox
2010-04-09 00:13:05 0 d-----w- c:\docume~1\alluse~1\applic~1\PopCap Games
2010-04-09 00:12:52 0 d-----w- c:\program files\PopCap Games
2010-04-08 06:19:00 0 d-----w- c:\docume~1\alluse~1\applic~1\AlawarWrapper
2010-04-08 06:18:41 0 d-----w- c:\program files\Alawar
2010-04-07 03:50:16 0 d-----w- c:\docume~1\owner\applic~1\iWin
2010-04-07 00:27:43 0 d-----w- c:\docume~1\alluse~1\applic~1\CA
2010-04-06 16:12:50 584 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-06 15:37:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-04-06 15:35:41 0 d-----w- c:\program files\common files\iS3
2010-04-06 15:35:40 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-04-06 15:10:10 0 d-----w- c:\program files\Eusing Free Registry Cleaner
2010-04-06 14:57:22 0 d-----w- c:\program files\MRU-Blaster
2010-04-06 14:49:43 0 d-----w- c:\program files\SpywareGuard
2010-04-06 13:52:57 0 d-----w- c:\program files\SpywareBlaster
2010-04-06 00:39:36 0 d-----w- c:\docume~1\owner\applic~1\Uniblue
2010-04-05 06:22:20 0 d-----w- c:\docume~1\alluse~1\applic~1\MumboJumbo
2010-04-05 04:18:59 0 d-----w- c:\docume~1\alluse~1\applic~1\TERMINAL Studio
2010-04-05 03:14:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Playrix Entertainment
2010-04-04 13:29:36 4544 ----a-w- c:\windows\MSOClip.232
2010-04-04 13:29:35 10304 ----a-w- c:\windows\MSOPrefs.232
2010-04-04 13:14:07 0 d-----w- c:\docume~1\owner\applic~1\AVG8
2010-04-03 17:38:11 850 ----a-w- c:\windows\system32\ProductTweaks.xml
2010-04-03 17:38:11 385 ----a-w- c:\windows\system32\user_gensett.xml
2010-04-03 17:34:41 81984 ----a-w- c:\windows\system32\bdod.bin
2010-03-30 01:12:19 7168 ----a-w- c:\windows\Owner.pcb
2010-03-24 01:59:58 0 d-----w- c:\windows\system32\aliedit
2010-03-19 14:25:19 0 d-----w- C:\WordPress
2010-03-16 21:01:18 0 d-----w- C:\ZPE
2010-03-15 14:16:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

==================== Find3M ====================

2010-03-15 14:16:54 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 14:15:50 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 23:02:38 261632 ----a-w- c:\windows\PEV.exe
2010-03-11 12:38:54 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-08 00:59:36 72080 ----a-w- c:\documents and settings\owner\g2mdlhlpx.exe
2010-02-27 00:29:24 499712 ----a-w- c:\windows\iwexec.exe
2010-02-24 05:47:43 249856 ------w- c:\windows\Setup1.exe
2010-02-24 05:47:31 73216 ----a-w- c:\windows\ST6UNST.EXE

============= FINISH: 7:24:02.49 ===============


#2 Jat90 (Members, 1,515 posts; United Kingdom)

Posted 14 April 2010 - 10:31 AM

Hello, mrmahaffy

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Let's begin with ComboFix:

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.
#3 mrmahaffy (Topic Starter; Members, 16 posts; Crockett, Texas)

Posted 15 April 2010 - 08:46 AM

Thank you so very much for your help.

Below is the ComboFix Log.

Jerry

ComboFix 10-04-14.01 - Owner 04/15/2010 8:23.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.364 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\System
c:\documents and settings\Owner\System\win_qs8.jqx

.
((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-15 12:56 . 2010-04-15 12:56 3262 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{D61F7835-65DF-4662-9A71-CD51F8FC0CE4}\_3D3BEF138285965BE9C4E7.exe
2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Starfield
2010-04-15 09:00 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
2010-04-15 08:59 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe
2010-04-14 23:57 . 2010-04-14 23:57 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-14 23:57 . 2010-04-14 23:57 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-14 23:56 . 2010-04-14 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-14 23:55 . 2010-04-14 23:55 65024 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-04-14 23:55 . 2010-04-14 23:55 5120 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-04-14 23:55 . 2010-04-14 23:55 18944 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-04-14 23:55 . 2010-04-14 23:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-14 23:55 . 2010-04-14 23:55 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-04-14 23:54 . 2010-04-14 23:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-14 23:36 . 2010-04-14 23:36 2389388 ----a-w- C:\MGtools.exe
2010-04-14 22:48 . 2010-04-14 22:52 -------- d-----w- c:\program files\CCleaner
2010-04-14 02:55 . 2010-04-14 06:43 -------- d-----w- c:\program files\Bricks of Egypt
2010-04-14 02:55 . 2010-04-14 02:55 -------- d-----w- c:\program files\ReflexiveArcade
2010-04-14 02:29 . 2010-04-14 02:29 -------- d-----w- c:\program files\Shockwave.com
2010-04-13 23:23 . 2010-04-13 23:23 -------- d-----w- c:\program files\Runtime Software
2010-04-13 23:11 . 2010-04-13 23:28 -------- d-----w- c:\windows\system32\NtmsData
2010-04-13 22:39 . 2010-04-14 01:57 -------- d-sha-w- c:\windows\Repair
2010-04-13 21:34 . 2010-04-13 21:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Safe mirror
2010-04-13 21:33 . 2010-04-14 00:04 -------- d-----w- c:\program files\Cobian Backup 10
2010-04-11 03:03 . 2010-04-11 03:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Ancient Quest of Saqqarah_alawar
2010-04-10 03:25 . 2010-04-10 03:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adept Studios
2010-04-10 02:54 . 2010-04-10 03:12 -------- d-----w- c:\documents and settings\Owner\Application Data\PTV Game
2010-04-10 01:50 . 2010-04-10 02:53 28 ----a-w- c:\windows\popcinfot.dat
2010-04-10 01:50 . 2010-04-10 01:50 -------- d-----w- c:\documents and settings\Owner\Application Data\PopCapv1003
2010-04-09 00:42 . 2010-04-09 00:42 -------- d-----w- C:\My Games
2010-04-09 00:42 . 2010-04-11 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarGameBox
2010-04-09 00:13 . 2010-04-09 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2010-04-09 00:12 . 2010-04-10 02:54 -------- d-----w- c:\program files\PopCap Games
2010-04-08 06:19 . 2010-04-11 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2010-04-08 06:18 . 2010-04-11 02:56 -------- d-----w- c:\program files\Alawar
2010-04-07 03:50 . 2010-04-07 03:50 -------- d-----w- c:\documents and settings\Owner\Application Data\iWin
2010-04-07 00:27 . 2010-04-07 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2010-04-06 15:37 . 2010-04-06 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-04-06 15:35 . 2010-04-06 15:35 -------- d-----w- c:\program files\Common Files\iS3
2010-04-06 15:35 . 2010-04-06 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-04-06 15:10 . 2010-04-14 01:59 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-04-06 14:57 . 2010-04-14 01:59 -------- d-----w- c:\program files\MRU-Blaster
2010-04-06 14:49 . 2010-04-14 02:02 -------- d-----w- c:\program files\SpywareGuard
2010-04-06 13:52 . 2010-04-14 02:02 -------- d-----w- c:\program files\SpywareBlaster
2010-04-06 00:39 . 2010-04-06 00:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-04-05 06:22 . 2010-04-07 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2010-04-05 04:18 . 2010-04-05 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\TERMINAL Studio
2010-04-05 03:14 . 2010-04-05 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
2010-04-04 13:14 . 2010-04-04 13:14 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2010-04-03 17:34 . 2010-04-04 13:04 81984 ----a-w- c:\windows\system32\bdod.bin
2010-04-02 20:26 . 2010-04-02 20:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Opera
2010-04-02 20:25 . 2010-04-02 20:25 -------- d-----w- c:\program files\Opera
2010-04-01 13:42 . 2010-04-01 21:43 -------- d-----w- c:\windows\BDOSCAN8
2010-03-28 22:13 . 2010-03-28 22:13 -------- d-----w- c:\program files\Common Files\Skype
2010-03-24 01:59 . 2010-03-24 01:59 -------- d-----w- c:\windows\system32\aliedit
2010-03-19 14:25 . 2010-03-22 14:36 -------- d-----w- C:\WordPress
2010-03-16 21:01 . 2010-04-13 22:46 -------- d-----w- C:\ZPE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 09:01 . 2009-11-10 19:07 -------- d-----w- c:\documents and settings\Owner\Application Data\mjusbsp
2010-04-15 08:44 . 2009-09-15 21:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-04-15 06:55 . 2009-09-29 01:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-15 05:03 . 2009-09-15 21:22 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-04-15 00:19 . 2010-01-21 21:27 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-14 22:12 . 2009-07-06 04:48 -------- d-----w- c:\program files\Common Files\Real
2010-04-14 22:10 . 2009-07-06 08:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-14 22:05 . 2009-07-06 04:43 -------- d-----w- c:\program files\Java
2010-04-14 22:05 . 2009-07-06 04:43 -------- d-----w- c:\program files\Common Files\Java
2010-04-14 01:51 . 2009-07-06 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-14 01:51 . 2009-07-06 04:48 -------- d-----w- c:\program files\Viewpoint
2010-04-13 23:25 . 2009-09-18 21:03 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-06 18:10 . 2010-04-06 16:12 584 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-29 21:23 . 2009-09-15 21:19 -------- d-----r- c:\program files\Skype
2010-03-15 14:16 . 2009-10-04 13:53 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 14:16 . 2010-03-15 14:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 14:16 . 2009-10-04 13:53 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 14:15 . 2009-10-04 13:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 00:55 . 2010-03-12 00:55 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cc4b29a-n\msvcp71.dll
2010-03-12 00:55 . 2010-03-12 00:55 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cc4b29a-n\jmc.dll
2010-03-12 00:55 . 2010-03-12 00:55 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cc4b29a-n\msvcr71.dll
2010-03-12 00:55 . 2010-03-12 00:55 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-48104c0c-n\decora-sse.dll
2010-03-12 00:55 . 2010-03-12 00:55 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-48104c0c-n\decora-d3d.dll
2010-03-11 12:38 . 2007-07-11 20:28 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2007-07-11 20:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2007-07-11 20:21 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2007-07-11 20:28 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 15:50 . 2010-03-08 15:49 -------- d-----w- c:\documents and settings\Owner\Application Data\SmartDraw
2010-03-08 15:49 . 2005-01-10 01:26 44064 ------w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-08 00:59 . 2009-11-20 00:43 72080 ----a-w- c:\documents and settings\Owner\g2mdlhlpx.exe
2010-03-06 20:44 . 2010-03-06 20:44 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
2010-03-06 02:22 . 2010-03-06 02:22 -------- d-----w- c:\documents and settings\Owner\Application Data\FileMaker
2010-03-06 02:22 . 2009-07-06 04:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-28 23:46 . 2010-02-28 23:46 -------- d-----w- c:\program files\Atomic Alarm Clock
2010-02-27 00:29 . 2010-02-27 00:29 499712 ----a-w- c:\windows\iwexec.exe
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-03-02 04:10 6870864 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\setup2.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-03-02 04:10 743872 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\install2.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe
2010-02-24 12:31 . 2007-07-11 20:25 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 05:47 . 2010-02-24 05:47 249856 ------w- c:\windows\Setup1.exe
2010-02-24 05:47 . 2010-02-24 05:47 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-02-23 05:49 . 2010-02-23 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2010-02-21 20:47 . 2009-09-16 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-17 16:57 . 2009-07-06 03:21 2063744 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 17:37 . 2007-07-11 20:26 2186880 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-15 08:34 . 2010-02-15 07:40 -------- d-----w- c:\documents and settings\Owner\Application Data\MB3
2010-02-12 04:47 . 2007-07-11 20:20 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2007-07-11 20:27 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-11-01 160592]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2009-04-27 1742848]
"ContactKeeper Birthday reminder"="c:\program files\ContactKeeper\ContactKeeper.exe" [2009-10-20 876544]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]
"wben"="c:\program files\Starfield\Desktop Notifier\wben.exe" [2009-09-24 338456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-12-06 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
KybtecWcCaller.exe [2006-12-3 6144]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2009-10-10 22486]
Microsoft Find Fast.lnk - c:\program files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE [1997-8-6 16304]
Office Startup.lnk - c:\program files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE [1997-8-6 16304]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 14:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Namo\\WebEditor 5\\bin\\WebEditor.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/4/2009 8:53 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/4/2009 8:53 AM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/15/2010 9:15 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 9:16 AM 308064]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [11/9/2009 12:12 PM 25088]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.godaddy.com/default.aspx?ci=13334
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Identities Editor - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: Web-Based Email Tools - hxxp://email02.secureserver.net/Download.CAB
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 08:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-04-15 08:32:21
ComboFix-quarantined-files.txt 2010-04-15 13:32

Pre-Run: 121,019,162,624 bytes free
Post-Run: 121,033,256,960 bytes free

- - End Of File - - B7500C672B38F95A83D8C39177C1E986


#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:29 AM

Posted 15 April 2010 - 11:37 AM

How is your computer behaving now?

Suspicious File

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\install2.exe
c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\install.exe
c:\windows\Setup1.exe
c:\windows\system32\drivers\tcpip6.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


In your next reply, please post:
  • Jotti results
  • Gmer log

Edited by Jat90, 15 April 2010 - 11:38 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 mrmahaffy

mrmahaffy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:Crockett, Texas
  • Local time:03:29 AM

Posted 15 April 2010 - 06:28 PM

It seems to be better in certain areas. The IE browser now closes immediately. "Can't Run 16-bit Windows Program" still shows up when rebooting, and rebooting is still very slow. For now the cursor seems to do what I want it to do, with less of a mind of its own.

I have pasted the Jotti scan results and the gmer.log below.

Waiting for additional orders from headquarters.

Thanks, Jerry

==========================

Jotti Scan Results c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\install2.exe

Filename: install2.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 15 Apr 2010 23:18:35 (CET) Permalink

Additional info
File size: 743872 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 2c68803238548150b8caeae665e0edee
SHA1: de818cac37662bb0dcd64e091ce72faf054b32ee

--------------------------------------------------------------------------------

Scan Results c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\install.exe

Filename: install.exe
Status: Scanning file...
Scan taken on: Thu 15 Apr 2010 23:33:15 (CET) Permalink

File size: 743872 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 2c68803238548150b8caeae665e0edee
SHA1: de818cac37662bb0dcd64e091ce72faf054b32ee

----------------------------------------------------------------------------------

Scan Results c:\windows\Setup1.exe


Filename: Setup1.exe
Status: Scan finished. 0 out of 14 scanners reported malware.
Scan taken on: Thu 15 Apr 2010 23:30:20 (CET) Permalink

File size: 249856 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: b9917fc4c836776765e311fff84dd534
SHA1: 63cf6b3992f2058f6a5995293e1017627569f8b5

------------------------------------------------------------------------------------

Scan Results for c:\windows\system32\drivers\tcpip6.sys

Filename: tcpip6.sys
Status: Scanning file...
Scan taken on: Thu 15 Apr 2010 23:36:41 (CET) Permalink

File size: 226880 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: be4007ab8c9b62e3688fc2f469b98190
SHA1: d9e1e2d0de86f47a59e35a0f6c8f2209da870a39
Packer (Kaspersky): PE_Patch

==========================================================
==========================================================


GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 18:08:16
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE2F2320]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

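Jat90 asked for four files to be uploaded to Jotti one at a time, and the results above show that install2.exe and install.exe carry the same MD5 and SHA-1, so they are the same binary and one submission would have covered both. Hashing the candidates locally before uploading lets you skip duplicates and search VirusTotal by hash without sending the file at all. The Python script below is an added example written for this page, not something from the thread or from Jotti: the four file names are taken from Jat90's list, but the byte contents are constructed stand-ins (two of them deliberately identical), and hash_path() is there for running it against real files.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for the four files Jat90 asked to have scanned.
# Only the names come from the thread; the bytes are made up for this example.
# install2.exe and install.exe are given identical content, mirroring the
# identical MD5/SHA-1 that Jotti reported for the real pair.
SAMPLES = {
    r"c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\install2.exe": b"MZ\x90\x00" + b"installer-A" * 64,
    r"c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\install.exe": b"MZ\x90\x00" + b"installer-A" * 64,
    r"c:\windows\Setup1.exe": b"MZ\x90\x00" + b"installer-B" * 64,
    r"c:\windows\system32\drivers\tcpip6.sys": b"MZ\x90\x00" + b"driver-C" * 64,
}


def digests(data: bytes) -> dict:
    """Return the MD5, SHA-1 and SHA-256 hex digests of one in-memory blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_path(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a real file incrementally so large binaries never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def group_duplicates(samples: dict) -> dict:
    """Group paths by SHA-256 so each distinct binary is submitted exactly once."""
    groups = defaultdict(list)
    for path, data in samples.items():
        groups[digests(data)["sha256"]].append(path)
    return dict(groups)


def submission_list(samples: dict) -> list:
    """One representative path per distinct binary, with how many copies it stands for."""
    return [(paths[0], len(paths)) for paths in group_duplicates(samples).values()]


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Real files given on the command line: print their digests.
        for p in sys.argv[1:]:
            print(p, hash_path(p))
    else:
        # Constructed demo: three distinct binaries behind four paths.
        for sha, paths in group_duplicates(SAMPLES).items():
            print(sha[:16], "->", len(paths), "file(s)")
            for p in paths:
                print("   ", p)
```

Run it with no arguments to see the constructed demo, or pass paths on the command line to hash real files; a SHA-256 pasted into VirusTotal's search box tells you whether the sample has already been analysed before you upload anything.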
#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:29 AM

Posted 15 April 2010 - 06:37 PM

Hello,

Quick question: do you know of any program you installed called MagicJack, or a folder called mjusbsp?

It looks suspicious, but I thought I'd check with you beforehand.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

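The question above is the triage heuristic in action: cdloader2.exe starts from a folder under Application Data, a location any user can write to without admin rights, which is where malware tends to drop its persistence even though legitimate software such as magicJack does it too. The script below is an added example and not part of the thread. It applies that check and two related ones to the Run-key lines from the DDS log posted earlier: an executable under a user-writable profile path, a bare file name with no directory (resolved through the search path rather than a fixed location), and a value whose target file is missing (DDS marks these with [X]). The sample lines are copied from the log; the flag rules are my own and are a starting point for questions like Jat90's, not a verdict.

```python
import re

# Run-key lines copied from the DDS log earlier in this thread. DDS prints them as
# "name"="path" [date size]; an [X] means the target file was not found at scan time.
RUN_ENTRIES = r'''
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-11-01 160592]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"Power2GoExpress"="NA" [X]
'''

LINE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$')

# Directory fragments an ordinary user can write to on XP (lower-case, for matching).
# Persistence pointing into these is the tell that made mjusbsp worth a question.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


def parse_entry(line: str):
    """Parse one DDS Run-key line into a dict, or return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, path, meta = m.group("name"), m.group("path"), m.group("meta")
    entry = {"name": name, "path": path, "missing": meta == "X", "date": None, "size": None}
    if meta and meta != "X":
        parts = meta.split()
        entry["date"] = parts[0]
        if len(parts) > 1 and parts[1].isdigit():
            entry["size"] = int(parts[1])
    return entry


def assess(entry: dict) -> list:
    """Return the reasons an entry deserves a closer look (empty list = unremarkable)."""
    if entry["missing"]:
        # Points at a file that no longer exists: leftover from an uninstalled product
        # or a stub a cleaner already removed. Harmless, but worth clearing out.
        return ["target file missing ([X]); orphaned Run value"]
    reasons = []
    path = entry["path"].lower()
    if "\\" not in path:
        # No directory at all: Windows resolves the name through its search path
        # instead of a fixed location, so whatever is found first by that name runs.
        reasons.append("bare file name, resolved via search path rather than an absolute path")
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("executable lives under a user-writable profile directory")
    return reasons


def triage(log_text: str) -> list:
    """Parse every Run-key line and return (name, path, reasons) for flagged entries only."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            flagged.append((entry["name"], entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in triage(RUN_ENTRIES):
        print(f"{name:18} {path}")
        for r in reasons:
            print(f"{'':18}  - {r}")
```

On the sample lines this flags cdloader (user profile path), RTHDCPL (bare name) and Power2GoExpress (missing target), and leaves the Program Files and Windows entries alone. A flag is a prompt to ask the user what the program is, exactly as happened here, not proof of infection: magicJack really does install itself under Application Data.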

#7 mrmahaffy

mrmahaffy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:Crockett, Texas
  • Local time:03:29 AM

Posted 16 April 2010 - 01:03 PM

Yes, it is a utility that plugs into a USB port to make phone calls through, for free calling.

http://www.magicjack.com/6/index.asp

#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:29 AM

Posted 16 April 2010 - 04:49 PM

Hello,

Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 mrmahaffy

mrmahaffy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:Crockett, Texas
  • Local time:03:29 AM

Posted 16 April 2010 - 06:42 PM

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3999

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/16/2010 6:40:01 PM
mbam-log-2010-04-16 (18-40-01).txt

Scan type: Quick scan
Objects scanned: 112357
Time elapsed: 7 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:29 AM

Posted 17 April 2010 - 10:01 AM

Hello,

It looks like mostly everything is gone; MBAM caught some adware there, but it shouldn't be anything to worry about.

How is your PC now? Let's perform an online scan to clarify:

ESET Online Scan

I'd like us to scan your machine with ESET OnlineScan.
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Edited by Jat90, 17 April 2010 - 10:01 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#11 mrmahaffy

mrmahaffy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:Crockett, Texas
  • Local time:03:29 AM

Posted 18 April 2010 - 10:58 AM

I ran the ESET scanner four times and all four times it said no problems found.

However, the notice below still shows up when rebooting for no reason and does give a clue as to which program.

Also, this morning my cursor developed a mind of its own again. Other than that, the computer seems to respond much faster.

#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:29 AM

Posted 18 April 2010 - 12:03 PM

Hello,

CFScript

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\popcinfot.dat
c:\windows\iwexec.exe
c:\windows\system32\bdod.bin

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

That error message you've shown can occur if Config.nt or Autoexec.nt are missing or corrupt. Let's try these steps:
  1. Click Start, click Run, type c:\windows\repair, and then click OK.
  2. Right-click Autoexec.nt, and then click Copy.
  3. Click Start, click Run, type c:\windows\system32, and then click OK.
  4. Right-click anywhere in that folder, and then click Paste.
  5. Right-click the Autoexec.nt file that you just copied, and then click Properties.
  6. Click to select Read-Only, and then click OK.
  7. Repeat steps 1 through 6 to copy the Config.nt file.
Note: You must enable Read-Only permissions or the files will be removed after you restart Windows.


As for your mouse going crazy, I don't know what that's down to. But let me know if your error message still appears.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

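The CFScript above is terse, and the post does not say what its lines do. As an added example (not ComboFix's own code or anything from the thread), here is a small parser that turns a CFScript into a readable plan so you can review it before dragging it onto ComboFix.exe. It handles the two section types used above: File:: lists files to delete, one path per line, and Registry:: uses REGEDIT4 syntax, in which [KEY] selects a key, [-KEY] deletes it, "name"=- deletes a value and "name"=<data> writes one. Any other section is collected without interpretation; that is an assumption made here so nothing is dropped silently.

```python
import re

# The script from the post above, reproduced verbatim as the sample input.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\popcinfot.dat
c:\windows\iwexec.exe
c:\windows\system32\bdod.bin

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_cfscript(text: str) -> dict:
    """Turn a CFScript into a plan: files to delete and registry keys/values to change.

    File::     one path per line, each to be deleted.
    Registry:: REGEDIT4 syntax: [KEY] selects a key, [-KEY] deletes the key,
               "name"=- deletes a value, "name"=<data> writes a value.
    Other sections are kept under 'other' uninterpreted (assumption made here).
    """
    plan = {"files": [], "registry": [], "other": {}}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            current_key = None
            continue
        if section is None:
            raise ValueError(f"content before first section header: {line!r}")
        if section == "File":
            plan["files"].append(line)
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                plan["registry"].append({"action": "delete_key", "key": line[2:-1], "value": None, "data": None})
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            else:
                m = VALUE_RE.match(line)
                if not m:
                    raise ValueError(f"unparseable Registry:: line: {line!r}")
                if current_key is None:
                    raise ValueError(f"value line before any [KEY]: {line!r}")
                data = m.group("data")
                action = "delete_value" if data == "-" else "set_value"
                plan["registry"].append({
                    "action": action,
                    "key": current_key,
                    "value": m.group("name"),
                    "data": None if action == "delete_value" else data,
                })
        else:
            plan["other"].setdefault(section, []).append(line)
    return plan


def describe_plan(plan: dict) -> list:
    """One human-readable line per action, for review before running ComboFix."""
    lines = [f"delete file   {p}" for p in plan["files"]]
    for r in plan["registry"]:
        if r["action"] == "delete_key":
            lines.append(f"delete key    {r['key']}")
        elif r["action"] == "delete_value":
            lines.append(f"delete value  {r['value']!r} under {r['key']}")
        else:
            lines.append(f"set value     {r['value']!r} = {r['data']} under {r['key']}")
    for sec, items in plan["other"].items():
        lines.extend(f"{sec}:: (uninterpreted) {item}" for item in items)
    return lines


if __name__ == "__main__":
    for line in describe_plan(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(line)
```

For the script above this prints three file deletions and one value deletion: the "Power2GoExpress"=- line removes the orphaned Run value that the DDS log showed as "NA" [X], it does not touch the key itself.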

#13 mrmahaffy

mrmahaffy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:Crockett, Texas
  • Local time:03:29 AM

Posted 19 April 2010 - 10:55 AM

Thanks Jat90,

The ComboFix log is below.

As for the other instructions, there was no Autoexec.nt or Config.nt in the c:\windows\repair folder.

I copied those files from the C:\windows\system32 folder to the c:\windows\repair folder and set both to Read Only.

On rebooting, the same banner appears.


===============================================================

ComboFix 10-04-18.04 - Owner 04/19/2010 10:31:33.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.320 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\iwexec.exe"
"c:\windows\popcinfot.dat"
"c:\windows\system32\bdod.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\iwexec.exe
c:\windows\popcinfot.dat
c:\windows\system32\bdod.bin

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
.
((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-19 04:07 . 2010-04-19 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-04-19 04:07 . 2010-04-19 04:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-04-19 04:07 . 2010-04-19 04:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2010-04-19 04:07 . 2010-04-19 05:17 -------- d-----w- c:\program files\Yahoo!
2010-04-18 12:51 . 2010-04-18 12:51 -------- d-----w- c:\windows\LastGood
2010-04-18 11:09 . 2010-04-18 11:09 -------- d-----w- c:\program files\Starfield
2010-04-17 20:14 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
2010-04-17 20:14 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe
2010-04-17 15:29 . 2010-04-17 15:29 -------- d-----w- c:\program files\ESET
2010-04-16 23:09 . 2010-04-16 23:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-16 23:08 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-16 23:08 . 2010-04-16 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-16 23:08 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 23:08 . 2010-04-16 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-15 21:45 . 2010-04-15 21:47 -------- d-----w- C:\Gimer
2010-04-14 23:57 . 2010-04-14 23:57 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-14 23:57 . 2010-04-14 23:57 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-14 23:56 . 2010-04-14 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-14 23:55 . 2010-04-14 23:55 65024 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-04-14 23:55 . 2010-04-14 23:55 5120 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-04-14 23:55 . 2010-04-14 23:55 18944 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-04-14 23:55 . 2010-04-16 00:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-14 23:55 . 2010-04-14 23:55 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-04-14 23:54 . 2010-04-14 23:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-14 23:36 . 2010-04-14 23:36 2389388 ----a-w- C:\MGtools.exe
2010-04-14 22:48 . 2010-04-14 22:52 -------- d-----w- c:\program files\CCleaner
2010-04-14 02:55 . 2010-04-14 06:43 -------- d-----w- c:\program files\Bricks of Egypt
2010-04-14 02:55 . 2010-04-14 02:55 -------- d-----w- c:\program files\ReflexiveArcade
2010-04-14 02:29 . 2010-04-14 02:29 -------- d-----w- c:\program files\Shockwave.com
2010-04-13 23:23 . 2010-04-13 23:23 -------- d-----w- c:\program files\Runtime Software
2010-04-13 23:11 . 2010-04-13 23:28 -------- d-----w- c:\windows\system32\NtmsData
2010-04-13 22:39 . 2010-04-14 01:57 -------- d-sha-w- c:\windows\Repair
2010-04-13 21:34 . 2010-04-13 21:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Safe mirror
2010-04-13 21:33 . 2010-04-14 00:04 -------- d-----w- c:\program files\Cobian Backup 10
2010-04-11 03:03 . 2010-04-11 03:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Ancient Quest of Saqqarah_alawar
2010-04-10 03:25 . 2010-04-10 03:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adept Studios
2010-04-10 02:54 . 2010-04-10 03:12 -------- d-----w- c:\documents and settings\Owner\Application Data\PTV Game
2010-04-10 01:50 . 2010-04-10 01:50 -------- d-----w- c:\documents and settings\Owner\Application Data\PopCapv1003
2010-04-09 00:42 . 2010-04-09 00:42 -------- d-----w- C:\My Games
2010-04-09 00:42 . 2010-04-11 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarGameBox
2010-04-09 00:13 . 2010-04-09 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2010-04-09 00:12 . 2010-04-10 02:54 -------- d-----w- c:\program files\PopCap Games
2010-04-08 06:19 . 2010-04-11 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2010-04-08 06:18 . 2010-04-11 02:56 -------- d-----w- c:\program files\Alawar
2010-04-07 03:50 . 2010-04-07 03:50 -------- d-----w- c:\documents and settings\Owner\Application Data\iWin
2010-04-07 00:27 . 2010-04-07 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2010-04-06 15:37 . 2010-04-06 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-04-06 15:35 . 2010-04-06 15:35 -------- d-----w- c:\program files\Common Files\iS3
2010-04-06 15:35 . 2010-04-06 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-04-06 15:10 . 2010-04-14 01:59 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-04-06 14:57 . 2010-04-14 01:59 -------- d-----w- c:\program files\MRU-Blaster
2010-04-06 14:49 . 2010-04-14 02:02 -------- d-----w- c:\program files\SpywareGuard
2010-04-06 13:52 . 2010-04-14 02:02 -------- d-----w- c:\program files\SpywareBlaster
2010-04-06 00:39 . 2010-04-06 00:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-04-05 06:22 . 2010-04-07 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2010-04-05 04:18 . 2010-04-05 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\TERMINAL Studio
2010-04-05 03:14 . 2010-04-05 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
2010-04-04 13:14 . 2010-04-04 13:14 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2010-04-02 20:26 . 2010-04-02 20:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Opera
2010-04-02 20:25 . 2010-04-02 20:25 -------- d-----w- c:\program files\Opera
2010-04-01 13:42 . 2010-04-01 21:43 -------- d-----w- c:\windows\BDOSCAN8
2010-03-28 22:13 . 2010-03-28 22:13 -------- d-----w- c:\program files\Common Files\Skype
2010-03-24 01:59 . 2010-03-24 01:59 -------- d-----w- c:\windows\system32\aliedit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 15:38 . 2009-09-15 21:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-04-19 13:32 . 2009-09-15 21:22 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-04-19 03:39 . 2010-01-21 21:27 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-19 02:09 . 2009-09-29 01:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-17 20:15 . 2009-11-10 19:07 -------- d-----w- c:\documents and settings\Owner\Application Data\mjusbsp
2010-04-16 00:28 . 2009-09-18 21:03 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-14 22:12 . 2009-07-06 04:48 -------- d-----w- c:\program files\Common Files\Real
2010-04-14 22:10 . 2009-07-06 08:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-14 22:05 . 2009-07-06 04:43 -------- d-----w- c:\program files\Java
2010-04-14 22:05 . 2009-07-06 04:43 -------- d-----w- c:\program files\Common Files\Java
2010-04-14 01:51 . 2009-07-06 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-14 01:51 . 2009-07-06 04:48 -------- d-----w- c:\program files\Viewpoint
2010-04-06 18:10 . 2010-04-06 16:12 584 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-29 21:23 . 2009-09-15 21:19 -------- d-----r- c:\program files\Skype
2010-03-15 14:16 . 2009-10-04 13:53 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 14:16 . 2010-03-15 14:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 14:16 . 2009-10-04 13:53 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 14:15 . 2009-10-04 13:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 00:55 . 2010-03-12 00:55 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cc4b29a-n\msvcp71.dll
2010-03-12 00:55 . 2010-03-12 00:55 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cc4b29a-n\jmc.dll
2010-03-12 00:55 . 2010-03-12 00:55 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1cc4b29a-n\msvcr71.dll
2010-03-12 00:55 . 2010-03-12 00:55 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-48104c0c-n\decora-sse.dll
2010-03-12 00:55 . 2010-03-12 00:55 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-48104c0c-n\decora-d3d.dll
2010-03-11 12:38 . 2007-07-11 20:28 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2007-07-11 20:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2007-07-11 20:21 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2007-07-11 20:28 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 15:50 . 2010-03-08 15:49 -------- d-----w- c:\documents and settings\Owner\Application Data\SmartDraw
2010-03-08 15:49 . 2005-01-10 01:26 44064 ------w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-08 00:59 . 2009-11-20 00:43 72080 ----a-w- c:\documents and settings\Owner\g2mdlhlpx.exe
2010-03-06 20:44 . 2010-03-06 20:44 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
2010-03-06 02:22 . 2010-03-06 02:22 -------- d-----w- c:\documents and settings\Owner\Application Data\FileMaker
2010-03-06 02:22 . 2009-07-06 04:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-28 23:46 . 2010-02-28 23:46 -------- d-----w- c:\program files\Atomic Alarm Clock
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-03-02 04:10 6870864 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\setup2.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-03-02 04:10 743872 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\install2.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe
2010-02-24 12:31 . 2007-07-11 20:25 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 05:47 . 2010-02-24 05:47 249856 ------w- c:\windows\Setup1.exe
2010-02-24 05:47 . 2010-02-24 05:47 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-02-23 05:49 . 2010-02-23 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2010-02-21 20:47 . 2009-09-16 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-17 16:57 . 2009-07-06 03:21 2063744 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 17:37 . 2007-07-11 20:26 2186880 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-12 04:47 . 2007-07-11 20:20 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2007-07-11 20:27 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-15_13.30.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-17 20:13 . 2010-04-17 20:13 16384 c:\windows\Temp\Perflib_Perfdata_190.dat
+ 2010-04-19 04:07 . 2010-04-19 04:07 21504 c:\windows\Installer\6d9c828.msi
+ 2009-12-22 02:09 . 2009-12-22 02:09 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-22 07:57 . 2009-12-22 07:57 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-22 02:02 . 2009-12-22 02:02 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-22 05:21 . 2009-12-22 05:21 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-22 05:37 . 2009-12-22 05:37 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-22 00:39 . 2009-12-22 00:39 15288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-22 00:27 . 2009-12-22 00:27 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-22 00:27 . 2009-12-22 00:27 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
+ 2010-04-18 11:10 . 2010-04-18 11:10 3262 c:\windows\Installer\{D61F7835-65DF-4662-9A71-CD51F8FC0CE4}\_3D3BEF138285965BE9C4E7.exe
+ 2010-04-18 11:10 . 2010-04-18 11:10 102400 c:\windows\Installer\3349fa1.msi
+ 2009-12-22 00:35 . 2009-12-22 00:35 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-22 02:05 . 2009-12-22 02:05 116168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe
+ 2009-12-22 00:34 . 2009-12-22 00:34 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-10 01:18 . 2009-11-10 01:18 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-22 02:02 . 2009-12-22 02:02 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-22 00:43 . 2009-12-22 00:43 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-22 07:57 . 2009-12-22 07:57 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-22 00:15 . 2009-12-22 00:15 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-22 01:32 . 2009-12-22 01:32 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-22 01:15 . 2009-12-22 01:15 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2009-12-22 00:29 . 2009-12-22 00:29 2409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-22 05:31 . 2009-12-22 05:31 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 c:\windows\Installer\45ecec0.msp
+ 2009-12-22 05:21 . 2009-12-22 05:21 20436408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-11-01 160592]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2009-04-27 1742848]
"ContactKeeper Birthday reminder"="c:\program files\ContactKeeper\ContactKeeper.exe" [2009-10-20 876544]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]
"wben"="c:\program files\Starfield\Desktop Notifier\wben.exe" [2009-09-24 338456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-12-06 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
KybtecWcCaller.exe [2006-12-3 6144]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2009-10-10 22486]
Microsoft Find Fast.lnk - c:\program files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE [1997-8-6 16304]
Office Startup.lnk - c:\program files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE [1997-8-6 16304]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 14:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Namo\\WebEditor 5\\bin\\WebEditor.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/4/2009 8:53 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/4/2009 8:53 AM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/15/2010 9:15 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 9:16 AM 308064]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [11/9/2009 12:12 PM 25088]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Identities Editor - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: Web-Based Email Tools - hxxp://email02.secureserver.net/Download.CAB
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 10:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-04-19 10:40:57
ComboFix-quarantined-files.txt 2010-04-19 15:40
ComboFix2.txt 2010-04-15 13:32

Pre-Run: 120,980,422,656 bytes free
Post-Run: 120,953,012,224 bytes free

- - End Of File - - 2EDBFE3077B0EE81F11318A35DFAC2CF

Edited by mrmahaffy, 19 April 2010 - 11:44 AM.


#14 Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:29 AM

Posted 19 April 2010 - 02:11 PM

Hello,

Copying those files to the repair folder is probably a bad idea, since if they were corrupt in their original location, they will now also be corrupt in the repair folder, which is of no use really. However, I see you haven't installed the latest Service Pack (3) from Microsoft; try installing that with the other Windows updates and that may resolve the issue. However, don't do that until your PC is clean.

ESET Online Scan

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please post:
  • ESET log
  • MBAM log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#15 mrmahaffy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Male
  • Location:Crockett, Texas
  • Local time:03:29 AM

Posted 20 April 2010 - 07:17 PM

Here are the next two scan results, Jat90.

==================================
ESET SCAN
==================================


C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP262\A0147873.exe a variant of Win32/Adware.Gamevance.AF application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP262\A0147874.dll a variant of Win32/Adware.Gamevance.AE application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP262\snapshot\MFEX-2.DAT a variant of Win32/Adware.Gamevance.AF application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP262\snapshot\MFEX-3.DAT a variant of Win32/Adware.Gamevance.AE application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP263\A0148068.exe a variant of Win32/Adware.Gamevance.AF application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP263\A0148074.exe a variant of Win32/Adware.Gamevance.AF application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP263\A0148076.dll a variant of Win32/Adware.Gamevance.AE application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP311\A0156610.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP311\A0156611.DLL Win32/Toolbar.MyWebSearch.G application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP311\A0156612.DLL a variant of Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP311\A0156613.DLL a variant of Win32/Toolbar.MyWebSearch.G application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP311\A0156615.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP311\A0156616.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0156830.dll Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0156907.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157027.scr Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157029.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157030.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157031.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157032.DLL a variant of Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157035.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157036.SCR Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157037.DLL a variant of Win32/Toolbar.MyWebSearch.G application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157038.DLL a variant of Win32/Toolbar.MyWebSearch.D application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157039.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157040.EXE Win32/Adware.FunWeb application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157043.DLL Win32/Toolbar.MyWebSearch.H application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157044.DLL a variant of Win32/Toolbar.MyWebSearch.I application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157045.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157046.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157047.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157049.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157051.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157052.DLL a variant of Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157055.EXE a variant of Win32/Toolbar.MyWebSearch.J application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157056.EXE a variant of Win32/Toolbar.MyWebSearch.I application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157058.DLL a variant of Win32/Toolbar.MyWebSearch.J application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157060.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157062.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157070.DLL Win32/Toolbar.MyWebSearch.G application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157071.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP316\A0157072.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP319\A0157168.dll Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP319\A0157224.dll probably a variant of Win32/Adware.Gamevance.AG application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP320\A0157332.dll probably a variant of Win32/Adware.Gamevance.AE application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP326\A0158709.exe probably a variant of Win32/Statik application
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP338\A0162732.exe probably a variant of Win32/Agent trojan

================================
Malwarebytes' Anti-Malware 1.45
================================


www.malwarebytes.org

Database version: 3999

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/20/2010 7:08:06 PM
MalwareBytes Log

Scan type: Full scan (C:\|D:\|J:\|K:\|)
Objects scanned: 196687
Time elapsed: 55 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP311\A0156611.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP311\A0156613.DLL (Adware.MyWebSearch) -> No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP311\A0156615.DLL (Adware.MyWebSearch) -> No action taken.