
Anti-Virus Popup: Resent to here


  • This topic is locked
10 replies to this topic

#1 bladekmaster

  • Members
  • 24 posts

Posted 23 May 2010 - 12:30 PM

http://www.bleepingcomputer.com/forums/t/317727/anti-virus-popup/

Above is the problem I had. I was sent here by a moderator. I had a pop-up of an Adware advertisement. The moderator then said, after I posted various logs, that I have to come here to a malware removal team.

Here is the DDS log. The GMER log is in the other post.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Pop at 13:07:50.00 on Sun 05/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.98 [GMT -5:00]

AV: Security Guard *On-access scanning enabled* (Outdated) {D9F5A7E5-9344-4D97-8591-D5AF33FEBC90}
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Security Guard *enabled* {C09EA8D4-9F04-4946-9E14-9B8B0E724F6F}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ooVoo\oovoo.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Pop\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {ad6a11e7-2a5a-4c3b-a070-d97e72d85a35} - dedufaro.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [ooVoo.exe] "c:\program files\oovoo\oovoo.exe" /minimized
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [SigmatelSysTrayApp] "stsystra.exe"
mRun: [RealTray] "c:\program files\real\realplayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
mRun: [Bar] "c:\documents and settings\pop\local settings\temporary internet files\content.ie5\8f0mudtj\access[1].exe"
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
dRun: [Security Guard] "c:\documents and settings\all users\application data\575d0\SGd1f.exe" /s /d
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\pop\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://download-games.pogo.com/online2/pogo/luxor_amun_rising/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game06.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options -
IFEO: install.exe -
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-13 29808]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-2-27 1201640]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-12-21 28672]
S3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [2008-12-25 3072]

=============== Created Last 30 ================

2010-05-23 18:06:18 0 ----a-w- c:\documents and settings\pop\defogger_reenable
2010-05-22 14:31:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-22 14:31:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-22 14:31:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 02:16:21 0 d-----w- C:\Cache
2010-05-16 19:52:51 0 d-----w- c:\program files\ABBYY FineReader 6.0
2010-05-16 19:52:51 0 d-----w- c:\program files\ABBYY FineReader 5.0 Sprint
2010-05-16 19:51:42 0 d-----w- c:\program files\FaxTools
2010-05-16 19:48:02 76 ----a-w- c:\windows\dellstat.ini
2010-05-16 19:46:09 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-05-16 19:46:09 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-05-16 19:46:03 983107 ----a-w- c:\windows\system32\LXCZGF.DLL
2010-05-16 19:46:03 69632 ----a-w- c:\windows\system32\lxczscin.dll
2010-05-16 19:46:03 356352 ----a-w- c:\windows\system32\LXCZUTIL.DLL
2010-05-16 19:46:02 57344 ----a-w- c:\windows\system32\lxczcinf.dll
2010-05-16 19:46:02 49152 ----a-w- c:\windows\system32\lxczcoin.dll
2010-05-16 19:46:02 270 ----a-w- c:\windows\system32\lxczcoin.ini
2010-05-16 19:45:57 458752 ----a-w- c:\windows\system32\LXCZJSWR.DLL
2010-05-16 19:45:56 0 d-----w- c:\program files\Lexmark 1200 Series
2010-05-16 19:43:26 299520 ----a-w- c:\windows\uninst.exe
2010-05-12 22:12:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Musicnotes
2010-05-12 22:11:05 0 d-----w- c:\docume~1\pop\applic~1\Sibelius Software
2010-05-12 22:09:40 0 d-----w- c:\program files\Musicnotes
2010-05-09 03:57:18 0 d-----w- c:\program files\Runes of Magic
2010-05-08 23:26:35 0 d-----w- c:\docume~1\pop\applic~1\FOG Downloader
2010-05-08 22:48:47 0 ----a-w- c:\documents and settings\pop\jagex__preferences3.dat
2010-05-08 22:48:46 75 ----a-w- c:\documents and settings\pop\jagex_runescape_preferences2.dat
2010-05-08 22:47:15 41 ----a-w- c:\documents and settings\pop\jagex_runescape_preferences.dat
2010-05-08 22:46:48 0 d-----w- c:\windows\.jagex_cache_32
2010-05-08 21:54:37 0 ----a-w- c:\windows\system32\drivers\SET667.tmp
2010-05-07 21:57:56 0 d-----w- c:\program files\Buena Vista Interactive
2010-05-07 02:09:32 313 ----a-w- c:\windows\EReg515.dat
2010-05-07 02:06:54 1372 ----a-w- c:\windows\disney.ini
2010-04-25 04:15:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard
2010-04-24 23:17:14 0 d-----w- c:\program files\common files\Blizzard Entertainment

==================== Find3M ====================

2010-05-14 10:29:54 5822 ----a-w- c:\docume~1\pop\applic~1\wklnhst.dat
2010-05-13 04:26:44 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-12 22:15:28 58548 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-05-05 13:04:24 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-04-06 04:22:37 2713 --sh--w- c:\windows\system32\kazokizi.exe
2010-04-05 02:37:02 2713 --sh--w- c:\windows\system32\gilefede.exe
2010-04-04 14:35:57 2713 --sh--w- c:\windows\system32\modubelo.exe
2010-04-03 03:29:43 2713 --sh--w- c:\windows\system32\ronurogo.exe
2010-04-02 03:07:17 2713 --sh--w- c:\windows\system32\tilayuda.exe
2010-03-25 10:25:54 2713 --sh--w- c:\windows\system32\batiweja.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 16:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-05-30 15:46:52 56 --sh--r- c:\windows\system32\8E5818C53D.sys
2009-05-30 15:46:53 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-18 23:30:44 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081820090819\index.dat

============= FINISH: 13:09:15.71 ===============
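The DDS output above is read by hand in this thread. As an added example that is not part of the original post or of the DDS tool, the Python helper below parses the Run, Hosts and Find3M line formats shown in the log and flags the three patterns visible in it: autoruns launched from user-writable folders, HOSTS entries pointing several domains at one non-loopback address, and clusters of same-size hidden+system executables with random eight-letter names in system32. The sample lines are copied from the posted log; the rule thresholds and category names are my own assumptions.

```python
"""Triage helper for DDS-style logs (added example, not part of DDS)."""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
mRun: [Bar] "c:\documents and settings\pop\local settings\temporary internet files\content.ie5\8f0mudtj\access[1].exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
dRun: [Security Guard] "c:\documents and settings\all users\application data\575d0\SGd1f.exe" /s /d
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
2010-04-06 04:22:37 2713 --sh--w- c:\windows\system32\kazokizi.exe
2010-04-05 02:37:02 2713 --sh--w- c:\windows\system32\gilefede.exe
2010-04-04 14:35:57 2713 --sh--w- c:\windows\system32\modubelo.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-05-30 15:46:53 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
"""

# DDS prefixes: u = HKCU, m = HKLM, d = default-user hive (applies to new profiles).
HIVE = {"u": "HKCU", "m": "HKLM", "d": "Default User"}
RUN_RE = re.compile(r'^([umd])Run: \[(?P<name>[^\]]+)\] "(?P<path>[^"]+)"(?P<args>.*)$')
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
# Find3M / "Created Last 30" rows: date time size attributes path.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attr>[-a-z]{8}) (?P<path>.+)$"
)
# Eight lowercase letters directly under system32 (assumed heuristic for this log).
RANDOM_NAME_RE = re.compile(r"\\system32\\[a-z]{8}\.exe$")
# Folders a limited user can write to; a legitimate autorun rarely lives there.
USER_WRITABLE = ("\\temporary internet files\\", "\\application data\\")
LOOPBACK = {"127.0.0.1", "::1"}


def triage(log_text):
    """Return a list of (category, detail) findings for the given DDS text."""
    findings = []
    hosts = defaultdict(list)
    sh_files = []  # (size, path) of files flagged system+hidden

    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            path = m.group("path").lower()
            if any(marker in path for marker in USER_WRITABLE):
                findings.append(("autorun_user_writable",
                                 f"{HIVE[m.group(1)]} [{m.group('name')}] {m.group('path')}"))
        elif m := HOSTS_RE.match(line):
            hosts[m.group("ip")].append(m.group("host"))
        elif m := FILE_RE.match(line):
            attr = m.group("attr")
            # In the DDS attribute string, position 2 is 's' (system), 3 is 'h' (hidden).
            if attr[2] == "s" and attr[3] == "h":
                sh_files.append((int(m.group("size")), m.group("path")))

    # A clean home HOSTS file maps names only to loopback; anything else is a redirect.
    for ip, names in hosts.items():
        if ip not in LOOPBACK:
            findings.append(("hosts_redirect",
                             f"{len(names)} domains -> {ip}: {', '.join(sorted(names))}"))

    # Several random-named system+hidden files of identical size are one dropper's output.
    by_size = defaultdict(list)
    for size, path in sh_files:
        if RANDOM_NAME_RE.search(path):
            by_size[size].append(path)
    for size, paths in by_size.items():
        if len(paths) >= 2:
            findings.append(("sh_size_cluster",
                             f"{len(paths)} hidden+system files of {size} bytes: "
                             + ", ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```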



#2 Farbar

    Just Curious

  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 May 2010 - 12:58 PM

Hi bladekmaster,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#3 bladekmaster
  • Topic Starter

  • Members
  • 24 posts

Posted 23 May 2010 - 01:20 PM

I can't get on the Internet. My task bar is grey and not blue. There must have been some change. What do I do to go on the Internet? I am using my iPod... I tried to go into safe mode but the same result is happening.

#4 Farbar

    Just Curious

  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 May 2010 - 01:33 PM

Can you download the tools and transfer them to the infected computer?

#5 bladekmaster
  • Topic Starter

  • Members
  • 24 posts

Posted 23 May 2010 - 02:47 PM

Sorry, never mind. It was something with my modem.
Here is the log.


ComboFix 10-05-23.01 - Pop 05/23/2010 14:15:50.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.263 [GMT -5:00]
Running from: c:\documents and settings\Pop\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Nessa\Application Data\Microsoft\HTML Help\hh.dat
c:\documents and settings\Pop\Application Data\Microsoft\HTML Help\hh.dat
c:\documents and settings\Pop\Local Settings\Temporary Internet Files\0p0de3oQ.jpg
c:\documents and settings\Pop\Local Settings\Temporary Internet Files\8qN3G15Lc.jpg
c:\documents and settings\Pop\Local Settings\Temporary Internet Files\ewI86KBX0.jpg
c:\documents and settings\Pop\Local Settings\Temporary Internet Files\G5x5kD.jpg
c:\windows\system32\batiweja.exe
c:\windows\system32\config\systemprofile\Application Data\Microsoft\dtPaper
c:\windows\system32\config\systemprofile\Application Data\Microsoft\dtPaper\1.html
c:\windows\system32\config\systemprofile\Application Data\Microsoft\dtPaper\cfg.msg
c:\windows\system32\config\systemprofile\Application Data\Microsoft\dtPaper\tmp.bmp
c:\windows\system32\gilefede.exe
c:\windows\system32\kazokizi.exe
c:\windows\system32\modubelo.exe
c:\windows\system32\ronurogo.exe
c:\windows\system32\tilayuda.exe
c:\windows\Tasks.\eqipmwod.job
c:\windows\Tasks.\lonbieyi.job
c:\windows\Tasks.\ppakyujb.job
c:\windows\Tasks.\eqipmwod.job . . . . failed to delete
c:\windows\Tasks.\lonbieyi.job . . . . failed to delete
c:\windows\Tasks.\ppakyujb.job . . . . failed to delete

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-22 14:31 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-22 14:31 . 2010-05-22 14:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-22 14:31 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-19 02:16 . 2010-05-19 02:16 -------- d-----w- C:\Cache
2010-05-19 01:15 . 2010-05-22 14:52 -------- d-----w- c:\documents and settings\Pop\Local Settings\Application Data\juiedycoh
2010-05-16 19:52 . 2010-05-16 19:53 -------- d-----w- c:\program files\ABBYY FineReader 5.0 Sprint
2010-05-16 19:52 . 2010-05-16 19:52 -------- d-----w- c:\program files\ABBYY FineReader 6.0
2010-05-16 19:52 . 2002-05-14 21:50 11264 ------w- c:\windows\system32\Spool\prtprocs\w32x86\wfxprint2000.dll
2010-05-16 19:51 . 2010-05-16 19:52 -------- d-----w- c:\program files\FaxTools
2010-05-16 19:51 . 2010-05-16 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-05-16 19:46 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-05-16 19:46 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-05-16 19:46 . 2006-07-13 05:45 69632 ----a-w- c:\windows\system32\lxczscin.dll
2010-05-16 19:46 . 2006-07-13 05:17 356352 ----a-w- c:\windows\system32\LXCZUTIL.DLL
2010-05-16 19:46 . 2006-01-12 04:32 983107 ----a-w- c:\windows\system32\LXCZGF.DLL
2010-05-16 19:46 . 2006-07-13 05:45 57344 ----a-w- c:\windows\system32\lxczcinf.dll
2010-05-16 19:46 . 2006-07-13 05:45 49152 ----a-w- c:\windows\system32\lxczcoin.dll
2010-05-16 19:45 . 2006-07-13 05:22 458752 ----a-w- c:\windows\system32\LXCZJSWR.DLL
2010-05-16 19:45 . 2010-05-16 19:47 -------- d-----w- c:\program files\Lexmark 1200 Series
2010-05-16 19:43 . 1997-04-09 01:08 299520 ----a-w- c:\windows\uninst.exe
2010-05-12 22:12 . 2010-05-13 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-05-12 22:11 . 2010-05-12 22:11 -------- d-----w- c:\documents and settings\Pop\Application Data\Sibelius Software
2010-05-12 22:09 . 2010-05-12 22:10 -------- d-----w- c:\program files\Musicnotes
2010-05-09 03:57 . 2010-05-13 00:37 -------- d-----w- c:\program files\Runes of Magic
2010-05-08 23:26 . 2010-05-08 23:26 -------- d-----w- c:\documents and settings\Pop\Application Data\FOG Downloader
2010-05-08 22:48 . 2010-05-08 22:48 0 ----a-w- c:\documents and settings\Pop\jagex__preferences3.dat
2010-05-08 22:48 . 2010-05-08 22:51 75 ----a-w- c:\documents and settings\Pop\jagex_runescape_preferences2.dat
2010-05-08 22:47 . 2010-05-08 22:49 41 ----a-w- c:\documents and settings\Pop\jagex_runescape_preferences.dat
2010-05-08 22:46 . 2010-05-08 22:46 -------- d-----w- c:\windows\.jagex_cache_32
2010-05-07 21:57 . 2010-05-07 21:57 -------- d-----w- c:\program files\Buena Vista Interactive
2010-05-07 02:09 . 2010-05-07 21:59 313 ----a-w- c:\windows\EReg515.dat
2010-04-25 04:15 . 2010-04-25 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2010-04-24 23:21 . 2010-04-24 23:21 -------- d-----w- c:\documents and settings\Pop\Local Settings\Application Data\Blizzard Entertainment
2010-04-24 23:17 . 2010-05-10 12:27 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 18:00 . 2009-04-06 22:14 -------- d-----w- c:\documents and settings\Nessa\Application Data\LimeWire
2010-05-22 17:00 . 2009-04-07 01:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-18 11:07 . 2009-03-10 23:21 -------- d-----w- c:\documents and settings\Pop\Application Data\LimeWire
2010-05-16 19:51 . 2005-12-15 06:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-14 10:29 . 2009-03-03 21:49 5822 ----a-w- c:\documents and settings\Pop\Application Data\wklnhst.dat
2010-05-13 11:54 . 2009-03-06 01:46 87848 -c--a-w- c:\documents and settings\Nessa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-13 04:26 . 2010-04-02 18:57 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-12 22:15 . 2009-03-03 01:31 58548 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-05-12 22:12 . 2009-02-28 02:46 87848 -c--a-w- c:\documents and settings\Pop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-08 22:32 . 2010-02-18 22:29 -------- d-----w- c:\program files\UltraISO
2010-05-08 21:54 . 2010-05-08 21:54 0 ----a-w- c:\windows\system32\drivers\SET667.tmp
2010-04-17 21:16 . 2010-04-17 21:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-04-17 21:10 . 2010-04-17 21:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-04-16 00:28 . 2010-04-13 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 21:23 . 2010-04-14 21:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-04-13 21:39 . 2010-04-13 21:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-09 02:28 . 2010-04-09 02:28 -------- d-----w- c:\documents and settings\Pop\Application Data\ooVoo Details
2010-04-09 02:28 . 2010-04-09 02:27 -------- d-----w- c:\program files\ooVoo
2010-04-09 02:07 . 2009-08-26 05:21 -------- d-----w- c:\program files\Yahoo!
2010-04-09 02:06 . 2010-02-22 00:42 -------- d-----w- c:\program files\WinSCP3
2010-04-09 02:02 . 2009-06-25 05:12 -------- d-----w- c:\program files\TuneUp Utilities 2009
2010-04-09 01:58 . 2010-01-18 01:59 -------- d-----w- c:\program files\NCH Software
2010-04-07 19:03 . 2010-04-07 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\575d0
2010-04-07 14:33 . 2010-04-07 14:33 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGGQCTMIAWD
2010-03-24 03:51 . 2009-02-28 03:10 164 -c--a-w- c:\windows\install.dat
2010-03-10 06:15 . 2005-08-16 10:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 01:29 . 2010-03-09 01:29 50354 ----a-w- c:\documents and settings\Pop\Application Data\Facebook\uninstall.exe
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Pop\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Pop\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-12-15 05:41 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-05-30 15:46 . 2009-03-05 01:32 56 --sh--r- c:\windows\system32\8E5818C53D.sys
2009-05-30 15:46 . 2009-03-05 01:32 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 22:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-02-14 18:00 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2010-02-10 18784440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-15 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\Nessa\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-3-10 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEf
r.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0S
siEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58146:TCP"= 58146:TCP:Pando Media Booster
"58146:UDP"= 58146:UDP:Pando Media Booster
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/13/2009 6:09 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2/27/2009 10:13 PM 1201640]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [12/21/2008 7:06 PM 28672]
S3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [12/25/2008 9:24 AM 3072]
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-05-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 22:50]

2010-05-19 c:\windows\Tasks\wrSpySweeper_L64A37F490B7B4CFCA79C9AE4ADD1D4E2.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-02-28 20:19]

2010-05-19 c:\windows\Tasks\wrSpySweeper_L64A37F490B7B4CFCA79C9AE4ADD1D4E2.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-02-28 20:19]

2010-05-17 c:\windows\Tasks\wrSpySweeper_LBD7ACB33B9E14D67BC24635F20BA724E.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-02-28 20:19]

2010-05-17 c:\windows\Tasks\wrSpySweeper_LBD7ACB33B9E14D67BC24635F20BA724E.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-02-28 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Pop\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game06.zylom.com/activex/zylomgamesplayer.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{ad6a11e7-2a5a-4c3b-a070-d97e72d85a35} - dedufaro.dll
HKU-Default-Run-Security Guard - c:\documents and settings\All Users\Application Data\575d0\SGd1f.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-23 14:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d0,73,1e,53,1e,32,92,47,b1,9c,7a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d0,73,1e,53,1e,32,92,47,b1,9c,7a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3872)
c:\windows\system32\WININET.dll
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Webroot\Spy Sweeper\SSU.EXE
.
**************************************************************************
.
Completion time: 2010-05-23 14:43:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-23 19:43
ComboFix2.txt 2009-08-10 04:28

Pre-Run: 26,166,034,432 bytes free
Post-Run: 28,195,274,752 bytes free

- - End Of File - - 382234A36DC8F67D1AA54BA991496AE1


#6 Farbar
    Just Curious

  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:18 AM

Posted 23 May 2010 - 03:11 PM

ComboFix took care of the rootkit and many others.
  1. Optional recommendation: I see in the log that Ask Toolbar is installed on your computer.

    This program is known to be bundled with adware/spyware. You may read more about Ask Toolbars here:
    http://www.benedelman.org/spyware/ask-toolbars/

    To uninstall Ask Toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of installed programs will be populated; this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Ask Toolbar or Vuze toolbar

    Also remove the following folders (if present), but only after uninstalling Ask Toolbar:
    C:\Program Files\AskBar
    c:\program files\askbardis


  2. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    SecCenter::
    AV: Security Guard *On-access scanning enabled* (Outdated) {D9F5A7E5-9344-4D97-8591-D5AF33FEBC90}
    FW: Security Guard *enabled* {C09EA8D4-9F04-4946-9E14-9B8B0E724F6F}
    Folder::
    c:\documents and settings\All Users\Application Data\575d0
    c:\documents and settings\Pop\Local Settings\Application Data\juiedycoh
    Reglock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    DirLook::
    c:\windows\tasks
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:0
    "FirewallOverride"=dword:0
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:1
    "DisableNotifications"=dword:0


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript.txt onto ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

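The CFScript above targets one specific tampering pattern. The rogue "Security Guard" registered itself with Windows Security Center as both an AV and a firewall product (the SecCenter:: lines remove that registration), and the earlier log shows AntiVirusOverride and FirewallOverride set to 1 under the security center key while the standard-profile firewall policy has EnableFirewall=0 and DisableNotifications=1, so Security Center ignores the real product and the Windows Firewall is switched off and silenced. The Python script below is an added example written for this page; it is not ComboFix's code or anything Farbar posted. It parses the REGEDIT4-style fragment ComboFix prints, flags those four values, and splits the BootExecute multi-string so the repeated SsiEfr.exe entries stand out against the default single "autocheck autochk *" entry. The sample dump inside it is constructed from this thread's log, and the key-suffix matching and the baseline BootExecute set are my own assumptions.

```python
"""Audit a ComboFix/DDS-style registry dump for Security Center and firewall
tampering plus a bloated BootExecute value.  Example code for this thread,
not part of ComboFix; the sample below is constructed from the posted log."""
import re
from typing import Dict, List

# Constructed sample: the relevant fragments of the first ComboFix log in this
# thread, taken before the CFScript was run.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe
"""

# Key suffixes (assumption: matched case-insensitively on the end of the path,
# so the AuthorizedApplications\List subkey is not mistaken for the profile).
SECURITY_CENTER = "security center"
FIREWALL_PROFILE = "firewallpolicy\\standardprofile"
SESSION_MANAGER = "control\\session manager"
# A clean XP/Vista/7 install has exactly this one BootExecute entry.
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_QUOTED_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
_MULTISZ_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")


def parse_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Map each registry key (lower-cased path) to its name -> raw value pairs."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        value = _QUOTED_RE.match(line) or _MULTISZ_RE.match(line)
        if value:
            sections[current][value.group(1)] = value.group(2).strip()
    return sections


def parse_dword(raw: str) -> int:
    """Accept both 'dword:00000001' and ComboFix's '1 (0x1)' renderings."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return int(raw.split()[0], 0)


def boot_execute_entries(raw: str) -> List[str]:
    """Split the rendered multi-string on its literal backslash-zero separators."""
    return [entry for entry in raw.split("\\0") if entry]


def audit(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per tampered value; an empty list means nothing seen."""
    findings: List[str] = []
    for key, values in sections.items():
        if key.endswith(SECURITY_CENTER):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if parse_dword(values.get(name, "dword:0")) == 1:
                    findings.append(f"{name}=1: Security Center told to ignore the real product")
        elif key.endswith(FIREWALL_PROFILE):
            if parse_dword(values.get("EnableFirewall", "dword:1")) == 0:
                findings.append("EnableFirewall=0: Windows Firewall disabled on the standard profile")
            if parse_dword(values.get("DisableNotifications", "dword:0")) == 1:
                findings.append("DisableNotifications=1: firewall warnings suppressed")
        elif key.endswith(SESSION_MANAGER) and "BootExecute" in values:
            entries = boot_execute_entries(values["BootExecute"])
            unexpected = sorted(set(entries) - DEFAULT_BOOTEXECUTE)
            if unexpected:
                findings.append(
                    f"BootExecute: {len(entries)} entries, non-default: {', '.join(unexpected)}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)):
        print(finding)
```

Run against a full ComboFix.txt the script only looks at the three keys above, so everything else in the log (the AuthorizedApplications list, the scheduled tasks, the driver list) passes through untouched; the four Registry:: lines in Farbar's CFScript are exactly the values that make the first four findings go away.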

#7 bladekmaster
  • Topic Starter
  • Members
  • 24 posts
  • Local time:01:18 AM

Posted 23 May 2010 - 03:56 PM

ComboFix 10-05-23.03 - Pop 05/23/2010 15:42:50.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.214 [GMT -5:00]
Running from: c:\documents and settings\Pop\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pop\Desktop\CFScript.txt
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\575d0
c:\documents and settings\All Users\Application Data\575d0\SGD.ico
c:\documents and settings\Pop\Local Settings\Application Data\juiedycoh

.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-22 14:31 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-22 14:31 . 2010-05-22 14:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-22 14:31 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-19 02:16 . 2010-05-19 02:16 -------- d-----w- C:\Cache
2010-05-16 19:52 . 2010-05-16 19:53 -------- d-----w- c:\program files\ABBYY FineReader 5.0 Sprint
2010-05-16 19:52 . 2010-05-16 19:52 -------- d-----w- c:\program files\ABBYY FineReader 6.0
2010-05-16 19:52 . 2002-05-14 21:50 11264 ------w- c:\windows\system32\Spool\prtprocs\w32x86\wfxprint2000.dll
2010-05-16 19:51 . 2010-05-16 19:52 -------- d-----w- c:\program files\FaxTools
2010-05-16 19:51 . 2010-05-16 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-05-16 19:46 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-05-16 19:46 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-05-16 19:46 . 2006-07-13 05:45 69632 ----a-w- c:\windows\system32\lxczscin.dll
2010-05-16 19:46 . 2006-07-13 05:17 356352 ----a-w- c:\windows\system32\LXCZUTIL.DLL
2010-05-16 19:46 . 2006-01-12 04:32 983107 ----a-w- c:\windows\system32\LXCZGF.DLL
2010-05-16 19:46 . 2006-07-13 05:45 57344 ----a-w- c:\windows\system32\lxczcinf.dll
2010-05-16 19:46 . 2006-07-13 05:45 49152 ----a-w- c:\windows\system32\lxczcoin.dll
2010-05-16 19:45 . 2006-07-13 05:22 458752 ----a-w- c:\windows\system32\LXCZJSWR.DLL
2010-05-16 19:45 . 2010-05-16 19:47 -------- d-----w- c:\program files\Lexmark 1200 Series
2010-05-16 19:43 . 1997-04-09 01:08 299520 ----a-w- c:\windows\uninst.exe
2010-05-12 22:12 . 2010-05-13 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-05-12 22:11 . 2010-05-12 22:11 -------- d-----w- c:\documents and settings\Pop\Application Data\Sibelius Software
2010-05-12 22:09 . 2010-05-12 22:10 -------- d-----w- c:\program files\Musicnotes
2010-05-09 03:57 . 2010-05-13 00:37 -------- d-----w- c:\program files\Runes of Magic
2010-05-08 23:26 . 2010-05-08 23:26 -------- d-----w- c:\documents and settings\Pop\Application Data\FOG Downloader
2010-05-08 22:48 . 2010-05-08 22:48 0 ----a-w- c:\documents and settings\Pop\jagex__preferences3.dat
2010-05-08 22:48 . 2010-05-08 22:51 75 ----a-w- c:\documents and settings\Pop\jagex_runescape_preferences2.dat
2010-05-08 22:47 . 2010-05-08 22:49 41 ----a-w- c:\documents and settings\Pop\jagex_runescape_preferences.dat
2010-05-08 22:46 . 2010-05-08 22:46 -------- d-----w- c:\windows\.jagex_cache_32
2010-05-07 21:57 . 2010-05-07 21:57 -------- d-----w- c:\program files\Buena Vista Interactive
2010-05-07 02:09 . 2010-05-07 21:59 313 ----a-w- c:\windows\EReg515.dat
2010-04-25 04:15 . 2010-04-25 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2010-04-24 23:21 . 2010-04-24 23:21 -------- d-----w- c:\documents and settings\Pop\Local Settings\Application Data\Blizzard Entertainment
2010-04-24 23:17 . 2010-05-10 12:27 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 18:00 . 2009-04-06 22:14 -------- d-----w- c:\documents and settings\Nessa\Application Data\LimeWire
2010-05-22 17:00 . 2009-04-07 01:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-18 11:07 . 2009-03-10 23:21 -------- d-----w- c:\documents and settings\Pop\Application Data\LimeWire
2010-05-16 19:51 . 2005-12-15 06:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-14 10:29 . 2009-03-03 21:49 5822 ----a-w- c:\documents and settings\Pop\Application Data\wklnhst.dat
2010-05-13 11:54 . 2009-03-06 01:46 87848 -c--a-w- c:\documents and settings\Nessa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-13 04:26 . 2010-04-02 18:57 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-12 22:15 . 2009-03-03 01:31 58548 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-05-12 22:12 . 2009-02-28 02:46 87848 -c--a-w- c:\documents and settings\Pop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-08 22:32 . 2010-02-18 22:29 -------- d-----w- c:\program files\UltraISO
2010-05-08 21:54 . 2010-05-08 21:54 0 ----a-w- c:\windows\system32\drivers\SET667.tmp
2010-04-17 21:16 . 2010-04-17 21:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-04-17 21:10 . 2010-04-17 21:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-04-16 00:28 . 2010-04-13 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 21:23 . 2010-04-14 21:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-04-13 21:39 . 2010-04-13 21:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-09 02:28 . 2010-04-09 02:28 -------- d-----w- c:\documents and settings\Pop\Application Data\ooVoo Details
2010-04-09 02:28 . 2010-04-09 02:27 -------- d-----w- c:\program files\ooVoo
2010-04-09 02:07 . 2009-08-26 05:21 -------- d-----w- c:\program files\Yahoo!
2010-04-09 02:06 . 2010-02-22 00:42 -------- d-----w- c:\program files\WinSCP3
2010-04-09 02:02 . 2009-06-25 05:12 -------- d-----w- c:\program files\TuneUp Utilities 2009
2010-04-09 01:58 . 2010-01-18 01:59 -------- d-----w- c:\program files\NCH Software
2010-04-07 14:33 . 2010-04-07 14:33 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGGQCTMIAWD
2010-03-24 03:51 . 2009-02-28 03:10 164 -c--a-w- c:\windows\install.dat
2010-03-10 06:15 . 2005-08-16 10:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 01:29 . 2010-03-09 01:29 50354 ----a-w- c:\documents and settings\Pop\Application Data\Facebook\uninstall.exe
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Pop\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Pop\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-12-15 05:41 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-05-30 15:46 . 2009-03-05 01:32 56 --sh--r- c:\windows\system32\8E5818C53D.sys
2009-05-30 15:46 . 2009-03-05 01:32 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\tasks ----

2010-03-25 10:25 . 2010-05-19 02:00 1590 ----a-w- c:\windows\tasks\wrSpySweeper_L64A37F490B7B4CFCA79C9AE4ADD1D4E2.job
2009-11-07 22:48 . 2010-05-23 20:01 230 ----a-w- c:\windows\tasks\Scheduled Update for Ask Toolbar.job
2009-03-03 01:29 . 2010-04-02 21:10 284 ----a-w- c:\windows\tasks\AppleSoftwareUpdate.job
2005-08-16 10:49 . 2010-05-23 20:39 6 ---ha-w- c:\windows\tasks\SA.DAT
2005-08-16 10:18 . 2004-08-10 11:00 65 ---h--r- c:\windows\tasks\desktop.ini


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 22:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-02-14 18:00 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2010-02-10 18784440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-15 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\Nessa\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-3-10 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEf
r.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0S
siEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58146:TCP"= 58146:TCP:Pando Media Booster
"58146:UDP"= 58146:UDP:Pando Media Booster
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/13/2009 6:09 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2/27/2009 10:13 PM 1201640]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [12/21/2008 7:06 PM 28672]
S3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [12/25/2008 9:24 AM 3072]
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-05-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 22:50]

2010-05-19 c:\windows\Tasks\wrSpySweeper_L64A37F490B7B4CFCA79C9AE4ADD1D4E2.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-02-28 20:19]

2010-05-19 c:\windows\Tasks\wrSpySweeper_L64A37F490B7B4CFCA79C9AE4ADD1D4E2.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-02-28 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Pop\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game06.zylom.com/activex/zylomgamesplayer.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-05-23 15:53:19
ComboFix-quarantined-files.txt 2010-05-23 20:53
ComboFix2.txt 2010-05-23 19:43
ComboFix3.txt 2009-08-10 04:28

Pre-Run: 28,202,029,056 bytes free
Post-Run: 28,184,748,032 bytes free

- - End Of File - - 0BDE950044E46D9AD14D5CE05A486282


#8 Farbar
    Just Curious

  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:18 AM

Posted 23 May 2010 - 04:04 PM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. As the name suggests, these programs allow users to share files with one another. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. You may want to keep this small application and use it to keep the computer clean.
    Download CCleaner from here: http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it; to do that, under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  4. At last, tell me how your computer is running now.
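Step 1 above asks the user to find every installed Java Runtime Environment in Add/Remove Programs and remove anything older than 6 Update 20. The following Python script is an added example (not from the thread, and not a Malwarebytes or Sun tool) that automates that inventory from a defender's side: it parses the display names Add/Remove Programs shows, returns the (major, update) version for each JRE entry, and flags those below the required baseline. The display-name patterns are the ones Sun's installers of that era used ("Java(TM) 6 Update 20", "J2SE Runtime Environment 5.0 Update 6"); other naming variants, and the sample names in `SAMPLE_NAMES`, are constructed assumptions. On Windows the script reads real entries from the Uninstall registry key that Add/Remove Programs is built from; elsewhere it falls back to the constructed sample so it still runs.

```python
"""Inventory installed Java Runtime Environments and flag outdated ones.

Added example for this thread; not part of the original post. Baseline is
JRE 6 Update 20, the version the removal instructions ask for.
"""
import re
import sys
from typing import Iterable, List, Optional, Tuple

# Minimum acceptable (major, update) pair: JRE 6 Update 20.
REQUIRED = (6, 20)

# Display names as Sun's installers wrote them into Add/Remove Programs.
# These patterns are an assumption and may not cover every installer variant.
_JAVA6_RE = re.compile(
    r"^Java\(TM\)\s+(?:SE\s+Runtime\s+Environment\s+)?(\d+)(?:\s+Update\s+(\d+))?$", re.I)
_J2SE_RE = re.compile(
    r"^J2SE\s+Runtime\s+Environment\s+(\d+)\.(\d+)(?:\s+Update\s+(\d+))?$", re.I)

# Constructed sample of Add/Remove Programs entries, used when not on Windows.
SAMPLE_NAMES = [
    "Java(TM) 6 Update 20",
    "Java(TM) 6 Update 7",
    "J2SE Runtime Environment 5.0 Update 6",
    "Malwarebytes' Anti-Malware",
    "Java(TM) SE Runtime Environment 6 Update 1",
]


def parse_java_version(display_name: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a JRE display name, or None if it is not a JRE."""
    name = display_name.strip()
    m = _JAVA6_RE.match(name)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _J2SE_RE.match(name)
    if m:
        # "5.0" is Java 5; the minor digit carries no update information.
        return int(m.group(1)), int(m.group(3) or 0)
    return None


def is_outdated(version: Tuple[int, int], required: Tuple[int, int] = REQUIRED) -> bool:
    """Tuple comparison: (5, 6) < (6, 20) and (6, 7) < (6, 20), but (6, 20) is fine."""
    return version < required


def audit(display_names: Iterable[str],
          required: Tuple[int, int] = REQUIRED) -> List[Tuple[str, Tuple[int, int], bool]]:
    """Return (name, version, outdated) for every JRE entry; non-Java entries are skipped."""
    results = []
    for name in display_names:
        version = parse_java_version(name)
        if version is None:
            continue
        results.append((name, version, is_outdated(version, required)))
    return results


def installed_display_names() -> List[str]:
    """Read DisplayName values from the Uninstall key Add/Remove Programs lists.

    Returns an empty list on non-Windows platforms.
    """
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows

    names: List[str] = []
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
    except OSError:
        return names
    with key:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(key, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(key, sub) as subkey:
                    value, _ = winreg.QueryValueEx(subkey, "DisplayName")
                    names.append(str(value))
            except OSError:
                continue  # entry without a DisplayName
    return names


if __name__ == "__main__":
    entries = installed_display_names() or SAMPLE_NAMES
    for name, (major, update), outdated in audit(entries):
        status = "REMOVE (older than 6u%d)" % REQUIRED[1] if outdated else "ok"
        print("%-45s %d Update %-3d %s" % (name, major, update, status))
```

Run it with no arguments; on the constructed sample it reports three entries to remove and one that meets the baseline, which is exactly the decision the user has to make by hand in Add/Remove Programs.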


#9 bladekmaster

  • Topic Starter

  • Members
  • 24 posts

Posted 23 May 2010 - 05:15 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4134

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/23/2010 5:14:41 PM
mbam-log-2010-05-23 (17-14-41).txt

Scan type: Quick scan
Objects scanned: 138696
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


My computer is running fine now. =) Thank yoooouuuu

#10 Farbar


    Just Curious


  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 May 2010 - 05:30 PM

You are welcome.

It looks good.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste the next command in the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. Also remove any tool or log we used from your computer.

Happy Surfing.

#11 Farbar


    Just Curious


  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 May 2010 - 05:53 AM


This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



