Browser re-direct


  • This topic is locked
16 replies to this topic

#1 Randalltex

Randalltex

  • Members
  • 12 posts

Posted 19 June 2010 - 10:12 AM

My Browser (Firefox) keeps redirecting me and/or opening irrelevant web pages.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-19 11:09:37
Windows 5.1.2600 Service Pack 3
Running: zml5lqu5.exe; Driver: C:\DOCUME~1\Randy\LOCALS~1\Temp\fwrcipob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F08 805047A4 4 Bytes CALL D2F4EE9A
.text ntkrnlpa.exe!ZwCallbackReturn + 2F18 805047B4 4 Bytes CALL E158EEAA
.text ntkrnlpa.exe!ZwCallbackReturn + 2FAC 80504848 4 Bytes CALL 4144EF3E
.text ntkrnlpa.exe!ZwCallbackReturn + 2FC4 80504860 4 Bytes JMP C8E4EF56
.text ntkrnlpa.exe!ZwCallbackReturn + 2FCC 80504868 4 Bytes JMP F4F0EF5E
.text ...
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6C44000, 0x1B85E6, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[892] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\explorer.exe[892] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1624] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F2000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2408] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0125000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2408] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0126000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2408] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0124000C

---- EOF - GMER 1.0.15 ----

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
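As an added defender's example (not part of the original post and not GMER's own code), the script below parses the "User code sections" lines of a GMER log like the one above and flags the two signs of process-wide injection visible in it: JMP targets that land in low private pages rather than in a loaded module, and the same ntdll functions hooked in every listed process. The 0x10000000 threshold and the notepad.exe line are constructed assumptions used for contrast, not taken from the log.

```python
import re
from collections import defaultdict

# One GMER 1.0.15 "User code sections" line looks like:
# .text C:\WINDOWS\explorer.exe[892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})\s*$"
)

# Heuristic thresholds (assumptions for 32-bit Windows XP, not GMER settings):
# DLLs are normally mapped at or above 0x10000000, so a hook whose target is
# below that and sits at the very start of a page is most likely a trampoline
# in a private (VirtualAlloc'd) page, which is how injected code hooks ntdll.
LOWEST_NORMAL_DLL_BASE = 0x10000000
PAGE_OFFSET_LIMIT = 0x100

# Sample input: the user-mode hook lines from the log posted above, plus one
# constructed line (notepad.exe, target inside a DLL range) as a benign contrast.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[892] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\explorer.exe[892] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1624] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F2000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2408] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0125000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2408] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0126000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2408] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0124000C
.text C:\WINDOWS\notepad.exe[3000] user32.dll!MessageBoxW 7E4507EA 5 Bytes JMP 10001234

---- EOF - GMER 1.0.15 ----
"""


def parse_hooks(log_text):
    """Return one dict per recognised user-mode hook line; other lines are skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headers, kernel lines, EOF marker, blanks
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["addr"] = int(h["addr"], 16)
        h["target"] = int(h["target"], 16)
        hooks.append(h)
    return hooks


def target_in_private_page(target):
    """True when a JMP/CALL target looks like a trampoline in a private page."""
    return target < LOWEST_NORMAL_DLL_BASE and (target & 0xFFF) < PAGE_OFFSET_LIMIT


def triage(log_text):
    """Group hooks by process and report both injection signatures."""
    hooks = parse_hooks(log_text)
    private = [h for h in hooks if target_in_private_page(h["target"])]
    # "module!function" -> set of PIDs in which that export is hooked
    by_func = defaultdict(set)
    for h in hooks:
        by_func[f'{h["module"]}!{h["func"]}'].add(h["pid"])
    # The same export hooked in two or more unrelated processes points at a
    # system-wide injector rather than a per-application shim.
    shared = {f: sorted(p) for f, p in by_func.items() if len(p) >= 2}
    return {"hooks": hooks, "private_page_hooks": private, "shared_hooks": shared}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["private_page_hooks"]:
        print(f'[private page] pid {h["pid"]:>5} {h["module"]}!{h["func"]} -> {h["target"]:08X}')
    for func, pids in sorted(result["shared_hooks"].items()):
        print(f"[shared hook]  {func} hooked in pids {pids}")
```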



#2 Randalltex

Randalltex
  • Topic Starter

  • Members
  • 12 posts

Posted 19 June 2010 - 11:12 AM

Point taken. All I did was run a scan, and unless there's any unforeseen automatic action taken by the program I didn't see any harm in doing so. To quote my problem again: "My Browser (Firefox) keeps redirecting me and/or opening irrelevant web pages". Is there more you need to know?

#3 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 19 June 2010 - 11:40 PM

Hello Randalltex and welcome to BleepingComputer.

Let's see if we can nail this thing.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe. This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

~Blade


In your next reply, please include the following:
Malwarebytes log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#4 Randalltex

Randalltex
  • Topic Starter

  • Members
  • 12 posts

Posted 21 June 2010 - 05:28 AM

Thanks for your help. Here's my log file.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4219

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/21/2010 6:25:08 AM
mbam-log-2010-06-21 (06-25-08).txt

Scan type: Quick scan
Objects scanned: 154185
Time elapsed: 9 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nmklo.dll (Worm.Mariofev) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appiuat_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\LocalService (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nmklo.dll (Spyware.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\cooper.mine (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\329.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\330.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\331.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\332.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\333.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\334.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\335.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\336.music4.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GroupPolicy000.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h7t.wt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgtd.ruy (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Laurie\Local Settings\Application Data\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


#5 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 21 June 2010 - 03:49 PM

Hello.

Please reboot the computer, then perform another Malwarebytes scan, just as you did before. We need to make sure everything stayed gone.

If the scan detects anything, please post the log for my review. If it doesn't, no need to post the log, just let me know it was clean.

~Blade


In your next reply, please include the following:
Malwarebytes log (if malware detected)
How is the computer running now?



#6 Randalltex

Randalltex
  • Topic Starter

  • Members
  • 12 posts

Posted 21 June 2010 - 09:23 PM

It was clean, but still opening up or redirecting my browser, less frequently than before my original scan. In the log file MBAM says my browser is IE. Although I have IE, Firefox is my default, and I only use IE for system updates and MS "friendly" websites.

#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 22 June 2010 - 12:05 AM

Hmm. . . okay. . . seems we didn't get everything.

Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, log in under the account that you normally use; do NOT log in under the account titled "Admin" or "Administrator" unless this account is the one used normally.

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

~Blade


In your next reply, please include the following:
SUPERAntiSpyware Log



#8 Randalltex

Randalltex
  • Topic Starter

  • Members
  • 12 posts

Posted 23 June 2010 - 05:20 AM

These issues were successfully fixed according to SAS. I have had 1 redirect since. It seems I need to find the recurring source of this infection. I am going to run another scan now but I am off to work for 8 hrs. I will repost results later.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/22/2010 at 07:38 PM

Application Version : 4.39.1002

Core Rules Database Version : 5106
Trace Rules Database Version: 2918

Scan type : Complete Scan
Total Scan Time : 02:06:31

Memory items scanned : 275
Memory threats detected : 0
Registry items scanned : 6976
Registry threats detected : 9
File items scanned : 166236
File threats detected : 168

Trojan.DNSChanger-Codec
HKLM\Software\1
HKLM\Software\1#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\1#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\1#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\9
HKLM\Software\9#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\9#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\9#31C2E1E4D78E6A11B88DFA803456A1FFA5

Malware.Trace
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL



#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 25 June 2010 - 11:21 PM

Hello.

Sorry for the delay.

I'm shifting this topic to the specialized malware forum for advanced removal routines.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade


In your next reply, please include the following:
DDS.txt
Attach.txt



#10 Randalltex

Randalltex
  • Topic Starter

  • Members
  • 12 posts

Posted 11 July 2010 - 09:40 AM

Sorry for the delay. I was called out of Province for work. Your help is appreciated Blade. Here are the requested DDS log files.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Randy at 10:28:28.00 on Sun 07/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.122 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Tools Firewall Plus\FWService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Randy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = hxxp://hosting.conduit.com/Uninstall?toolbarid=&version=4.5.190.19
uInternet Settings,ProxyOverride = 127.0.0.1
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIOb1.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OneRiot IE Statusbar BHO: {f28d74ec-b064-4402-926d-e00687233421} - c:\program files\oneriot\browser add-ons\IEStatusbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File
TB: {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
TB: Toolbar Powered by OneRiot: {9516eb1c-ac77-492d-8fd6-a05afac9ea6e} - c:\program files\oneriot\browser add-ons\IEToolbar.dll
TB: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIOb1.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: microsoft.com\www.update
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228866841859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\WINDOW scecli

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-28 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-28 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-28 242896]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-6-18 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-28 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-28 308064]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-6-18 88040]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2010-6-18 818432]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-6-18 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2010-6-18 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-6-18 115216]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-28 430152]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2010-6-17 3567]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]
S3 RDID1076;BOSS GT-10;c:\windows\system32\drivers\Rdwm1076.sys [2010-1-13 173297]
S4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2010-5-22 112592]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

=============== Created Last 30 ================

2010-07-09 12:32:55 0 d--h--w- C:\$AVG
2010-07-09 11:35:01 0 d-----w- c:\program files\OneRiot
2010-07-09 10:36:48 0 dc-h--w- c:\windows\ie8
2010-06-30 23:40:27 1015 ----a-r- C:\logFile.xsl
2010-06-30 23:39:19 0 d-----w- c:\program files\3ivx
2010-06-30 23:39:01 0 d-----w- c:\program files\Flip Video
2010-06-30 23:39:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Flip Video
2010-06-28 10:44:04 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-28 10:44:03 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-28 10:43:54 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-28 10:43:46 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-28 10:41:27 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-06-28 10:41:04 0 d-----w- c:\program files\AVG
2010-06-28 10:41:02 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-06-24 09:44:46 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-23 00:36:42 0 d-----w- c:\program files\Secunia
2010-06-22 21:20:33 0 d-----w- c:\docume~1\randy\applic~1\SUPERAntiSpyware.com
2010-06-22 21:20:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-22 21:20:23 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-21 20:52:52 0 d-----w- c:\program files\SequoiaView
2010-06-21 10:11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-21 10:11:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-21 10:11:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 14:56:45 62925 ----a-w- C:\BdUninstallTool2010.06.19-10.56.44.reg
2010-06-18 10:32:57 0 d-----w- c:\docume~1\randy\applic~1\PCToolsFirewallPlus
2010-06-18 10:30:32 7435 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.cat
2010-06-18 10:30:32 7399 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.cat
2010-06-18 10:30:32 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-06-18 10:30:32 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-06-18 10:30:32 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-06-18 10:30:30 7383 ----a-w- c:\windows\system32\drivers\pctplfw.cat
2010-06-18 10:30:30 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-06-18 10:30:28 0 d-----w- c:\program files\PC Tools Firewall Plus
2010-06-18 10:26:35 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-06-18 10:26:35 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-18 10:26:32 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-18 10:26:32 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-06-18 10:26:32 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-06-18 10:26:32 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-18 10:26:12 0 d-----w- c:\program files\common files\PC Tools
2010-06-17 12:44:02 0 d-----w- c:\docume~1\randy\applic~1\Safer Networking
2010-06-17 11:11:01 3567 ----a-w- c:\windows\system32\drivers\PortTalk.sys
2010-06-17 11:08:05 0 d-----w- c:\windows\system32\CatRoot2
2010-06-15 16:29:12 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-06-12 13:35:37 0 d-----w- c:\documents and settings\randy\DoctorWeb
2010-06-12 11:32:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader

==================== Find3M ====================

2010-07-09 16:49:40 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 16:29:11 578560 ----a-w- c:\windows\system32\user32.DLL
2010-06-06 12:08:16 249592 ----a-w- c:\windows\system32\cssdll32.dll
2010-06-01 21:55:15 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-28 11:04:52 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-13 22:05:40 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2010-05-10 16:57:20 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-10 16:57:20 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-03 07:09:06 5077718 ----a-w- c:\program files\tfbl.db4
2010-04-03 07:08:56 576796 ----a-w- c:\program files\tfwl.db5
2010-04-03 07:08:45 65133 ----a-w- c:\program files\Statistics.xml
2010-04-03 07:08:45 4284 ----a-w- c:\program files\Blogs.htm
2009-10-07 00:15:57 198184 ----a-w- c:\program files\Contig.exe
2002-06-04 09:06:04 65536 ----a-w- c:\windows\inf\copyinf.exe
2010-02-17 23:13:29 88 --sh--r- c:\windows\system32\3097360295.sys
2009-10-09 18:07:56 14601248 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-09 18:07:56 568608 --sha-w- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 10:30:05.06 ===============
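As an added example (it is not part of this thread and not code from the DDS or ComboFix authors): a small Python triage helper that parses the two file-listing formats seen in this thread (the DDS `date time size attrs path` lines above and the ComboFix `created . modified size attrs path` lines) and prints review hints. The attribute-string positions and the three review rules are assumptions made for this example, read off the entries in the posted logs; a hit means "look closer", not "malware", since legitimate products also ship hidden system files.

```python
r"""Triage helper for the file listings in DDS and ComboFix logs.

Two line shapes are handled, both taken from the logs posted in this thread:

  DDS      : 2010-02-17 23:13:29 88 --sh--r- c:\windows\system32\3097360295.sys
  ComboFix : 2010-07-12 10:50 . 2010-07-12 10:50 -------- d-----w- c:\program files\en

The attribute string is read off the entries that appear in the posted logs
(d-----w-, --sha-w-, --sh--r-, -c--a-w-, dc-h--w-): position 0 is d for a
directory, 1 is c for compressed, 2 is s for system, 3 is h for hidden,
4 is a for archive and 6 is w (writable) or r (read-only).  Positions 5 and 7
are always '-' in these logs and are not interpreted (assumption).
"""
import re
from dataclasses import dataclass

DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"(?P<size>\d+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$")
CF_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$")

# Review reasons.  These are heuristics chosen for this example, not
# anything the logging tools themselves flag; legitimate software also
# ships hidden system files, so a hit means "look closer", not "malware".
R_SYS_HIDDEN = "system+hidden file under c:\\windows"
R_NUMERIC = "numeric-only file name with executable or driver extension"
R_SYS_OUTSIDE = ".sys file outside the drivers folder"


@dataclass
class Entry:
    date: str
    size: int      # 0 when the log shows '--------' (directories)
    attrs: str
    path: str

    @property
    def directory(self):
        return self.attrs[0] == "d"

    @property
    def system(self):
        return self.attrs[2] == "s"

    @property
    def hidden(self):
        return self.attrs[3] == "h"

    @property
    def readonly(self):
        return self.attrs[6] == "r"


def parse_line(line):
    """Return an Entry for a DDS or ComboFix file line, None for anything else."""
    m = DDS_RE.match(line.strip()) or CF_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return Entry(m.group("date"), int(size) if size.isdigit() else 0,
                 m.group("attrs"), m.group("path"))


def flag(entry):
    """Return the list of review reasons for one entry (empty = nothing odd)."""
    p = entry.path.lower()
    name = p.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    reasons = []
    if p.startswith("c:\\windows") and not entry.directory:
        if entry.system and entry.hidden:
            reasons.append(R_SYS_HIDDEN)
        if ext == "sys" and "\\drivers\\" not in p:
            reasons.append(R_SYS_OUTSIDE)
    if stem.isdigit() and ext in ("sys", "dll", "exe"):
        reasons.append(R_NUMERIC)
    return reasons


def triage(log_text):
    """Parse every line of a log and return [(path, reasons)] for flagged files."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag(entry)
        if reasons:
            hits.append((entry.path, reasons))
    return hits


# Constructed sample: lines copied from the DDS and ComboFix logs in this
# thread plus one section header, to show that non-file lines are skipped.
SAMPLE_LOG = r"""
==================== Find3M ====================
2010-06-15 16:29:11 578560 ----a-w- c:\windows\system32\user32.DLL
2010-06-01 21:55:15 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-17 23:13:29 88 --sh--r- c:\windows\system32\3097360295.sys
2009-10-09 18:07:56 14601248 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-12 10:50 . 2010-07-12 10:50 -------- d-----w- c:\program files\stock_images
2010-06-16 14:57 . 2010-06-16 14:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-28 10:43 . 2010-06-28 17:15 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it against a saved log (`python triage.py` with `SAMPLE_LOG` swapped for `open("ComboFix.txt").read()`) and check each hit by hand; a tiny `.sys` file with a numeric name sitting in `system32` rather than `system32\drivers` is the kind of entry a helper will ask about, but the script deliberately stops at "review this", not at a verdict.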


#11 Blade

  • Site Admin
  • 12,704 posts

Posted 11 July 2010 - 04:44 PM

Hello

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#12 Randalltex

  • Topic Starter
  • Members
  • 12 posts

Posted 12 July 2010 - 07:07 AM

Here is my ComboFix log.

ComboFix 10-07-11.03 - Randy 07/12/2010 7:12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.123 [GMT -4:00]
Running from: c:\documents and settings\Randy\Desktop\renamed.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\3ff2f11a.default\extensions\{0300a406-b06e-44ad-80fa-9c91273793d3}
c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\3ff2f11a.default\extensions\{0300a406-b06e-44ad-80fa-9c91273793d3}\chrome.manifest
c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\3ff2f11a.default\extensions\{0300a406-b06e-44ad-80fa-9c91273793d3}\chrome\xulcache.jar
c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\3ff2f11a.default\extensions\{0300a406-b06e-44ad-80fa-9c91273793d3}\defaults\preferences\xulcache.js
c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\3ff2f11a.default\extensions\{0300a406-b06e-44ad-80fa-9c91273793d3}\install.rdf
c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\uynkev9e.default\extensions\{0300a406-b06e-44ad-80fa-9c91273793d3}
c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\uynkev9e.default\extensions\{0300a406-b06e-44ad-80fa-9c91273793d3}\chrome.manifest
c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\uynkev9e.default\extensions\{0300a406-b06e-44ad-80fa-9c91273793d3}\chrome\xulcache.jar
c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\uynkev9e.default\extensions\{0300a406-b06e-44ad-80fa-9c91273793d3}\defaults\preferences\xulcache.js
c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\uynkev9e.default\extensions\{0300a406-b06e-44ad-80fa-9c91273793d3}\install.rdf
c:\documents and settings\Randy\System
c:\documents and settings\Randy\System\win_qs8.jqx
c:\windows\system32\logs

Infected copy of c:\windows\system32\drivers\symc8xx.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
.

2010-07-12 10:50 . 2010-07-12 10:50 -------- d-----w- c:\program files\stock_images
2010-07-12 10:50 . 2010-07-12 10:50 -------- d-----w- c:\program files\en
2010-07-09 12:32 . 2010-07-09 12:32 -------- d-----w- C:\$AVG
2010-07-09 11:35 . 2010-07-09 11:35 -------- d-----w- c:\program files\OneRiot
2010-07-09 10:36 . 2010-07-09 10:37 -------- dc-h--w- c:\windows\ie8
2010-06-30 23:39 . 2010-06-30 23:39 -------- d-----w- c:\program files\3ivx
2010-06-30 23:39 . 2010-06-30 23:39 -------- d-----w- c:\program files\Flip Video
2010-06-30 23:39 . 2010-06-30 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-06-28 23:31 . 2010-06-28 23:31 -------- d-----w- c:\documents and settings\Randy\Local Settings\Application Data\AVG Security Toolbar
2010-06-28 10:44 . 2010-06-28 10:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-28 10:44 . 2010-06-28 17:16 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-28 10:43 . 2010-06-28 10:43 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-28 10:43 . 2010-06-28 17:15 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-28 10:43 . 2010-07-11 22:26 -------- d-----w- c:\windows\system32\drivers\Avg
2010-06-28 10:41 . 2010-07-02 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-06-28 10:41 . 2010-06-28 10:41 -------- d-----w- c:\program files\AVG
2010-06-28 10:41 . 2010-06-28 10:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-25 10:31 . 2010-06-25 10:31 -------- d-----w- c:\documents and settings\Laurie\Application Data\SUPERAntiSpyware.com
2010-06-24 09:44 . 2010-06-24 09:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-24 09:41 . 2010-06-24 09:41 -------- d-----w- c:\program files\QuickTime
2010-06-24 09:41 . 2010-06-24 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-23 00:36 . 2010-06-23 00:36 -------- d-----w- c:\program files\Secunia
2010-06-22 21:20 . 2010-06-22 21:20 -------- d-----w- c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com
2010-06-22 21:20 . 2010-06-22 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-22 21:20 . 2010-07-10 12:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-21 20:52 . 2010-06-21 20:52 -------- d-----w- c:\program files\SequoiaView
2010-06-21 10:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-21 10:11 . 2010-06-21 10:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-21 10:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-19 14:56 . 2010-06-19 14:59 62925 ----a-w- C:\BdUninstallTool2010.06.19-10.56.44.reg
2010-06-18 10:32 . 2010-06-18 10:33 -------- d-----w- c:\documents and settings\Randy\Application Data\PCToolsFirewallPlus
2010-06-18 10:30 . 2010-01-12 13:34 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-06-18 10:30 . 2010-01-07 15:35 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-06-18 10:30 . 2010-01-07 15:35 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-06-18 10:30 . 2010-01-13 12:59 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-06-18 10:30 . 2010-06-18 10:33 -------- d-----w- c:\program files\PC Tools Firewall Plus
2010-06-18 10:26 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-18 10:26 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-18 10:26 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-18 10:26 . 2010-06-18 10:30 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 12:44 . 2010-06-17 12:44 -------- d-----w- c:\documents and settings\Randy\Application Data\Safer Networking
2010-06-17 11:11 . 2002-01-12 21:30 3567 ----a-w- c:\windows\system32\drivers\PortTalk.sys
2010-06-17 11:08 . 2010-07-12 11:12 -------- d-----w- c:\windows\system32\CatRoot2
2010-06-16 14:57 . 2010-06-16 14:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-15 16:29 . 2010-07-12 11:21 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-06-12 13:35 . 2010-06-12 14:56 -------- d-----w- c:\documents and settings\Randy\DoctorWeb
2010-06-12 11:32 . 2010-06-14 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 11:28 . 2009-09-04 15:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-12 11:21 . 2008-12-09 02:56 578560 ----a-w- c:\windows\system32\user32.dll
2010-07-12 10:47 . 2010-06-01 19:32 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-11 23:58 . 2008-12-11 21:17 0 -c--a-w- c:\documents and settings\Joshua\Local Settings\Application Data\prvlcl.dat
2010-07-11 23:58 . 2008-12-09 19:43 0 -c--a-w- c:\documents and settings\Laurie\Local Settings\Application Data\prvlcl.dat
2010-07-11 13:18 . 2008-12-09 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-27 06:12 . 2010-03-20 13:57 -------- d-----w- c:\program files\CCleaner
2010-06-27 03:19 . 2010-04-17 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-25 10:34 . 2010-06-25 10:34 61440 ----a-w- c:\documents and settings\Laurie\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-77792a98-n\decora-sse.dll
2010-06-25 10:34 . 2010-06-25 10:34 503808 ----a-w- c:\documents and settings\Laurie\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215984fa-n\msvcp71.dll
2010-06-25 10:34 . 2010-06-25 10:34 499712 ----a-w- c:\documents and settings\Laurie\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215984fa-n\jmc.dll
2010-06-25 10:34 . 2010-06-25 10:34 12800 ----a-w- c:\documents and settings\Laurie\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-77792a98-n\decora-d3d.dll
2010-06-25 10:34 . 2010-06-25 10:34 348160 ----a-w- c:\documents and settings\Laurie\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215984fa-n\msvcr71.dll
2010-06-25 10:32 . 2010-06-25 10:32 63488 ----a-w- c:\documents and settings\Laurie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-25 10:32 . 2010-06-25 10:32 52224 ----a-w- c:\documents and settings\Laurie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-25 10:32 . 2010-06-25 10:32 117760 ----a-w- c:\documents and settings\Laurie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-25 10:00 . 2010-06-22 21:21 63488 ----a-w- c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-25 10:00 . 2010-06-22 21:21 117760 ----a-w- c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-24 09:58 . 2008-12-11 15:23 -------- d-----w- c:\program files\Common Files\Java
2010-06-24 09:54 . 2010-06-24 09:43 79488 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-24 09:54 . 2010-06-24 09:43 152576 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-06-24 09:45 . 2010-06-24 09:45 503808 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23d416ab-n\msvcp71.dll
2010-06-24 09:45 . 2010-06-24 09:45 499712 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23d416ab-n\jmc.dll
2010-06-24 09:45 . 2010-06-24 09:45 348160 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23d416ab-n\msvcr71.dll
2010-06-24 09:45 . 2010-06-24 09:45 61440 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1d37f502-n\decora-sse.dll
2010-06-24 09:45 . 2010-06-24 09:45 12800 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1d37f502-n\decora-d3d.dll
2010-06-23 00:36 . 2009-01-14 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-22 21:21 . 2010-06-22 21:21 52224 ----a-w- c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-18 10:23 . 2010-06-06 12:07 -------- d-----w- c:\documents and settings\Randy\Application Data\Comodo
2010-06-18 10:23 . 2010-06-06 12:07 -------- d-----w- c:\program files\COMODO
2010-06-15 01:23 . 2009-07-16 03:06 -------- d-----w- c:\program files\DivX
2010-06-12 11:45 . 2010-05-22 10:08 -------- d-----w- c:\program files\PC Tools Security
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\19839\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\19839\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\19839\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\19839\AcrobatUpdater.exe
2010-06-06 14:06 . 2010-06-06 14:06 -------- d-----w- c:\documents and settings\Laurie\Application Data\Comodo
2010-06-06 12:08 . 2010-06-06 12:08 249592 ----a-w- c:\windows\system32\cssdll32.dll
2010-06-05 03:16 . 2009-02-04 11:57 -------- d-----w- c:\documents and settings\Randy\Application Data\Media Player Classic
2010-06-05 03:10 . 2008-12-09 17:00 -------- d-----w- c:\program files\IObit
2010-06-04 23:26 . 2010-06-04 23:26 -------- d-----w- c:\program files\GFI
2010-06-02 20:37 . 2010-05-24 13:18 -------- d-----w- c:\program files\W3i, LLC
2010-06-01 21:55 . 2010-02-17 23:13 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-01 19:32 . 2010-06-01 19:32 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-28 11:04 . 2010-05-28 11:04 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-24 12:46 . 2008-12-09 19:35 69352 -c--a-w- c:\documents and settings\Laurie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-22 09:31 . 2008-12-09 16:19 -------- d-----w- c:\program files\Google
2010-05-22 00:24 . 2010-04-17 02:53 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-22 00:20 . 2009-07-16 03:06 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-22 00:20 . 2010-05-22 00:20 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-05-22 00:19 . 2010-05-21 23:59 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-22 00:18 . 2010-04-17 02:53 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-21 23:59 . 2010-05-21 23:59 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-05-21 23:58 . 2010-05-21 23:58 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-21 23:58 . 2010-05-21 23:58 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-21 23:58 . 2010-05-21 23:58 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-21 23:58 . 2010-05-21 23:58 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-05-18 09:51 . 2008-12-09 04:20 69352 -c--a-w- c:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 11:21 . 2008-12-09 16:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-14 11:11 . 2010-03-27 11:38 -------- d-----w- c:\program files\SkyDownloader
2010-05-14 11:11 . 2009-01-12 13:36 -------- d-----w- c:\program files\Microsoft Works
2010-05-14 11:11 . 2008-12-15 13:30 -------- d-----w- c:\program files\Nero.Burning.Rom.6.0.Ultra.Edition.incl.keygen.&.serial
2010-05-14 11:11 . 2008-12-11 15:23 -------- d-----w- c:\program files\LimeWire
2010-05-14 11:11 . 2008-12-09 19:17 -------- d-----w- c:\program files\Windows Media Connect 2
2010-05-13 22:05 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2010-05-10 16:57 . 2010-05-22 10:11 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-10 16:57 . 2010-05-22 10:11 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-19 14:25 . 2010-07-01 12:18 2117704 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-04-03 07:09 . 2010-04-03 07:09 5077718 ----a-w- c:\program files\tfbl.db4
2010-04-03 07:08 . 2010-02-22 22:11 576796 ----a-w- c:\program files\tfwl.db5
2010-04-03 07:08 . 2010-02-22 22:11 65133 ----a-w- c:\program files\Statistics.xml
2010-04-03 07:08 . 2010-02-22 22:11 4284 ----a-w- c:\program files\Blogs.htm
2009-10-07 00:15 . 2008-10-01 00:33 198184 ----a-w- c:\program files\Contig.exe
2009-07-01 20:08 . 2010-07-12 10:50 538 ----a-w- c:\program files\gadget.gmanifest
2007-08-01 03:30 . 2010-07-12 10:50 632 ----a-w- c:\program files\icon_small.png
2007-08-01 03:29 . 2010-07-12 10:50 807 ----a-w- c:\program files\icon_large.png
2007-08-01 03:27 . 2010-07-12 10:50 468 ----a-w- c:\program files\details.xml
2007-08-01 03:17 . 2010-07-12 10:50 920 ----a-w- c:\program files\details.js
2007-08-01 03:08 . 2010-07-12 10:50 1603 ----a-w- c:\program files\main.js
2007-07-31 22:46 . 2010-07-12 10:50 2044 ----a-w- c:\program files\main.xml
2010-02-17 23:13 . 2010-02-17 23:13 88 --sh--r- c:\windows\system32\3097360295.sys
2009-10-09 18:07 . 2009-09-10 19:50 14601248 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-09 18:07 . 2009-09-10 19:49 568608 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]
2010-03-14 22:08 2349080 ----a-w- c:\program files\IObitCom\tbIOb1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F28D74EC-B064-4402-926D-E00687233421}]
2009-03-17 20:47 139024 ----a-w- c:\program files\OneRiot\Browser Add-ons\IEStatusbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E}"= "c:\program files\OneRiot\Browser Add-ons\IEToolbar.dll" [2009-03-17 143632]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
[HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIOb1.dll" [2010-03-14 2349080]
"{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E}"= "c:\program files\OneRiot\Browser Add-ons\IEToolbar.dll" [2009-03-17 143632]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
[HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Randy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-27 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-28 2065248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-28 10:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-10-31 00:52 16200 ----a-w- c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
2003-09-16 01:00 270336 ----a-w- c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-05-20 19:46 28160 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-10-11 22:25 1961984 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-09 16:19 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=2 (0x2)
"RasMan"=3 (0x3)
"PrismXL"=2 (0x2)
"McrdSvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"idsvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"FlipShare Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"AlcWzrd"=ALCWZRD.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"EPSON Stylus CX4200 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
"Ad-Watch"=
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/28/2010 6:43 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/28/2010 6:44 AM 242896]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [6/18/2010 6:26 AM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/28/2010 6:41 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/28/2010 6:41 AM 308064]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [6/18/2010 6:26 AM 88040]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [6/18/2010 6:30 AM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [6/18/2010 6:30 AM 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [6/18/2010 6:30 AM 115216]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [6/28/2010 6:41 AM 430152]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [6/17/2010 7:11 AM 3567]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [5/28/2010 7:04 AM 14896]
S3 RDID1076;BOSS GT-10;c:\windows\system32\drivers\Rdwm1076.sys [1/13/2010 11:30 AM 173297]
S4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [5/22/2010 6:11 AM 112592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-09 16:23]

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2789332191-1809762140-3017385989-1006Core.job
- c:\documents and settings\Randy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-27 11:44]

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2789332191-1809762140-3017385989-1006UA.job
- c:\documents and settings\Randy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-27 11:44]

2010-07-12 c:\windows\Tasks\User_Feed_Synchronization-{8632BD51-831B-40AD-B8C2-C9B23EDD2E7C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2010-07-11 c:\windows\Tasks\User_Feed_Synchronization-{949DCA12-FADB-4B86-AC11-E345784B36BC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = hxxp://hosting.conduit.com/Uninstall?toolbarid=&version=4.5.190.19
uInternet Settings,ProxyOverride = 127.0.0.1
Trusted Zone: microsoft.com\www.update
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Corel Photo Downloader - c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe
MSConfigStartUp-ISTray - c:\program files\PC Tools Security\pctsTray.exe
MSConfigStartUp-SmartRAM - c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
MSConfigStartUp-Xpadder - c:\documents and settings\Randy\Desktop\Xpadder.exe
AddRemove-Audacity_is1 - c:\program files\Audacity\unins000.exe
AddRemove-Mozilla Firefox (3.6) - c:\program files\Mozilla Firefox\uninstall\helper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-12 07:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2789332191-1809762140-3017385989-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1968)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-12 07:34:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-12 11:34

Pre-Run: 73,026,756,608 bytes free
Post-Run: 72,991,145,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 57186AEDCB23D694D6A07B0992A4966D


Edited by Blade Zephon, 13 July 2010 - 07:45 PM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!


#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:27 AM

Posted 13 July 2010 - 07:47 PM

Hello.

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

DDS::
uInternet Settings,ProxyOverride =


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix log
How's the computer running now?


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

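The entries Blade's CFScript targets (the ProxyOverride line under Supplementary Scan and the Security Center AntiVirusOverride value) are the kind of non-default settings a helper reads out of a ComboFix log by hand. The script below is an added example, not code from the thread or from ComboFix: it parses the log format shown in this thread (R*/S* service lines, the svchost group key, the firewall-policy key and the Supplementary Scan block) and returns the findings a helper would review, with the Windows Firewall value cross-checked against the FW: status line. SAMPLE_LOG is constructed from lines in the thread, and STOCK_SVCHOST_GROUPS is a partial allowlist of stock Windows XP groups (an assumption for illustration, not ComboFix's own filter).

```python
"""Triage helper for ComboFix log excerpts.

Added example, not ComboFix's own code and not from the thread. It parses the
service list, the svchost group key, the firewall-policy key and the
Supplementary Scan block in the format the log uses, and returns the findings a
malware-removal helper would review. SAMPLE_LOG is constructed from lines in the
thread; STOCK_SVCHOST_GROUPS is a partial allowlist (an assumption).
"""
import re
from dataclasses import dataclass

# R1 name;display;path [date time size]  -- the service line layout in the log
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>.+?)\s+(?P<size>\d+)\]$"
)
# ComboFix only prints non-default Internet Settings, so any of these is worth a look.
PROXY_KEYS = {"ProxyServer", "ProxyOverride", "AutoConfigURL", "ProxyEnable"}
# Stock svchost groups on Windows XP SP3 (assumed, partial); anything else needs an owner.
STOCK_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                        "dcomlaunch", "imgsvc", "httpfilter", "termsvcs"}

SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/28/2010 6:43 AM 216200]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [6/17/2010 7:11 AM 3567]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
vvdsvc REG_MULTI_SZ vvdsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = 127.0.0.1
Trusted Zone: microsoft.com\www.update
"""


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def undefang(url: str) -> str:
    """ComboFix writes hxxp:// so logged URLs are not clickable; restore the scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_services(log_text: str):
    """(start type, short name, image path) for every R*/S* service line."""
    found = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            found.append((m["start"], m["name"], m["path"]))
    return found


def triage(log_text: str):
    """Return the findings for one log, in log order."""
    findings = []
    key = None                  # registry key the current block belongs to
    third_party_fw_off = False  # from the FW: status line
    windows_fw_off = False      # EnableFirewall=0 in the standard profile
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # blank line or '.' closes a block
            key = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line.lower()
            continue
        if SERVICE_RE.match(line):       # service lines belong to no key
            key = None
            continue
        if line.startswith("FW:") and "*disabled*" in line:
            third_party_fw_off = True
        elif key and key.endswith("firewallpolicy\\standardprofile]") \
                and line.startswith('"EnableFirewall"='):
            windows_fw_off = line.split("=", 1)[1].strip().startswith("0")
        elif key and key.endswith("\\svchost]"):
            group = line.split()[0]
            if group.lower() not in STOCK_SVCHOST_GROUPS:
                findings.append(Finding("svchost", f"non-stock service group: {line}"))
        elif line.startswith(("uInternet Settings,", "mInternet Settings,")):
            setting = line.split(",", 1)[1].split("=", 1)[0].strip()
            if setting in PROXY_KEYS:
                findings.append(Finding("proxy", f"non-default proxy setting: {line}"))
        elif line.startswith(("uStart Page", "mStart Page")):
            url = line.split("=", 1)[1].strip()
            findings.append(Finding("browser", f"start page {undefang(url)}"))
        elif line.startswith("Trusted Zone:"):
            findings.append(Finding("trusted-zone", line.split(":", 1)[1].strip()))
    if windows_fw_off:
        if third_party_fw_off:
            detail = ("Windows Firewall off and the third-party firewall reports "
                      "*disabled*: no active firewall")
        else:
            detail = ("Windows Firewall off; acceptable only while a third-party "
                      "firewall is active")
        findings.append(Finding("firewall", detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

Run against SAMPLE_LOG it reports the two non-stock svchost groups, the start page with its scheme restored, the ProxyOverride line that the DDS:: directive above clears, the trusted-zone entry for review, and the fact that with PC Tools Firewall Plus disabled for the scan no firewall was active at all. The allowlist approach is deliberate: ComboFix already filters stock entries, so anything it prints under these keys should be tied to a known product before it is left alone.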

#14 Randalltex

Randalltex
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 15 July 2010 - 07:35 PM

Computer's running better for sure. No recent re-directs. However, as you can see from my logs I have removed Firefox and replaced it with IE8. At least once a day IE opens and says it's not my default browser and would I like to make it default. I have done this 8 times this week. Also, I couldn't find a way to disable AVG completely before running my scan. Here's my log.

ComboFix 10-07-11.03 - Randy 07/15/2010 17:43:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.133 [GMT -4:00]
Running from: c:\documents and settings\Randy\Desktop\renamed.exe
Command switches used :: c:\documents and settings\Randy\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.

2010-07-14 10:04 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 22:16 . 2010-07-12 22:16 -------- d-----w- c:\documents and settings\Randy\Application Data\springlobby_updater
2010-07-12 22:15 . 2010-07-12 22:15 -------- d-----w- c:\documents and settings\Randy\Application Data\springlobby
2010-07-12 22:12 . 2010-07-12 22:12 -------- d-----w- c:\documents and settings\Randy\Application Data\springsettings
2010-07-12 22:12 . 2010-07-12 22:17 -------- d-----w- c:\program files\Spring
2010-07-12 21:39 . 2010-07-12 21:39 -------- d-----w- c:\documents and settings\Randy\Backup
2010-07-12 21:38 . 2010-07-12 21:38 -------- d-----w- c:\program files\Center Key Software
2010-07-12 16:16 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-12 10:50 . 2010-07-12 10:50 -------- d-----w- c:\program files\stock_images
2010-07-12 10:50 . 2010-07-12 10:50 -------- d-----w- c:\program files\en
2010-07-09 12:32 . 2010-07-09 12:32 -------- d-----w- C:\$AVG
2010-07-09 11:35 . 2010-07-09 11:35 -------- d-----w- c:\program files\OneRiot
2010-07-09 10:36 . 2010-07-09 10:37 -------- dc-h--w- c:\windows\ie8
2010-06-30 23:39 . 2010-06-30 23:39 -------- d-----w- c:\program files\3ivx
2010-06-30 23:39 . 2010-06-30 23:39 -------- d-----w- c:\program files\Flip Video
2010-06-30 23:39 . 2010-06-30 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-06-28 23:31 . 2010-06-28 23:31 -------- d-----w- c:\documents and settings\Randy\Local Settings\Application Data\AVG Security Toolbar
2010-06-28 10:44 . 2010-06-28 10:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-28 10:44 . 2010-06-28 17:16 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-28 10:43 . 2010-06-28 10:43 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-28 10:43 . 2010-06-28 17:15 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-28 10:43 . 2010-07-14 22:30 -------- d-----w- c:\windows\system32\drivers\Avg
2010-06-28 10:41 . 2010-07-02 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-06-28 10:41 . 2010-06-28 10:41 -------- d-----w- c:\program files\AVG
2010-06-28 10:41 . 2010-06-28 10:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-25 10:31 . 2010-06-25 10:31 -------- d-----w- c:\documents and settings\Laurie\Application Data\SUPERAntiSpyware.com
2010-06-24 09:44 . 2010-06-24 09:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-24 09:41 . 2010-06-24 09:41 -------- d-----w- c:\program files\QuickTime
2010-06-24 09:41 . 2010-06-24 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-23 00:36 . 2010-06-23 00:36 -------- d-----w- c:\program files\Secunia
2010-06-22 21:20 . 2010-06-22 21:20 -------- d-----w- c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com
2010-06-22 21:20 . 2010-06-22 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-22 21:20 . 2010-07-10 12:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-22 21:13 . 2010-06-22 21:13 444416 ----a-w- c:\program files\TFC.exe
2010-06-21 20:52 . 2010-06-21 20:52 -------- d-----w- c:\program files\SequoiaView
2010-06-21 10:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-21 10:11 . 2010-06-21 10:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-21 10:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-19 14:56 . 2010-06-19 14:59 62925 ----a-w- C:\BdUninstallTool2010.06.19-10.56.44.reg
2010-06-18 10:32 . 2010-06-18 10:33 -------- d-----w- c:\documents and settings\Randy\Application Data\PCToolsFirewallPlus
2010-06-18 10:30 . 2010-01-12 13:34 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-06-18 10:30 . 2010-01-07 15:35 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-06-18 10:30 . 2010-01-07 15:35 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-06-18 10:30 . 2010-01-13 12:59 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-06-18 10:30 . 2010-06-18 10:33 -------- d-----w- c:\program files\PC Tools Firewall Plus
2010-06-18 10:26 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-18 10:26 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-18 10:26 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-18 10:26 . 2010-06-18 10:30 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 12:44 . 2010-06-17 12:44 -------- d-----w- c:\documents and settings\Randy\Application Data\Safer Networking
2010-06-17 11:11 . 2002-01-12 21:30 3567 ----a-w- c:\windows\system32\drivers\PortTalk.sys
2010-06-17 11:08 . 2010-07-15 21:43 -------- d-----w- c:\windows\system32\CatRoot2
2010-06-16 14:57 . 2010-06-16 14:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 21:35 . 2009-09-04 15:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-15 20:43 . 2010-07-15 20:43 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 20:43 . 2010-07-15 20:43 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-15 20:43 . 2010-07-15 20:43 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 20:43 . 2010-07-15 20:43 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-15 20:37 . 2008-12-09 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-15 10:43 . 2008-12-09 19:43 0 -c--a-w- c:\documents and settings\Laurie\Local Settings\Application Data\prvlcl.dat
2010-07-15 10:43 . 2008-12-11 21:17 0 -c--a-w- c:\documents and settings\Joshua\Local Settings\Application Data\prvlcl.dat
2010-07-12 11:21 . 2008-12-09 02:56 578560 ----a-w- c:\windows\system32\user32.dll
2010-07-12 10:47 . 2010-06-01 19:32 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-27 06:12 . 2010-03-20 13:57 -------- d-----w- c:\program files\CCleaner
2010-06-27 03:19 . 2010-04-17 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-25 10:34 . 2010-06-25 10:34 61440 ----a-w- c:\documents and settings\Laurie\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-77792a98-n\decora-sse.dll
2010-06-25 10:34 . 2010-06-25 10:34 503808 ----a-w- c:\documents and settings\Laurie\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215984fa-n\msvcp71.dll
2010-06-25 10:34 . 2010-06-25 10:34 499712 ----a-w- c:\documents and settings\Laurie\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215984fa-n\jmc.dll
2010-06-25 10:34 . 2010-06-25 10:34 12800 ----a-w- c:\documents and settings\Laurie\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-77792a98-n\decora-d3d.dll
2010-06-25 10:34 . 2010-06-25 10:34 348160 ----a-w- c:\documents and settings\Laurie\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215984fa-n\msvcr71.dll
2010-06-25 10:32 . 2010-06-25 10:32 63488 ----a-w- c:\documents and settings\Laurie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-25 10:32 . 2010-06-25 10:32 52224 ----a-w- c:\documents and settings\Laurie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-25 10:32 . 2010-06-25 10:32 117760 ----a-w- c:\documents and settings\Laurie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-25 10:00 . 2010-06-22 21:21 63488 ----a-w- c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-25 10:00 . 2010-06-22 21:21 117760 ----a-w- c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-24 09:58 . 2008-12-11 15:23 -------- d-----w- c:\program files\Common Files\Java
2010-06-24 09:54 . 2010-06-24 09:43 79488 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-24 09:54 . 2010-06-24 09:43 152576 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-06-24 09:45 . 2010-06-24 09:45 503808 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23d416ab-n\msvcp71.dll
2010-06-24 09:45 . 2010-06-24 09:45 499712 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23d416ab-n\jmc.dll
2010-06-24 09:45 . 2010-06-24 09:45 348160 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23d416ab-n\msvcr71.dll
2010-06-24 09:45 . 2010-06-24 09:45 61440 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1d37f502-n\decora-sse.dll
2010-06-24 09:45 . 2010-06-24 09:45 12800 ----a-w- c:\documents and settings\Randy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1d37f502-n\decora-d3d.dll
2010-06-23 00:36 . 2009-01-14 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-22 21:21 . 2010-06-22 21:21 52224 ----a-w- c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-18 10:23 . 2010-06-06 12:07 -------- d-----w- c:\documents and settings\Randy\Application Data\Comodo
2010-06-18 10:23 . 2010-06-06 12:07 -------- d-----w- c:\program files\COMODO
2010-06-15 01:23 . 2009-07-16 03:06 -------- d-----w- c:\program files\DivX
2010-06-14 22:57 . 2010-06-12 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-06-14 14:31 . 2008-12-09 02:54 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 11:45 . 2010-05-22 10:08 -------- d-----w- c:\program files\PC Tools Security
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\19839\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\19839\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\19839\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\19839\AcrobatUpdater.exe
2010-06-06 14:06 . 2010-06-06 14:06 -------- d-----w- c:\documents and settings\Laurie\Application Data\Comodo
2010-06-06 12:08 . 2010-06-06 12:08 249592 ----a-w- c:\windows\system32\cssdll32.dll
2010-06-05 03:16 . 2009-02-04 11:57 -------- d-----w- c:\documents and settings\Randy\Application Data\Media Player Classic
2010-06-05 03:10 . 2008-12-09 17:00 -------- d-----w- c:\program files\IObit
2010-06-04 23:26 . 2010-06-04 23:26 -------- d-----w- c:\program files\GFI
2010-06-02 20:37 . 2010-05-24 13:18 -------- d-----w- c:\program files\W3i, LLC
2010-06-01 21:55 . 2010-02-17 23:13 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-01 19:32 . 2010-06-01 19:32 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-28 11:04 . 2010-05-28 11:04 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-24 12:46 . 2008-12-09 19:35 69352 -c--a-w- c:\documents and settings\Laurie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-22 09:31 . 2008-12-09 16:19 -------- d-----w- c:\program files\Google
2010-05-22 00:24 . 2010-04-17 02:53 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-22 00:20 . 2009-07-16 03:06 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-22 00:20 . 2010-05-22 00:20 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-05-22 00:20 . 2010-05-22 00:20 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-05-22 00:19 . 2010-05-21 23:59 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-22 00:18 . 2010-04-17 02:53 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-21 23:59 . 2010-05-21 23:59 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-05-21 23:58 . 2010-05-21 23:58 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-21 23:58 . 2010-05-21 23:58 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-21 23:58 . 2010-05-21 23:58 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-21 23:58 . 2010-05-21 23:58 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-05-18 09:51 . 2008-12-09 04:20 69352 -c--a-w- c:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-13 22:05 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2010-05-10 16:57 . 2010-05-22 10:11 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-10 16:57 . 2010-05-22 10:11 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-06 10:41 . 2008-12-09 02:57 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-12-09 02:57 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2008-12-09 02:53 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 14:25 . 2010-07-01 12:18 2117704 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-04-03 07:09 . 2010-04-03 07:09 5077718 ----a-w- c:\program files\tfbl.db4
2010-04-03 07:08 . 2010-02-22 22:11 576796 ----a-w- c:\program files\tfwl.db5
2010-04-03 07:08 . 2010-02-22 22:11 65133 ----a-w- c:\program files\Statistics.xml
2010-04-03 07:08 . 2010-02-22 22:11 4284 ----a-w- c:\program files\Blogs.htm
2009-10-07 00:15 . 2008-10-01 00:33 198184 ----a-w- c:\program files\Contig.exe
2009-07-01 20:08 . 2010-07-12 10:50 538 ----a-w- c:\program files\gadget.gmanifest
2007-08-01 03:30 . 2010-07-12 10:50 632 ----a-w- c:\program files\icon_small.png
2007-08-01 03:29 . 2010-07-12 10:50 807 ----a-w- c:\program files\icon_large.png
2007-08-01 03:27 . 2010-07-12 10:50 468 ----a-w- c:\program files\details.xml
2007-08-01 03:17 . 2010-07-12 10:50 920 ----a-w- c:\program files\details.js
2007-08-01 03:08 . 2010-07-12 10:50 1603 ----a-w- c:\program files\main.js
2007-07-31 22:46 . 2010-07-12 10:50 2044 ----a-w- c:\program files\main.xml
2010-02-17 23:13 . 2010-02-17 23:13 88 --sh--r- c:\windows\system32\3097360295.sys
2009-10-09 18:07 . 2009-09-10 19:50 14601248 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-09 18:07 . 2009-09-10 19:49 568608 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]
2010-03-14 22:08 2349080 ----a-w- c:\program files\IObitCom\tbIOb1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F28D74EC-B064-4402-926D-E00687233421}]
2009-03-17 20:47 139024 ----a-w- c:\program files\OneRiot\Browser Add-ons\IEStatusbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E}"= "c:\program files\OneRiot\Browser Add-ons\IEToolbar.dll" [2009-03-17 143632]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
[HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIOb1.dll" [2010-03-14 2349080]
"{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E}"= "c:\program files\OneRiot\Browser Add-ons\IEToolbar.dll" [2009-03-17 143632]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
[HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Randy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-27 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-28 10:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-06-28 17:16 2065248 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-10-31 00:52 16200 ----a-w- c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
2003-09-16 01:00 270336 ----a-w- c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-05-20 19:46 28160 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-10-11 22:25 1961984 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-09 16:19 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=2 (0x2)
"RasMan"=3 (0x3)
"PrismXL"=2 (0x2)
"McrdSvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"idsvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"FlipShare Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"AlcWzrd"=ALCWZRD.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"EPSON Stylus CX4200 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
"Ad-Watch"=
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/28/2010 6:43 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/28/2010 6:44 AM 242896]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [6/18/2010 6:26 AM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/28/2010 6:41 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/28/2010 6:41 AM 308064]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [6/18/2010 6:26 AM 88040]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [6/18/2010 6:30 AM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [6/18/2010 6:30 AM 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [6/18/2010 6:30 AM 115216]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [6/28/2010 6:41 AM 430152]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [6/17/2010 7:11 AM 3567]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [5/28/2010 7:04 AM 14896]
S3 RDID1076;BOSS GT-10;c:\windows\system32\drivers\Rdwm1076.sys [1/13/2010 11:30 AM 173297]
S4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [5/22/2010 6:11 AM 112592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-09 16:23]

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2789332191-1809762140-3017385989-1006Core.job
- c:\documents and settings\Randy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-27 11:44]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2789332191-1809762140-3017385989-1006UA.job
- c:\documents and settings\Randy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-27 11:44]

2010-07-15 c:\windows\Tasks\User_Feed_Synchronization-{8632BD51-831B-40AD-B8C2-C9B23EDD2E7C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2010-07-15 c:\windows\Tasks\User_Feed_Synchronization-{949DCA12-FADB-4B86-AC11-E345784B36BC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = hxxp://hosting.conduit.com/Uninstall?toolbarid=&version=4.5.190.19
Trusted Zone: microsoft.com\www.update
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-15 17:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2789332191-1809762140-3017385989-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1188)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1632)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-15 18:04:23
ComboFix-quarantined-files.txt 2010-07-15 22:04
ComboFix2.txt 2010-07-12 11:34

Pre-Run: 65,183,412,224 bytes free
Post-Run: 65,444,032,512 bytes free

- - End Of File - - 894104211138C4E2E9B040378A7CD7B7

#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:08:27 AM

Posted 16 July 2010 - 09:54 PM

Hi RandallTex.

That's an unusual issue with IE8. I'm assuming that each time it asks you if you'd like it to be the default browser, you choose yes. First thing I would try is going into IE settings and looking for an option for IE to be the default browser. There should also be an option to prevent it from asking you this.

***************************************************

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using ESET online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

~Blade


In your next reply, please include the following:
ESET Online Scan log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
