
Search hijack - links from google going to supersearchweb.net


  • This topic is locked
14 replies to this topic

#1 Irisim1

  • Members
  • 102 posts

Posted 15 September 2010 - 02:46 PM

Hello,

I've posted in another thread (in this forum) before I read the instructions, but now went ahead with all the requested scans and posting the logs here. Your help is greatly appreciated, thank you!!

Here is the link for the other thread post:

http://www.bleepingcomputer.com/forums/ind...amp;hl=cilxrhoj

DDS.txt log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Iris at 14:20:22.39 on Wed 09/15/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.155 [GMT -4:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
C:WINDOWSsystem32svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:Program FilesLavasoftAd-AwareAAWService.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:WINDOWSehomeehtray.exe
C:Program FilesAnalog DevicesCoresmax4pnp.exe
C:Program FilesCreativeSBAudigy2ZSSurround MixerCTSysVol.exe
C:Program FilesCreativeSBAudigy2ZSDVDAudioCTDVDDET.EXE
C:WINDOWSsystem32CTHELPER.EXE
C:Program FilesGoogleGmail Notifiergnotify.exe
C:Program FilesAdobePhotoshop Elements 3.0PhotoshopElementsFileAgent.exe
C:Program FilesDell Photo AIO Printer 964memcard.exe
C:Program FilesCommon FilesRealUpdate_OBrealsched.exe
C:Program FilesBabylonBabylon.exe
C:Program FilesCommon FilesJavaJava Updatejusched.exe
C:WINDOWSsystem32ctfmon.exe
C:Documents and SettingsIrisApplication DataSanDiskSansa UpdaterSansaDispatch.exe
C:WINDOWSsystem32CTsvcCDA.EXE
C:WINDOWSeHomeehRecvr.exe
C:WINDOWSeHomeehSched.exe
C:Documents and SettingsAll UsersApplication DataEPSONEPW!3 SSRPE_S40RP7.EXE
C:Program FilesIntelIntel Application Acceleratoriaantmon.exe
C:Program FilesAdobePhotoshop Elements 3.0PhotoshopElementsDeviceConnect.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:WINDOWSsystem32dlcjcoms.exe
C:WINDOWSsystem32dllhost.exe
C:Program FilesLavasoftAd-AwareAAWTray.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesMozilla Firefoxplugin-container.exe
C:Program FilesLavasoftAd-AwareAd-Aware.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:WINDOWSsystem32rundll32.exe
C:Documents and SettingsIrisMy DocumentsDownloadsdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:documents and settingsall usersapplication datarealrealplayerbrowserrecordpluginierpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program filescommon filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: TBSB07286 Class: {c23d0d6a-8cba-4b33-9735-47d81f5b2b85} - c:program filesecobartbcore3.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
TB: Ecobar: {10000000-1000-1000-1000-100000000000} - c:program filesecobartbcore3.dll
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [SansaDispatch] c:documents and settingsirisapplication datasandisksansa updaterSansaDispatch.exe
uRun: [cilxrhoj£] c:documents and settingsiriscilxrhoj£.exe
uRun: [cilxrhoj»] c:documents and settingsiriscilxrhoj».exe
uRun: [cilxrhojø] c:documents and settingsiriscilxrhojø.exe
uRun: [cilxrhojª] c:documents and settingsiriscilxrhojª.exe
uRun: [cilxrhojÌ] c:documents and settingsiriscilxrhojÌ.exe
uRun: [cilxrhoj¾] c:documents and settingsiriscilxrhoj¾.exe
uRun: [cilxrhojé] c:documents and settingsiriscilxrhojÉ.exe
uRun: [cilxrhojò] c:documents and settingsiriscilxrhojò.exe
uRun: [cilxrhoj³] c:documents and settingsiriscilxrhoj³.exe
uRun: [cilxrhoj] c:documents and settingsiriscilxrhoj.exe
uRun: [cilxrhoj‰] c:documents and settingsiriscilxrhoj‰.exe
uRun: [cilxrhoj]] c:documents and settingsiriscilxrhoj].exe
uRun: [cilxrhoj¯] c:documents and settingsiriscilxrhoj¯.exe
uRun: [cilxrhoj‚] c:documents and settingsiriscilxrhoj‚.exe
uRun: [cilxrhoj’] c:documents and settingsiriscilxrhoj’.exe
uRun: [cilxrhoj÷] c:documents and settingsiriscilxrhoj÷.exe
uRun: [cilxrhoj=] c:documents and settingsiriscilxrhoj=.exe
uRun: [cilxrhoj5] c:documents and settingsiriscilxrhoj5.exe
uRun: [cilxrhoj[] c:documents and settingsiriscilxrhoj[.exe
uRun: [cilxrhojð] c:documents and settingsiriscilxrhojð.exe
uRun: [cilxrhoj²] c:documents and settingsiriscilxrhoj².exe
uRun: [cilxrhoj‡] c:documents and settingsiriscilxrhoj‡.exe
uRun: [cilxrhoj®] c:documents and settingsiriscilxrhoj®.exe
uRun: [cilxrhoj] c:documents and settingsiriscilxrhoj.exe
uRun: [cilxrhoj´] c:documents and settingsiriscilxrhoj´.exe
uRun: [cilxrhojå] c:documents and settingsiriscilxrhojÅ.exe
uRun: [cilxrhojY] c:documents and settingsiriscilxrhojY.exe
uRun: [cilxrhojp] c:documents and settingsiriscilxrhojp.exe
uRun: [cilxrhoj0] c:documents and settingsiriscilxrhoj0.exe
uRun: [cilxrhoj…] c:documents and settingsiriscilxrhoj….exe
uRun: [cilxrhoj×] c:documents and settingsiriscilxrhoj×.exe
uRun: [cilxrhojŒ] c:documents and settingsiriscilxrhojŒ.exe
uRun: [cilxrhoj‹] c:documents and settingsiriscilxrhoj‹.exe
uRun: [cilxrhoj] c:documents and settingsiriscilxrhoj.exe
uRun: [cilxrhojN] c:documents and settingsiriscilxrhojn.exe
uRun: [cilxrhojá] c:documents and settingsiriscilxrhojÁ.exe
uRun: [cilxrhojk] c:documents and settingsiriscilxrhojK.exe
uRun: [cilxrhoj] c:documents and settingsiriscilxrhoj.exe
uRun: [cilxrhoj.] c:documents and settingsiriscilxrhoj..exe
uRun: [cilxrhojd] c:documents and settingsiriscilxrhojD.exe
uRun: [cilxrhojF] c:documents and settingsiriscilxrhojf.exe
uRun: [cilxrhojÚ] c:documents and settingsiriscilxrhojÚ.exe
uRun: [cilxrhojÑ] c:documents and settingsiriscilxrhojñ.exe
uRun: [cilxrhoj›] c:documents and settingsiriscilxrhoj›.exe
uRun: [cilxrhojÂ] c:documents and settingsiriscilxrhojÂ.exe
uRun: [cilxrhojb] c:documents and settingsiriscilxrhojB.exe
uRun: [cilxrhojê] c:documents and settingsiriscilxrhoj.exe
uRun: [cilxrhojÍ] c:documents and settingsiriscilxrhojí.exe
uRun: [cilxrhojÏ] c:documents and settingsiriscilxrhojï.exe
uRun: [cilxrhojÈ] c:documents and settingsiriscilxrhojÈ.exe
uRun: [cilxrhojj] c:documents and settingsiriscilxrhojj.exe
uRun: [cilxrhoj«] c:documents and settingsiriscilxrhoj«.exe
uRun: [cilxrhojÝ] c:documents and settingsiriscilxrhojý.exe
uRun: [cilxrhoj ] c:documents and settingsiriscilxrhoj .exe
uRun: [cilxrhoj¢] c:documents and settingsiriscilxrhoj¢.exe
uRun: [cilxrhoj4] c:documents and settingsiriscilxrhoj4.exe
uRun: [cilxrhojÞ] c:documents and settingsiriscilxrhojþ.exe
uRun: [cilxrhojô] c:documents and settingsiriscilxrhojÔ.exe
uRun: [cilxrhoj“] c:documents and settingsiriscilxrhoj“.exe
uRun: [cilxrhoj¶] c:documents and settingsiriscilxrhoj¶.exe
uRun: [cilxrhoji] c:documents and settingsiriscilxrhojI.exe
uRun: [cilxrhoj¦] c:documents and settingsiriscilxrhoj¦.exe
uRun: [cilxrhojÇ] c:documents and settingsiriscilxrhojç.exe
uRun: [cilxrhojÎ] c:documents and settingsiriscilxrhojî.exe
uRun: [cilxrhojE] c:documents and settingsiriscilxrhoje.exe
uRun: [cilxrhojc] c:documents and settingsiriscilxrhojC.exe
uRun: [cilxrhojó] c:documents and settingsiriscilxrhojó.exe
uRun: [cilxrhoj„] c:documents and settingsiriscilxrhoj„.exe
uRun: [cilxrhoj2] c:documents and settingsiriscilxrhoj2.exe
uRun: [cilxrhojl] c:documents and settingsiriscilxrhojL.exe
uRun: [cilxrhoj&] c:documents and settingsiriscilxrhoj&.exe
uRun: [cilxrhoj9] c:documents and settingsiriscilxrhoj9.exe
uRun: [cilxrhoj`] c:documents and settingsiriscilxrhoj`.exe
uRun: [cilxrhojž] c:documents and settingsiriscilxrhojž.exe
uRun: [cilxrhoj%] c:documents and settingsiriscilxrhoj%.exe
uRun: [cilxrhoj@] c:documents and settingsiriscilxrhoj@.exe
uRun: [cilxrhoj°] c:documents and settingsiriscilxrhoj°.exe
uRun: [cilxrhoj,] c:documents and settingsiriscilxrhoj,.exe
uRun: [cilxrhoj•] c:documents and settingsiriscilxrhoj•.exe
uRun: [cilxrhojÃ] c:documents and settingsiriscilxrhojã.exe
uRun: [cilxrhoj©] c:documents and settingsiriscilxrhoj©.exe
uRun: [cilxrhojÜ] c:documents and settingsiriscilxrhojü.exe
uRun: [cilxrhoj·] c:documents and settingsiriscilxrhoj·.exe
uRun: [cilxrhoj˜] c:documents and settingsiriscilxrhoj˜.exe
uRun: [cilxrhoj#] c:documents and settingsiriscilxrhoj#.exe
uRun: [cilxrhoj$] c:documents and settingsiriscilxrhoj$.exe
uRun: [cilxrhojˆ] c:documents and settingsiriscilxrhojˆ.exe
uRun: [cilxrhojÛ] c:documents and settingsiriscilxrhojÛ.exe
uRun: [cilxrhojV] c:documents and settingsiriscilxrhojv.exe
uRun: [cilxrhoj¤] c:documents and settingsiriscilxrhoj¤.exe
uRun: [cilxrhoj¹] c:documents and settingsiriscilxrhoj¹.exe
uRun: [cilxrhoj–] c:documents and settingsiriscilxrhoj–.exe
uRun: [cilxrhoj1] c:documents and settingsiriscilxrhoj1.exe
uRun: [cilxrhojß] c:documents and settingsiriscilxrhojß.exe
uRun: [cilxrhoj”] c:documents and settingsiriscilxrhoj”.exe
uRun: [cilxrhoj'] c:documents and settingsiriscilxrhoj'.exe
uRun: [cilxrhoj}] c:documents and settingsiriscilxrhoj}.exe
uRun: [cilxrhoj)] c:documents and settingsiriscilxrhoj).exe
uRun: [cilxrhoj¿] c:documents and settingsiriscilxrhoj¿.exe
uRun: [cilxrhojƒ] c:documents and settingsiriscilxrhojƒ.exe
uRun: [cilxrhoj!] c:documents and settingsiriscilxrhoj!.exe
uRun: [cilxrhoj] c:documents and settingsiriscilxrhoj.exe
uRun: [cilxrhojº] c:documents and settingsiriscilxrhojº.exe
uRun: [cilxrhoj—] c:documents and settingsiriscilxrhoj—.exe
uRun: [cilxrhoj8] c:documents and settingsiriscilxrhoj8.exe
uRun: [cilxrhoj^] c:documents and settingsiriscilxrhoj^.exe
uRun: [cilxrhoj~] c:documents and settingsiriscilxrhoj~.exe
uRun: [cilxrhoj¨] c:documents and settingsiriscilxrhoj¨.exe
uRun: [cilxrhojA] c:documents and settingsiriscilxrhojA.exe
uRun: [cilxrhoj½] c:documents and settingsiriscilxrhoj½.exe
uRun: [cilxrhojX] c:documents and settingsiriscilxrhojX.exe
uRun: [cilxrhoj] c:documents and settingsiriscilxrhoj.exe
uRun: [cilxrhoj+] c:documents and settingsiriscilxrhoj+.exe
uRun: [cilxrhoj­] c:documents and settingsiriscilxrhoj­.exe
uRun: [cilxrhojà] c:documents and settingsiriscilxrhojÀ.exe
uRun: [cilxrhoj§] c:documents and settingsiriscilxrhoj§.exe
uRun: [cilxrhoj™] c:documents and settingsiriscilxrhoj™.exe
uRun: [cilxrhoj¸] c:documents and settingsiriscilxrhoj¸.exe
uRun: [cilxrhoj6] c:documents and settingsiriscilxrhoj6.exe
uRun: [cilxrhoj] c:documents and settingsiriscilxrhoj.exe
uRun: [cilxrhoj;] c:documents and settingsiriscilxrhoj;.exe
uRun: [cilxrhoj(] c:documents and settingsiriscilxrhoj(.exe
uRun: [cilxrhoj±] c:documents and settingsiriscilxrhoj±.exe
mRun: [ehTray] c:windowsehomeehtray.exe
mRun: [SoundMAXPnP] c:program filesanalog devicescoresmax4pnp.exe
mRun: [IAAnotif] c:program filesintelintel application acceleratoriaanotif.exe
mRun: [ATIPTA] c:program filesati technologiesati control panelatiptaxx.exe
mRun: [CTSysVol] c:program filescreativesbaudigy2zssurround mixerCTSysVol.exe /r
mRun: [CTDVDDET] "c:program filescreativesbaudigy2zsdvdaudioCTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:windowsUpdReg.EXE
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:program filesgooglegmail notifiergnotify.exe
mRun: [Adobe Reader Speed Launcher] "c:program filesadobereader 9.0readerReader_sl.exe"
mRun: [Adobe ARM] "c:program filescommon filesadobearm1.0AdobeARM.exe"
mRun: [DLCJCATS] rundll32 c:windowssystem32spooldriversw32x863DLCJtime.dll,_RunDLLEntry@16
mRun: [dlcjmon.exe] "c:program filesdell photo aio printer 964dlcjmon.exe"
mRun: [MemoryCardManager] "c:program filesdell photo aio printer 964memcard.exe"
mRun: [TkBellExe] "c:program filescommon filesrealupdate_obrealsched.exe" -osboot
mRun: [Babylon Client] c:program filesbabylonBabylon.exe -AutoStart
mRun: [cilxrhoj£] c:windowssystem32cilxrhoj£.exe
mRun: [Yhijetohekafom] rundll32.exe "c:windowsuzeqepijo.dll",Startup
mRun: [cilxrhojª] c:windowssystem32cilxrhojª.exe
mRun: [cilxrhojò] c:windowssystem32cilxrhojò.exe
mRun: [cilxrhoj³] c:windowssystem32cilxrhoj³.exe
mRun: [cilxrhoj] c:windowssystem32cilxrhoj.exe
mRun: [cilxrhoj]] c:windowssystem32cilxrhoj].exe
mRun: [cilxrhoj¯] c:windowssystem32cilxrhoj¯.exe
mRun: [cilxrhoj’] c:windowssystem32cilxrhoj’.exe
mRun: [cilxrhoj÷] c:windowssystem32cilxrhoj÷.exe
mRun: [cilxrhoj=] c:windowssystem32cilxrhoj=.exe
mRun: [cilxrhoj[] c:windowssystem32cilxrhoj[.exe
mRun: [cilxrhoj‡] c:windowssystem32cilxrhoj‡.exe
mRun: [cilxrhoj®] c:windowssystem32cilxrhoj®.exe
mRun: [cilxrhoj] c:windowssystem32cilxrhoj.exe
mRun: [cilxrhoj´] c:windowssystem32cilxrhoj´.exe
mRun: [cilxrhojå] c:windowssystem32cilxrhojÅ.exe
mRun: [cilxrhojY] c:windowssystem32cilxrhojY.exe
mRun: [cilxrhojp] c:windowssystem32cilxrhojp.exe
mRun: [cilxrhoj0] c:windowssystem32cilxrhoj0.exe
mRun: [cilxrhoj…] c:windowssystem32cilxrhoj….exe
mRun: [cilxrhoj×] c:windowssystem32cilxrhoj×.exe
mRun: [cilxrhojŒ] c:windowssystem32cilxrhojŒ.exe
mRun: [cilxrhoj‹] c:windowssystem32cilxrhoj‹.exe
mRun: [cilxrhoj] c:windowssystem32cilxrhoj.exe
mRun: [cilxrhojá] c:windowssystem32cilxrhojÁ.exe
mRun: [cilxrhoj] c:windowssystem32cilxrhoj.exe
mRun: [cilxrhoj.] c:windowssystem32cilxrhoj..exe
mRun: [cilxrhojF] c:windowssystem32cilxrhojf.exe
mRun: [cilxrhojÚ] c:windowssystem32cilxrhojú.exe
mRun: [cilxrhojÂ] c:windowssystem32cilxrhojÂ.exe
mRun: [cilxrhojb] c:windowssystem32cilxrhojB.exe
mRun: [cilxrhojê] c:windowssystem32cilxrhoj.exe
mRun: [cilxrhojÏ] c:windowssystem32cilxrhojï.exe
mRun: [cilxrhojj] c:windowssystem32cilxrhojj.exe
mRun: [cilxrhoj«] c:windowssystem32cilxrhoj«.exe
mRun: [cilxrhoj ] c:windowssystem32cilxrhoj .exe
mRun: [cilxrhoj¢] c:windowssystem32cilxrhoj¢.exe
mRun: [cilxrhoj4] c:windowssystem32cilxrhoj4.exe
mRun: [cilxrhojÞ] c:windowssystem32cilxrhojþ.exe
mRun: [cilxrhoj¶] c:windowssystem32cilxrhoj¶.exe
mRun: [cilxrhoji] c:windowssystem32cilxrhojI.exe
mRun: [cilxrhoj¦] c:windowssystem32cilxrhoj¦.exe
mRun: [cilxrhojÎ] c:windowssystem32cilxrhojî.exe
mRun: [cilxrhojE] c:windowssystem32cilxrhoje.exe
mRun: [cilxrhojc] c:windowssystem32cilxrhojC.exe
mRun: [cilxrhoj2] c:windowssystem32cilxrhoj2.exe
mRun: [cilxrhojl] c:windowssystem32cilxrhojL.exe
mRun: [cilxrhoj&] c:windowssystem32cilxrhoj&.exe
mRun: [cilxrhoj9] c:windowssystem32cilxrhoj9.exe
mRun: [cilxrhoj`] c:windowssystem32cilxrhoj`.exe
mRun: [cilxrhojž] c:windowssystem32cilxrhojž.exe
mRun: [cilxrhoj%] c:windowssystem32cilxrhoj%.exe
mRun: [cilxrhoj°] c:windowssystem32cilxrhoj°.exe
mRun: [cilxrhoj,] c:windowssystem32cilxrhoj,.exe
mRun: [cilxrhoj•] c:windowssystem32cilxrhoj•.exe
mRun: [cilxrhojÃ] c:windowssystem32cilxrhojã.exe
mRun: [cilxrhoj©] c:windowssystem32cilxrhoj©.exe
mRun: [cilxrhojÜ] c:windowssystem32cilxrhojü.exe
mRun: [cilxrhoj·] c:windowssystem32cilxrhoj·.exe
mRun: [cilxrhoj˜] c:windowssystem32cilxrhoj˜.exe
mRun: [cilxrhoj#] c:windowssystem32cilxrhoj#.exe
mRun: [cilxrhoj¤] c:windowssystem32cilxrhoj¤.exe
mRun: [cilxrhoj¹] c:windowssystem32cilxrhoj¹.exe
mRun: [cilxrhoj–] c:windowssystem32cilxrhoj–.exe
mRun: [cilxrhojS] c:windowssystem32cilxrhojs.exe
mRun: [cilxrhoj1] c:windowssystem32cilxrhoj1.exe
mRun: [cilxrhojß] c:windowssystem32cilxrhojß.exe
mRun: [cilxrhoj'] c:windowssystem32cilxrhoj'.exe
mRun: [cilxrhoj}] c:windowssystem32cilxrhoj}.exe
mRun: [cilxrhoj¿] c:windowssystem32cilxrhoj¿.exe
mRun: [cilxrhoj!] c:windowssystem32cilxrhoj!.exe
mRun: [cilxrhoj—] c:windowssystem32cilxrhoj—.exe
mRun: [cilxrhoj8] c:windowssystem32cilxrhoj8.exe
mRun: [cilxrhoj^] c:windowssystem32cilxrhoj^.exe
mRun: [cilxrhoj~] c:windowssystem32cilxrhoj~.exe
mRun: [cilxrhojA] c:windowssystem32cilxrhojA.exe
mRun: [cilxrhojX] c:windowssystem32cilxrhojX.exe
mRun: [cilxrhoj] c:windowssystem32cilxrhoj.exe
mRun: [cilxrhoj+] c:windowssystem32cilxrhoj+.exe
mRun: [cilxrhoj­] c:windowssystem32cilxrhoj­.exe
mRun: [cilxrhojà] c:windowssystem32cilxrhojÀ.exe
mRun: [cilxrhoj™] c:windowssystem32cilxrhoj™.exe
mRun: [cilxrhoj¸] c:windowssystem32cilxrhoj¸.exe
mRun: [cilxrhoj6] c:windowssystem32cilxrhoj6.exe
mRun: [cilxrhoj] c:windowssystem32cilxrhoj.exe
mRun: [cilxrhoj;] c:windowssystem32cilxrhoj;.exe
mRun: [cilxrhoj(] c:windowssystem32cilxrhoj(.exe
mRun: [cilxrhoj7] c:windowssystem32cilxrhoj7.exe
mRun: [SunJavaUpdateSched] "c:program filescommon filesjavajava updatejusched.exe"
StartupFolder: c:docume~1alluse~1startm~1programsstartupadobeg~1.lnk - c:program filescommon filesadobecalibrationAdobe Gamma Loader.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: E&xport to Microsoft Excel - c:progra~1micros~2office11EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:program filesjavajre6binjp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office11REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1irisapplic~1mozillafirefoxprofilesorl4g2on.default
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=55555
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=55555&q=
FF - component: c:documents and settingsirisapplication datamozillafirefoxprofilesorl4g2on.defaultextensions{e001c731-5e37-4538-a5cb-8168736a2360}componentsqscanff.dll
FF - plugin: c:documents and settingsall usersapplication datarealrealplayerbrowserrecordpluginmozillapluginsnprphtml5videoshim.dll
FF - plugin: c:documents and settingsirisapplication datamozillafirefoxprofilesorl4g2on.defaultextensions{e001c731-5e37-4538-a5cb-8168736a2360}pluginsnpqscan.dll
FF - plugin: c:program filesgoogleupdate1.2.183.13npGoogleOneClick8.dll
FF - plugin: c:program filesjavajre6binnpdeployJava1.dll
FF - plugin: c:program filesjavajre6binnpjpi160_21.dll
FF - HiddenExtension: XULRunner: {53AB71CE-B9FA-404F-8118-B68194A9397F} - c:documents and settingsirislocal settingsapplication data{53AB71CE-B9FA-404F-8118-B68194A9397F}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_colors", true);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_popup_windows", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.enable_click_image_resizing", true);
c:program filesmozilla firefoxgreprefsall.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.high_water_mark", 32);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.gc_frequency", 1600);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.lu", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.nu", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.nz", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.IDN.whitelist.tel", true);
c:program filesmozilla firefoxgreprefsall.js - pref("network.auth.force-generic-ntlm", false);
c:program filesmozilla firefoxgreprefsall.js - pref("network.proxy.type", 5);
c:program filesmozilla firefoxgreprefsall.js - pref("network.buffer.cache.count", 24);
c:program filesmozilla firefoxgreprefsall.js - pref("network.buffer.cache.size", 4096);
c:program filesmozilla firefoxgreprefsall.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:program filesmozilla firefoxgreprefsall.js - pref("svg.smil.enabled", false);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.trackpoint_hack.enabled", -1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.debug", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.agedWeight", 2);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.bucketSize", 1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.maxTimeGroupings", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.timeGroupingSize", 604800);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.boundaryWeight", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.prefixWeight", 5);
c:program filesmozilla firefoxgreprefsall.js - pref("accelerometer.enabled", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("lightweightThemes.update.enabled", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.allTabs.previews", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.update.notifyUser", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("toolbar.customization.usesheet", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("dom.ipc.plugins.enabled", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.enable", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.max", 20);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:windowssystem32driversLbd.sys [2010-9-14 64288]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:program filesadobephotoshop elements 3.0PhotoshopElementsFileAgent.exe [2004-10-20 98304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:program fileslavasoftad-awareAAWService.exe [2010-8-12 1355928]
R2 McrdSvc;Media Center Extender Service;c:windowsehomemcrdsvc.exe [2005-8-5 99328]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:program filesadobephotoshop elements 3.0PhotoshopElementsDeviceConnect.exe [2004-10-20 118784]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:program fileslavasoftad-awarekernexplorer.sys [2010-8-12 15008]
S2 gupdate;Google Update Service (gupdate);c:program filesgoogleupdateGoogleUpdate.exe [2010-9-14 135664]

=============== Created Last 30 ================

2010-09-15 18:15:31 0 ----a-w- c:documents and settingsirisdefogger_reenable
2010-09-15 17:36:47 0 d-----w- c:program filesTrend Micro
2010-09-15 15:06:57 41600 -c--a-w- c:windowssystem32dllcacheweitekp9.dll
2010-09-15 15:05:58 38912 -c--a-w- c:windowssystem32dllcacheEXCH_ntfsdrv.dll
2010-09-15 15:04:59 36864 -c--a-w- c:windowssystem32dllcachehanjadic.dll
2010-09-15 15:03:59 76800 -c--a-w- c:windowssystem32dllcachelogui.ocx
2010-09-15 15:00:10 488 ---ha-r- c:windowssystem32logonui.exe.manifest
2010-09-15 15:00:05 749 ---ha-r- c:windowsWindowsShell.Manifest
2010-09-15 15:00:05 749 ---ha-r- c:windowssystem32wuaucpl.cpl.manifest
2010-09-15 15:00:05 749 ---ha-r- c:windowssystem32sapi.cpl.manifest
2010-09-15 15:00:05 749 ---ha-r- c:windowssystem32nwc.cpl.manifest
2010-09-15 15:00:05 749 ---ha-r- c:windowssystem32ncpa.cpl.manifest
2010-09-15 14:59:45 16384 -c--a-w- c:windowssystem32dllcacheisignup.exe
2010-09-15 14:05:42 0 d-----w- c:program filesBroadcom
2010-09-15 04:16:32 127 ----a-w- c:windowssystem32MRT.INI
2010-09-15 04:16:32 0 d-----w- c:windowssystem32MpEngineStore
2010-09-15 01:13:11 423656 ----a-w- c:windowssystem32deployJava1.dll
2010-09-15 01:13:11 0 ----a-w- c:windowssystem32REN10C.tmp
2010-09-15 01:13:11 0 ----a-w- c:windowssystem32REN10B.tmp
2010-09-15 01:13:11 0 ----a-w- c:windowssystem32REN10A.tmp
2010-09-14 19:54:41 15880 ----a-w- c:windowssystem32lsdelete.exe
2010-09-14 18:31:29 210959 ----a-w- c:windowssetupapi.old
2010-09-14 18:31:22 64288 ----a-w- c:windowssystem32driversLbd.sys
2010-09-14 18:31:17 95024 ----a-w- c:windowssystem32driversSBREDrv.sys
2010-09-14 18:22:11 0 dc-h--w- c:docume~1alluse~1applic~1{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-14 18:21:31 0 d-----w- c:program filesLavasoft
2010-09-14 17:52:23 0 d-----w- c:docume~1irisapplic~1QuickScan
2010-09-09 13:57:10 0 ----a-w- c:windowssystem32cilxrhoj
2010-09-09 13:57:10 0 ----a-w- c:documents and settingsiriscilxrhoj
2010-09-09 05:56:52 274288 ----a-w- c:windowssystem32mucltui.dll
2010-09-09 05:56:52 215920 ----a-w- c:windowssystem32muweb.dll
2010-09-09 05:56:52 16736 ----a-w- c:windowssystem32mucltui.dll.mui
2010-09-08 13:55:46 0 d-----w- c:documents and settingsirisTracing
2010-09-08 13:53:57 0 d-----w- c:program filesMicrosoft
2010-09-08 13:53:43 0 d-----w- c:program filesWindows Live SkyDrive
2010-09-08 13:51:13 0 d-----w- c:program filescommon filesWindows Live
2010-09-05 00:06:07 0 d-----w- c:docume~1irisapplic~1Malwarebytes
2010-09-05 00:05:58 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-09-05 00:05:57 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-09-05 00:05:57 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2010-09-05 00:05:57 0 d-----w- c:docume~1alluse~1applic~1Malwarebytes
2010-09-04 23:58:12 0 d-----w- c:program filesCCleaner
2010-09-04 21:39:11 0 d-----w- c:windowssystem32appmgmt
2010-09-04 21:11:14 120 ----a-w- c:windowsRdegoxiredoxir.dat
2010-09-04 21:11:14 0 ----a-w- c:windowsOtumogovitogol.bin
2010-09-04 21:09:29 0 d-----w- c:docume~1irisapplic~1Toolbar4
2010-09-04 20:55:57 73728 ----a-w- c:windowssystem32javacpl.cpl
2010-08-24 21:50:54 5632 ----a-w- c:windowssystem32ptpusb.dll
2010-08-24 21:50:53 15104 ----a-w- c:windowssystem32driversusbscan.sys
2010-08-24 21:50:52 159232 ----a-w- c:windowssystem32ptpusd.dll
2010-08-17 14:21:42 0 d-----w- c:docume~1alluse~1applic~1Babylon
2010-08-17 14:19:15 0 d-----w- c:docume~1irisapplic~1Babylon

==================== Find3M ====================

2010-09-15 14:57:27 34284 ----a-w- c:windowssystem32emptyregdb.dat
2010-08-15 19:07:24 499712 ----a-w- c:windowssystem32msvcp71.dll
2010-08-15 19:07:24 348160 ----a-w- c:windowssystem32msvcr71.dll
2010-08-02 05:28:41 0 ---ha-w- c:windowssystem32driversMsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-08-02 05:28:41 0 ---ha-w- c:windowssystem32driversMsft_Kernel_NuidFltr_01005.Wdf
2010-07-22 05:57:20 5120 ----a-w- c:windowssystem32xpsp4res.dll

============= FINISH: 14:20:49.28 ===============

The other two files are attached.
Thank you so much for your help!
Iris

Here's another strange thing I've noticed: this redirect search phenomenon happens only on one Windows user account, which is the administrator account. I've opened another account (non-administrator) and transferred my browser profile (FF) to the new account, including all the bookmarks and add-ons, but surprisingly the search works fine there. Yet when I go back to the other account it's still there.

I am adding another event that happened today (not trying to bump, just informing of the developments) - today at some point there was a small window informing me of a security update/fix for the Firefox browser. I clicked install and then restart, and only afterward realized I may have authorized another virus! Before FF came back on, another window opened asking me whether I want to install this program on another user account - which program???!!! I didn't mean to authorize any program, only an update to the browser!
However, so far I don't see any strange behavior. Maybe in the morning. But I'm not running any additional scans because I'm waiting for a reply here, and I read the administrators' request not to run any additional scans until a reply is received.

EDIT: Posts merged ~BP

Edited by Budapest, 19 September 2010 - 01:22 AM.
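
The Pseudo HJT section of the DDS log above carries the findings a responder would pull out first: a per-user proxy pointed at a local port (which is why only one Windows account is affected), a family of autostart entries sharing the stem cilxrhoj, a rundll32 entry loading a DLL from the Windows root, and a NoFolderOptions policy. The Python triage script below is an editor's added example, not part of DDS, MBAM or any post in this thread; the report text it runs on is a constructed excerpt modelled on the log (backslashes restored, almost all duplicate entries omitted), and the function names are my own.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Editor's added example for this thread; not part of DDS, MBAM or any post
above. DDS prefixes entries with 'u' for the current user's registry hive
and 'm' for the machine hive, which is why a per-user proxy or Run key
only affects the account it was written under.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log in the first post: backslashes
# restored, and all but a few of the ~200 cilxrhoj entries omitted.
SAMPLE_REPORT = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [cilxrhoj£] c:\\documents and settings\\iris\\cilxrhoj£.exe
uRun: [cilxrhojª] c:\\documents and settings\\iris\\cilxrhojª.exe
uRun: [cilxrhoj5] c:\\documents and settings\\iris\\cilxrhoj5.exe
uRun: [cilxrhoj] c:\\documents and settings\\iris\\cilxrhoj.exe
mRun: [ehTray] c:\\windows\\ehome\\ehtray.exe
mRun: [DLCJCATS] rundll32 c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\DLCJtime.dll,_RunDLLEntry@16
mRun: [Yhijetohekafom] rundll32.exe "c:\\windows\\uzeqepijo.dll",Startup
mRun: [cilxrhoj£] c:\\windows\\system32\\cilxrhoj£.exe
mRun: [cilxrhojY] c:\\windows\\system32\\cilxrhojY.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
"""

# Non-greedy name so entries like "[cilxrhoj]]" still parse correctly.
RUN_RE = re.compile(r'^(?P<hive>[um])Run:\s+\[(?P<name>.*?)\]\s+(?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,', re.I)


def parse_run_entries(report):
    """Yield (hive, name, command) for every uRun/mRun autostart line."""
    for line in report.splitlines():
        m = RUN_RE.match(line)
        if m:
            yield m['hive'], m['name'], m['cmd']


def find_loopback_proxy(report):
    """Return the user-hive ProxyServer value when it points at this host.

    A proxy on 127.0.0.1 means a local process sits between the browser and
    the network, which is how search results get rewritten in transit.
    """
    m = re.search(r'^uInternet Settings,ProxyServer = (.+)$', report, re.M)
    if m and re.search(r'127\.0\.0\.1|localhost', m.group(1)):
        return m.group(1).strip()
    return None


def autostart_families(report, min_size=3):
    """Group autostart names sharing a stem and differing only in a single
    trailing character. Returns {stem: sorted names} for families with at
    least min_size members; legitimate software rarely registers itself
    dozens of times under one stem.
    """
    names = {name for _, name, _ in parse_run_entries(report)}
    families = defaultdict(set)
    for name in names:
        if len(name) > 1:
            families[name[:-1]].add(name)
    for name in names:
        if name in families:          # the bare stem is a member too
            families[name].add(name)
    return {stem: sorted(members)
            for stem, members in families.items() if len(members) >= min_size}


def rundll32_from_windows_root(report):
    """Return (name, dll) for rundll32 entries whose DLL sits directly in
    the Windows directory rather than under system32 or a driver path."""
    hits = []
    for _, name, cmd in parse_run_entries(report):
        m = RUNDLL_RE.match(cmd)
        if m:
            dll = m['dll'].lower()
            if re.fullmatch(r'c:\\windows\\[^\\]+\.dll', dll):
                hits.append((name, dll))
    return hits


def restrictive_policies(report):
    """Return explorer policies set to 1 that hide UI a user needs for
    cleanup (NoFolderOptions in this log)."""
    return re.findall(r'^[um]Policies-explorer:\s+(No\w+)\s*=\s*1\b', report, re.M)


def triage(report):
    """Run every check and collect the findings in one dict."""
    return {
        'loopback_proxy': find_loopback_proxy(report),
        'autostart_families': autostart_families(report),
        'rundll32_windows_root': rundll32_from_windows_root(report),
        'restrictive_policies': restrictive_policies(report),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_REPORT).items():
        print(f'{key}: {value}')
```

Run against a full DDS log, the family grouping is what turns the ~200 near-identical Run entries into one finding instead of a wall of lines.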


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 September 2010 - 05:27 AM

Hi,

I already see you have Malwarebytes installed, but it looks like you're using an outdated version, since it should already detect most of what is in your log.
So... First of all, please update MalwareBytes
  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh DDS log, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
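An MBAM 1.x log of the kind requested above lists each detection on one line as the registry path, the detection name in parentheses and the action taken. The following is an added example for this thread, not code from the thread or from Malwarebytes: a small Python script that pulls the "Registry Values Infected" section out of such a log, groups the entries by hive and key, and reports how many value names under each key share a common prefix, so a responder can see at a glance that a long list of autorun entries is one persistence mechanism rather than hundreds of separate ones. The log lines embedded in it are constructed to match the log format pasted in this thread, and the value-name prefix `samplekey` is a placeholder.

```python
"""Summarize the 'Registry Values Infected' section of a Malwarebytes
Anti-Malware 1.x text log.

Added example for this thread; not code from the thread or from Malwarebytes.
SAMPLE_LOG is constructed to match the log format pasted in the thread, and
the value-name prefix "samplekey" is a placeholder, not a real indicator.
"""
import os
import re
from collections import defaultdict

# One MBAM 1.x detection line:  <hive\key\valuename> (<detection>) -> <action>.
LINE_RE = re.compile(
    r"^(?P<path>HKEY_[A-Z_]+\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Constructed sample in the MBAM 1.x log layout (section headers, one hit per line).
SAMPLE_LOG = "\n".join([
    "Registry Keys Infected:",
    "(No malicious items detected)",
    "",
    "Registry Values Infected:",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\samplekey] (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\samplekey= (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\samplekey0 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\samplekey% (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\samplekey+ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.",
    "",
    "Registry Data Items Infected:",
    "(No malicious items detected)",
])


def parse_registry_values(log_text):
    """Return the entries listed under 'Registry Values Infected:' as dicts.

    Section headers end in 'Infected:'; the summary counts near the top of a
    log ('Registry Values Infected: 212') end in a number, so they are skipped.
    """
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):
            in_section = line == "Registry Values Infected:"
            continue
        if not in_section or not line or line.startswith("("):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        hive, _, rest = m["path"].partition("\\")   # first backslash ends the hive
        key, _, name = rest.rpartition("\\")         # last backslash starts the value name
        entries.append({"hive": hive, "key": key, "name": name,
                        "detection": m["detection"], "action": m["action"]})
    return entries


def summarize(entries):
    """Group entries by hive and key.

    For each key report the count, the distinct detection names, how many
    items are still pending a reboot, and the longest common prefix of the
    value names; a long prefix shared by many names marks a spray of
    near-identical autorun entries.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[(e["hive"], e["key"])].append(e)
    summary = {}
    for (hive, key), items in groups.items():
        names = [e["name"] for e in items]
        summary[hive + "\\" + key] = {
            "count": len(names),
            "name_prefix": os.path.commonprefix(names),
            "detections": sorted({e["detection"] for e in items}),
            "pending_reboot": sum(1 for e in items if "reboot" in e["action"].lower()),
        }
    return summary


def flag_autorun_sprays(summary, min_entries=3):
    """Keys named ...\\Run that hold min_entries or more infected values, sorted."""
    return sorted(k for k, v in summary.items()
                  if k.lower().endswith("\\run") and v["count"] >= min_entries)


if __name__ == "__main__":
    found = summarize(parse_registry_values(SAMPLE_LOG))
    for key, info in found.items():
        print(f"{info['count']:4d}  prefix={info['name_prefix']!r}  {key}")
    print("autorun sprays:", flag_autorun_sprays(found))
```

To use it on a real log, read the text of a saved mbam-log-*.txt file and pass it to `parse_registry_values` in place of `SAMPLE_LOG`; the only format assumption is the one-hit-per-line layout shown above, and lines that do not fit it are ignored rather than guessed at.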

#3 Irisim1

Irisim1
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 20 September 2010 - 09:01 PM

Oh wow, I didn't get a notice about your reply, maybe it went to spam or I forgot to subscribe!
Thank you so much for replying, miekiemoes, and I apologize for being away.
It is late now, I will do as you recommend tomorrow morning, and post results here,
thanks again,
Iris

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:13 PM

Posted 21 September 2010 - 01:12 AM

That's OK Iris.

I also want to note that your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution would be like searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.


#5 Irisim1

Irisim1
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 21 September 2010 - 07:15 AM

Hi miekiemoes,

Just did the MWB scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4663

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/21/2010 7:53:39 AM
mbam-log-2010-09-21 (07-53-39).txt

Scan type: Quick scan
Objects scanned: 154463
Time elapsed: 16 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 212
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj£ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojª (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojò (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj³ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj] (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¯ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj’ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj÷ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj= (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj[ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj‡ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj® (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj´ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojå (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojy (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojp (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj0 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj… (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj× (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojœ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj‹ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojá (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj. (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojf (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojú (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojâ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojb (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojê (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojï (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj« (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj  (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¢ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj4 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojþ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¶ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoji (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¦ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojî (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoje (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj2 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojl (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj& (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj9 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj` (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojž (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj% (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj° (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj, (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj• (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojã (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj© (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojü (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj· (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj˜ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj# (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¤ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¹ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj– (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojs (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj1 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojß (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj' (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj} (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¿ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj! (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj— (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj8 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj^ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj~ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoja (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojx (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj+ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj­ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojà (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj™ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¸ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj6 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj; (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj( (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj7 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj£ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj» (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojø (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojª (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojì (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¾ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojé (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojò (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj³ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj‰ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj] (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¯ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj‚ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj’ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj÷ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj= (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj5 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj[ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojð (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj² (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj‡ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj® (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj´ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojå (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojy (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojp (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj0 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj… (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj× (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojœ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj‹ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojn (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojá (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojk (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj. (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojd (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojf (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojú (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojñ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj› (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojâ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojb (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojê (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojí (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojï (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojè (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj« (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojý (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj  (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¢ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj4 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojþ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojô (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj“ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¶ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoji (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¦ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojç (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojî (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoje (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojó (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj„ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj2 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojl (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj& (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj9 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj` (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojž (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj% (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj@ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj° (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj, (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj• (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojã (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj© (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojü (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj· (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj˜ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj# (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj$ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojˆ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojû (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojv (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¤ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¹ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj– (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj1 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojß (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj” (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj' (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj} (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj) (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¿ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojƒ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj! (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojº (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj— (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj8 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj^ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj~ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¨ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoja (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj½ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojx (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj+ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj­ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhojà (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj§ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj™ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj¸ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj6 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj; (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj( (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cilxrhoj± (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cilxrhoj (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.


Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Iris at 8:06:41.84 on Tue 09/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.184 [GMT -4:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Babylon\Babylon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Iris\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Iris\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: TBSB07286 Class: {c23d0d6a-8cba-4b33-9735-47d81f5b2b85} - c:\program files\ecobar\tbcore3.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ecobar: {10000000-1000-1000-1000-100000000000} - c:\program files\ecobar\tbcore3.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SansaDispatch] c:\documents and settings\iris\application data\sandisk\sansa updater\SansaDispatch.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DLCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCJtime.dll,_RunDLLEntry@16
mRun: [dlcjmon.exe] "c:\program files\dell photo aio printer 964\dlcjmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 964\memcard.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Babylon Client] c:\program files\babylon\Babylon.exe -AutoStart
mRun: [Yhijetohekafom] rundll32.exe "c:\windows\uzeqepijo.dll",Startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\iris\applic~1\mozilla\firefox\profiles\orl4g2on.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=55555
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=55555&q=
FF - component: c:\documents and settings\iris\application data\mozilla\firefox\profiles\orl4g2on.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\iris\application data\mozilla\firefox\profiles\orl4g2on.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_21.dll
FF - HiddenExtension: XULRunner: {53AB71CE-B9FA-404F-8118-B68194A9397F} - c:\documents and settings\iris\local settings\application data\{53AB71CE-B9FA-404F-8118-B68194A9397F}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-14 64288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 98304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355928]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-20 118784]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-14 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]

=============== Created Last 30 ================

2010-09-21 11:14:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-09-21 11:14:57 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-09-21 11:14:57 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-09-21 11:14:56 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-09-21 11:14:56 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-09-21 11:14:56 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-09-21 11:14:56 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-09-19 19:13:57 0 d-----w- c:\program files\Dl_cats
2010-09-19 19:13:03 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-09-19 19:13:03 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-09-19 19:12:05 0 d-----w- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2010-09-19 19:12:05 0 d-----w- C:\Temp
2010-09-17 23:07:41 0 d-----w- c:\program files\MSXML 6.0
2010-09-17 11:10:30 0 d-----w- c:\windows\system32\CatRoot_bak
2010-09-16 17:39:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-16 17:34:32 0 d-----w- c:\program files\Microsoft Security Essentials
2010-09-16 10:11:08 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-09-15 18:15:31 0 ----a-w- c:\documents and settings\iris\defogger_reenable
2010-09-15 17:36:47 0 d-----w- c:\program files\Trend Micro
2010-09-15 15:06:57 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-09-15 15:05:58 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-09-15 15:04:59 36864 -c--a-w- c:\windows\system32\dllcache\hanjadic.dll
2010-09-15 15:03:59 76800 -c--a-w- c:\windows\system32\dllcache\logui.ocx
2010-09-15 15:00:10 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-09-15 15:00:05 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-09-15 15:00:05 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-09-15 15:00:05 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-09-15 15:00:05 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-09-15 15:00:05 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-09-15 14:59:45 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-09-15 14:05:42 0 d-----w- c:\program files\Broadcom
2010-09-15 04:16:32 127 ----a-w- c:\windows\system32\MRT.INI
2010-09-15 04:16:32 0 d-----w- c:\windows\system32\MpEngineStore
2010-09-15 01:13:11 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 01:13:11 0 ----a-w- c:\windows\system32\REN10C.tmp
2010-09-15 01:13:11 0 ----a-w- c:\windows\system32\REN10B.tmp
2010-09-15 01:13:11 0 ----a-w- c:\windows\system32\REN10A.tmp
2010-09-14 19:54:41 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-14 18:31:29 210959 ----a-w- c:\windows\setupapi.old
2010-09-14 18:31:22 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-14 18:31:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-14 18:22:11 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-14 18:21:31 0 d-----w- c:\program files\Lavasoft
2010-09-14 17:52:23 0 d-----w- c:\docume~1\iris\applic~1\QuickScan
2010-09-09 13:57:10 0 ----a-w- c:\documents and settings\iris\cilxrhoj
2010-09-09 05:56:52 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-09-09 05:56:52 215920 ----a-w- c:\windows\system32\muweb.dll
2010-09-09 05:56:52 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-09-08 13:55:46 0 d-----w- c:\documents and settings\iris\Tracing
2010-09-08 13:53:57 0 d-----w- c:\program files\Microsoft
2010-09-08 13:53:43 0 d-----w- c:\program files\Windows Live SkyDrive
2010-09-08 13:51:13 0 d-----w- c:\program files\common files\Windows Live
2010-09-05 00:06:07 0 d-----w- c:\docume~1\iris\applic~1\Malwarebytes
2010-09-05 00:05:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-05 00:05:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-05 00:05:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 00:05:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-04 23:58:12 0 d-----w- c:\program files\CCleaner
2010-09-04 21:39:11 0 d-----w- c:\windows\system32\appmgmt
2010-09-04 21:11:14 120 ----a-w- c:\windows\Rdegoxiredoxir.dat
2010-09-04 21:11:14 0 ----a-w- c:\windows\Otumogovitogol.bin
2010-09-04 21:09:29 0 d-----w- c:\docume~1\iris\applic~1\Toolbar4
2010-09-04 20:55:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-24 21:50:54 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-08-24 21:50:53 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-08-24 21:50:52 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2010-09-15 14:57:27 34284 ----a-w- c:\windows\system32\emptyregdb.dat
2010-08-15 19:07:24 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-08-15 19:07:24 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-08-02 05:28:41 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-08-02 05:28:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 8:07:17.50 ===============

Attaching the other dds Log (I didn't zip it, not sure how to, I hope it's ok this way or let me know if I need to change it).

I noticed the search is still being redirected on this account.

Mind you, I have only very recently (2-3 weeks) formatted the computer, I just thought it's time, it had different issues and probably was infected. I am surprised that it is infected again so shortly afterwards. It will be a pain to go through all this again....

Thank you so much for your help, looking forward to further instructions.
Iris


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:13 PM

Posted 21 September 2010 - 07:24 AM

Hi,

We are not finished yet..

First of all, open Internet Explorer > Tools menu -> Internet Options -> Connections tab -> LAN Settings. Where it says Proxy settings, empty out everything in there first (for address and port). Then, uncheck "Use a proxy server" and check "Automatically detect settings".


Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.



AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
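The DDS log in the post above and the first step in the reply (clearing the proxy) both come down to a handful of lines in the "Pseudo HJT Report" section: a proxy pointing at 127.0.0.1:6092, a Run entry loading a random-named DLL from the root of c:\windows with rundll32, a NoFolderOptions policy, Firefox search preferences pointing at search.babylon.com, and a "hidden" Firefox extension installed from a GUID-named folder under Local Settings\Application Data. The following is an added example, written for this page and not code from the thread, from DDS or from any of the tools used in it. It runs a small rule set over lines in DDS's format. The sample lines are condensed from the log above and deliberately keep a few legitimate entries (the Dell printer rundll32 entry, the Java Console hidden extension) so the rules can be seen not to fire on them; the rule names and the list of acceptable search hosts are assumptions made for the example.

```python
"""Triage of DDS 'Pseudo HJT Report' lines for the hijack indicators in this thread.

Added example: not code from the BleepingComputer thread, from DDS or from any
tool used in it. Rule names, the allowed search hosts and the sample lines are
assumptions for the example; the sample is condensed from the log posted above.
"""
import re
from typing import Dict, List

# Constructed sample in DDS's Pseudo HJT format (condensed from the log above).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [DLCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCJtime.dll,_RunDLLEntry@16
mRun: [Yhijetohekafom] rundll32.exe "c:\windows\uzeqepijo.dll",Startup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
uPolicies-explorer: NoFolderOptions = 1 (0x1)
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=55555&q=
FF - HiddenExtension: XULRunner: {53AB71CE-B9FA-404F-8118-B68194A9397F} - c:\documents and settings\iris\local settings\application data\{53AB71CE-B9FA-404F-8118-B68194A9397F}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
"""

# A proxy on the loopback interface means a local process sits between the
# browser and the network; that is where search results get rewritten.
LOOPBACK = re.compile(r"(?:^|=|//)(?:127\.0\.0\.1|localhost)(?::\d+)?", re.IGNORECASE)
# rundll32 loading a DLL that sits directly in %windir% (not in a subfolder);
# vendors normally install under system32 or Program Files.
RUNDLL_WINROOT = re.compile(r'rundll32(?:\.exe)?\s+"?([a-z]:\\windows\\[^\\"]+\.dll)"?', re.IGNORECASE)
FF_SEARCH_PREF = re.compile(r"^FF - prefs\.js: (browser\.search\.defaulturl|keyword\.URL) - (\S+)", re.IGNORECASE)
# Firefox extension registered from a GUID-named folder under Local Settings\Application Data.
HIDDEN_EXT = re.compile(r"^FF - HiddenExtension: .* - (.+\\local settings\\application data\\\{[0-9a-f-]+\})\s*$", re.IGNORECASE)
HOST_IN_URL = re.compile(r"^(?:hxxps?|https?)://([^/?#]+)", re.IGNORECASE)

# Hosts a default search engine may point at (assumption for the example).
EXPECTED_SEARCH_HOSTS = {"www.google.com", "en-us.start3.mozilla.com"}


def triage(report: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in the order the lines appear."""
    findings: List[Dict[str, str]] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("uinternet settings,proxyserver") and LOOPBACK.search(line):
            findings.append({"rule": "local_proxy", "line": line,
                             "detail": line.split("=", 1)[1].strip()})
        elif "nofolderoptions" in low and "= 1" in line:
            findings.append({"rule": "folder_options_hidden", "line": line,
                             "detail": "NoFolderOptions=1"})
        elif low.startswith(("mrun:", "urun:")) and (m := RUNDLL_WINROOT.search(line)):
            findings.append({"rule": "rundll32_winroot_dll", "line": line, "detail": m.group(1)})
        elif m := FF_SEARCH_PREF.match(line):
            host = HOST_IN_URL.match(m.group(2))
            target = host.group(1).lower() if host else m.group(2)
            if target not in EXPECTED_SEARCH_HOSTS:
                findings.append({"rule": "ff_search_redirect", "line": line, "detail": target})
        elif m := HIDDEN_EXT.match(line):
            findings.append({"rule": "ff_hidden_extension", "line": line, "detail": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f['rule']:24} {f['detail']}")
```

Run on the sample it reports five findings and stays quiet on the legitimate entries. The local_proxy finding is the one the reply above addresses first: the DDS line "uInternet Settings,ProxyServer" is the ProxyServer value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and "Use a proxy server" in the LAN Settings dialog is the ProxyEnable value in the same key, so clearing both in the dialog is what removes the 127.0.0.1:6092 hop. The other findings are the reason the reply goes on to ComboFix rather than stopping at the MBAM result: a listener on the loopback port has to be started by something, and the rundll32 entry and the hidden extension are the candidates still on the box.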

#7 Irisim1

Irisim1
  • Topic Starter

  • Members
  • 102 posts
  • Local time:06:13 AM

Posted 21 September 2010 - 08:25 AM

hi miekiemoes,

Here is the ComboFix log:

ComboFix 10-09-20.03 - Iris 09/21/2010 9:05.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.581 [GMT -4:00]
Running from: c:\documents and settings\Iris\My Documents\Downloads\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Iris\Local Settings\Application Data\{53AB71CE-B9FA-404F-8118-B68194A9397F}
c:\documents and settings\Iris\Local Settings\Application Data\{53AB71CE-B9FA-404F-8118-B68194A9397F}\chrome.manifest
c:\documents and settings\Iris\Local Settings\Application Data\{53AB71CE-B9FA-404F-8118-B68194A9397F}\chrome\content\_cfg.js
c:\documents and settings\Iris\Local Settings\Application Data\{53AB71CE-B9FA-404F-8118-B68194A9397F}\chrome\content\overlay.xul
c:\documents and settings\Iris\Local Settings\Application Data\{53AB71CE-B9FA-404F-8118-B68194A9397F}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-08-21 to 2010-09-21 )))))))))))))))))))))))))))))))
.

2010-09-21 11:14 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-09-21 11:14 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-09-21 11:14 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-09-21 11:14 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-09-21 11:14 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-09-21 11:14 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-09-21 11:14 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-09-19 19:13 . 2010-09-21 12:46 -------- d-----w- c:\program files\Dl_cats
2010-09-19 19:13 . 2001-08-18 02:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-09-19 19:13 . 2001-08-18 02:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-09-19 19:12 . 2010-09-20 10:08 -------- d-----w- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2010-09-19 19:12 . 2010-09-19 19:12 -------- d-----w- C:\Temp
2010-09-17 23:07 . 2010-09-17 23:07 -------- d-----w- c:\program files\MSXML 6.0
2010-09-17 11:10 . 2010-09-17 12:34 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-09-17 01:39 . 2010-09-19 15:10 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Tracing
2010-09-16 21:52 . 2010-09-16 21:53 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Application Data\acccore
2010-09-16 21:52 . 2010-09-16 21:52 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\AOL
2010-09-16 21:52 . 2010-09-16 21:52 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\AIM
2010-09-16 20:27 . 2010-09-19 00:27 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\Temp
2010-09-16 18:40 . 2010-09-16 18:40 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\Google
2010-09-16 18:18 . 2010-09-06 03:21 1356 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\speaknow.bat
2010-09-16 18:18 . 2009-07-12 20:47 933 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\stopspeech.bat
2010-09-16 18:18 . 2009-07-12 20:47 422912 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\oggenc2.exe
2010-09-16 18:18 . 2009-07-12 20:47 211456 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\wv_player.exe
2010-09-16 18:18 . 2009-07-12 20:47 90112 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\mbrola.exe
2010-09-16 18:18 . 2009-07-12 20:47 829 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\createogg.bat
2010-09-16 18:18 . 2009-07-12 20:47 797 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\createmp3.bat
2010-09-16 18:18 . 2009-07-12 20:47 732 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\createwav.bat
2010-09-16 18:18 . 2009-07-12 20:47 274432 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\espeak.exe
2010-09-16 18:18 . 2009-07-12 20:47 249 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\delmarkerfile.bat
2010-09-16 18:18 . 2010-09-09 00:45 615568 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-09-16 18:18 . 2010-09-09 00:45 640264 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-09-16 18:15 . 2010-09-16 18:15 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\Mozilla
2010-09-16 17:39 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-16 17:34 . 2010-09-16 17:34 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-09-16 10:11 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-09-16 10:10 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-09-16 10:10 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-09-16 10:10 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-09-16 10:10 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-09-16 10:10 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-09-15 17:36 . 2010-09-15 17:36 -------- d-----w- c:\program files\Trend Micro
2010-09-15 15:07 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2010-09-15 15:07 . 2004-08-10 08:13 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2010-09-15 15:07 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2010-09-15 15:07 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2010-09-15 15:07 . 2004-08-10 08:13 61440 -c--a-w- c:\windows\system32\dllcache\ehreschs.dll
2010-09-15 15:07 . 2004-08-10 12:00 221184 -c--a-w- c:\windows\system32\dllcache\wmpns.dll
2010-09-15 15:05 . 2001-08-18 02:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-09-15 15:04 . 2004-08-10 12:00 36864 -c--a-w- c:\windows\system32\dllcache\hanjadic.dll
2010-09-15 15:03 . 2004-08-10 12:00 68608 -c--a-w- c:\windows\system32\dllcache\isatq.dll
2010-09-15 14:59 . 2004-08-10 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-09-15 14:49 . 2004-08-10 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-09-15 14:49 . 2004-08-10 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-09-15 14:49 . 2004-08-10 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-09-15 14:49 . 2004-08-10 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-09-15 14:05 . 2010-09-15 14:05 -------- d-----w- c:\program files\Broadcom
2010-09-15 04:16 . 2010-09-15 04:16 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-15 01:13 . 2010-09-15 01:13 -------- d-----w- c:\program files\Common Files\Java
2010-09-15 01:13 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 01:13 . 2010-09-15 01:13 -------- d-----w- c:\program files\Java
2010-09-14 21:45 . 2010-09-09 00:45 615568 ----a-w- c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-09-14 21:45 . 2010-09-09 00:45 640264 ----a-w- c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-09-14 19:54 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-14 18:31 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-14 18:31 . 2010-09-14 18:31 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-14 18:28 . 2010-09-14 18:28 -------- d-----w- c:\documents and settings\Iris\Local Settings\Application Data\Sunbelt Software
2010-09-14 18:27 . 2010-09-14 18:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-09-14 18:22 . 2010-09-14 18:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-09-14 18:22 . 2010-09-14 18:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-14 18:22 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-09-14 18:21 . 2010-09-14 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-14 18:21 . 2010-09-14 18:21 -------- d-----w- c:\program files\Lavasoft
2010-09-14 17:52 . 2010-09-15 16:56 -------- d-----w- c:\documents and settings\Iris\Application Data\QuickScan
2010-09-09 05:56 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-09-09 05:56 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-09-08 13:55 . 2010-09-14 17:26 -------- d-----w- c:\documents and settings\Iris\Tracing
2010-09-08 13:53 . 2010-09-08 13:53 -------- d-----w- c:\program files\Microsoft
2010-09-08 13:53 . 2010-09-08 13:53 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-09-08 13:53 . 2010-09-08 13:53 -------- d-----w- c:\program files\Windows Live
2010-09-08 13:51 . 2010-09-08 13:51 -------- d-----w- c:\program files\Common Files\Windows Live
2010-09-05 00:06 . 2010-09-05 00:06 -------- d-----w- c:\documents and settings\Iris\Application Data\Malwarebytes
2010-09-05 00:05 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-05 00:05 . 2010-09-05 00:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 00:05 . 2010-09-05 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-05 00:05 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-04 23:58 . 2010-09-04 23:58 -------- d-----w- c:\program files\CCleaner
2010-09-04 21:11 . 2010-09-15 10:30 0 ----a-w- c:\windows\Otumogovitogol.bin
2010-09-04 21:11 . 2010-09-15 01:12 120 ----a-w- c:\windows\Rdegoxiredoxir.dat
2010-09-04 21:10 . 2010-09-05 00:44 -------- d-----w- c:\documents and settings\Iris\Local Settings\Application Data\jcqpojawv
2010-09-04 21:09 . 2010-09-04 21:09 -------- d-----w- c:\documents and settings\Iris\Application Data\Toolbar4
2010-08-24 21:51 . 2010-09-14 18:22 -------- d-----w- c:\documents and settings\Iris\Local Settings\Application Data\Temp
2010-08-24 21:50 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-08-24 21:50 . 2004-08-04 02:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-08-24 21:50 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-21 12:58 . 2010-08-17 14:19 -------- d-----w- c:\documents and settings\Iris\Application Data\Babylon
2010-09-21 11:54 . 2010-08-03 03:58 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000001-00001102-00000004-20061102}.dat
2010-09-21 11:54 . 2010-08-03 03:58 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000001-00001102-00000004-20061102}.dat
2010-09-21 11:26 . 2010-09-16 18:07 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Application Data\Babylon
2010-09-20 10:08 . 2010-08-05 13:50 -------- d-----w- c:\program files\Dell Photo AIO Printer 964
2010-09-16 18:07 . 2010-09-16 18:07 37368 ----a-w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-16 17:38 . 2010-08-02 16:37 37368 ----a-w- c:\documents and settings\Iris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-15 17:17 . 2010-08-02 02:48 87747 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-09-15 14:57 . 2010-08-02 02:45 34284 ----a-w- c:\windows\system32\emptyregdb.dat
2010-09-15 14:04 . 2010-08-02 03:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-15 01:13 . 2010-09-15 01:13 0 ----a-w- c:\windows\system32\REN10C.tmp
2010-09-15 01:13 . 2010-09-15 01:13 0 ----a-w- c:\windows\system32\REN10B.tmp
2010-09-15 01:13 . 2010-09-15 01:13 0 ----a-w- c:\windows\system32\REN10A.tmp
2010-09-14 18:23 . 2010-08-02 23:46 -------- d-----w- c:\program files\Google
2010-09-06 03:21 . 2010-08-16 15:25 1356 ----a-w- c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\extensions\foxvox@wordit.com\speaknow.bat
2010-09-05 01:19 . 2010-08-04 12:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-23 13:37 . 2010-08-04 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-19 03:42 . 2010-08-19 03:42 2826192 ----a-w- c:\documents and settings\Iris\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-08-18 18:56 . 2010-08-18 14:17 -------- d-----w- c:\documents and settings\Iris Lavy\Application Data\Babylon
2010-08-17 14:21 . 2010-08-17 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-08-17 14:21 . 2010-08-02 16:03 -------- d-----w- c:\program files\Babylon
2010-08-16 03:38 . 2010-08-16 03:36 -------- d-----w- c:\program files\Sidebar
2010-08-14 04:16 . 2010-08-02 18:54 -------- d-----w- c:\documents and settings\Iris\Application Data\Creative
2010-08-12 16:26 . 2010-08-12 16:26 2788816 ----a-w- c:\documents and settings\Iris\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-08-12 16:09 . 2010-08-12 16:09 -------- d-----w- c:\program files\Windows Media Connect 2
2010-08-12 15:11 . 2010-08-12 15:11 79872 ----a-w- c:\documents and settings\Iris\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
2010-08-12 15:11 . 2010-08-12 15:11 574344 ----a-w- c:\documents and settings\Iris\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2010-08-12 15:11 . 2010-08-12 15:11 354744 ----a-w- c:\documents and settings\Iris\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2010-08-12 15:11 . 2010-08-12 15:11 -------- d-----w- c:\documents and settings\Iris\Application Data\SanDisk
2010-08-10 11:45 . 2010-08-10 11:45 -------- d-----w- c:\documents and settings\Iris\Application Data\OverDrive
2010-08-10 11:44 . 2010-08-10 11:44 -------- d-----w- c:\program files\OverDrive Media Console
2010-08-08 23:35 . 2010-08-08 23:35 -------- d-----w- c:\program files\Epson Software
2010-08-08 23:34 . 2010-08-08 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-08-08 01:55 . 2010-08-08 01:55 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-08-08 01:54 . 2010-08-08 01:54 -------- d-----w- c:\program files\Microsoft.NET
2010-08-07 04:43 . 2010-08-07 04:43 -------- d-----w- c:\program files\MSXML 4.0
2010-08-05 16:09 . 2010-08-05 16:08 -------- d-----w- c:\program files\Ballance
2010-08-05 15:59 . 2010-08-05 15:22 -------- d-----w- c:\program files\MyDSC2
2010-08-05 15:26 . 2010-08-05 15:26 -------- d-----w- c:\program files\ArcSoft
2010-08-05 15:22 . 2010-08-05 15:22 -------- d-----w- c:\documents and settings\Iris\Application Data\InstallShield
2010-08-05 13:52 . 2010-08-05 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-08-05 13:52 . 2010-08-05 13:52 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2010-08-05 13:51 . 2010-08-05 13:51 25214 ----a-r- c:\documents and settings\Iris\Application Data\Microsoft\Installer\{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}\ARPPRODUCTICON.exe
2010-08-05 13:51 . 2010-08-05 13:51 -------- d-----w- c:\documents and settings\Iris\Application Data\Jasc Software Inc
2010-08-05 13:51 . 2010-08-05 13:50 -------- d-----w- c:\program files\Jasc Software Inc
2010-08-05 13:50 . 2010-08-05 13:50 4710 ----a-r- c:\documents and settings\Iris\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut3_4192EAC06B364723B216D0E86E7757AC.exe
2010-08-05 13:50 . 2010-08-05 13:50 22486 ----a-r- c:\documents and settings\Iris\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut5_4192EAC06B364723B216D0E86E7757AC.exe
2010-08-05 13:50 . 2010-08-05 13:50 22486 ----a-r- c:\documents and settings\Iris\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\ARPPRODUCTICON.exe
2010-08-05 13:50 . 2010-08-05 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-08-05 13:50 . 2010-08-05 13:50 -------- d-----w- c:\program files\Common Files\Jasc Software Inc
2010-08-05 13:50 . 2010-08-02 03:31 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-04 12:52 . 2010-08-04 12:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-04 12:51 . 2010-09-16 18:07 53632 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-04 12:51 . 2010-08-18 14:16 53632 ----a-w- c:\documents and settings\Iris Lavy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-04 12:51 . 2010-08-04 12:52 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-04 12:51 . 2010-08-04 12:51 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-08-03 14:56 . 2010-08-03 14:55 -------- d-----w- c:\documents and settings\Iris\Application Data\acccore
2010-08-03 14:55 . 2010-08-03 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-08-03 14:55 . 2010-08-03 14:55 -------- d-----w- c:\program files\AIM
2010-08-03 14:55 . 2010-08-03 14:55 -------- d-----w- c:\program files\Common Files\AOL
2010-08-02 18:56 . 2010-08-02 18:51 -------- d-----w- c:\program files\Creative
2010-08-02 18:54 . 2010-08-02 18:54 184 ----a-w- c:\windows\system32\e000001.dat
2010-08-02 16:05 . 2010-08-02 16:05 -------- d-----w- c:\program files\Conduit
2010-08-02 05:28 . 2010-08-02 05:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-08-02 05:28 . 2010-08-02 05:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-08-02 04:24 . 2010-08-02 04:24 0 ----a-w- c:\windows\nsreg.dat
2010-08-02 04:09 . 2010-08-02 04:09 -------- d-----w- c:\program files\ATI Technologies
2010-08-02 03:44 . 2010-08-02 03:35 -------- d-----w- c:\program files\Intel
2010-08-02 03:33 . 2010-08-02 03:33 -------- d-----w- c:\program files\Analog Devices
2010-08-02 03:20 . 2010-08-02 03:20 -------- d-----w- c:\program files\RGB
2010-08-02 03:18 . 2010-08-02 03:18 127 ----a-w- c:\documents and settings\Iris\Local Settings\Application Data\fusioncache.dat
2010-08-02 03:18 . 2010-08-02 03:18 -------- d-----w- c:\program files\GemMaster
2010-08-02 03:18 . 2010-08-02 03:18 -------- d-----w- c:\program files\EnglishOtto
2010-08-02 03:18 . 2010-08-02 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SBSI
2010-08-02 02:49 . 2010-08-02 02:49 -------- d-----w- c:\program files\microsoft frontpage
2010-08-02 02:45 . 2010-08-02 02:45 -------- d-----w- c:\program files\Windows Plus
2010-07-22 05:57 . 2010-08-02 04:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Iris\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-08-12 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2004-03-11 28672]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"DLCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 73728]
"dlcjmon.exe"="c:\program files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 430080]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256]
"Babylon Client"="c:\program files\Babylon\Babylon.exe" [2006-08-13 2441281]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\dlcjcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcjpswx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/14/2010 2:31 PM 64288]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/20/2004 4:47 AM 98304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2010 2:22 PM 135664]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/20/2004 3:40 AM 118784]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 AM 1355928]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 8:15 AM 15008]
.
Contents of the 'Scheduled Tasks' folder

2010-09-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 18:31]

2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-14 18:22]

2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-14 18:22]

2010-09-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-09-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-448539723-412668190-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-09-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-448539723-412668190-839522115-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-09-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-448539723-412668190-839522115-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-09-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-412668190-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-09-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-412668190-839522115-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-09-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-412668190-839522115-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=55555
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=55555&q=
FF - component: c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\Java\jre6\bin\npjpi160_21.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Yhijetohekafom - c:\windows\uzeqepijo.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-21 09:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Iris\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-09-21 09:12:04
ComboFix-quarantined-files.txt 2010-09-21 13:12

Pre-Run: 33,851,330,560 bytes free
Post-Run: 35,850,489,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - BA8EF119E4D5A3A62865F1AE6C305D8F


I have tried searching on Google and the problem is gone!!!!

Real magic!! this program is amazing...

Please let me know what I need to do further, and thank you so much again,
Iris

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:13 PM

Posted 21 September 2010 - 08:35 AM

Hi,

We still have some leftovers to delete here...

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
File::
c:\windows\Otumogovitogol.bin
c:\windows\Rdegoxiredoxir.dat
Folder::
c:\documents and settings\Iris\Local Settings\Application Data\jcqpojawv
Dirlook::
c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6092
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
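The CFScript above was written by hand from the log. As an added example (not ComboFix's own code and not from this thread), here is a small Python triage helper that reads the "Files Created", firewall and ProxyServer lines of a ComboFix/DDS log, applies a heuristic modelled on this log (a .bin/.dat file dropped straight into c:\windows alongside other entries created within a couple of minutes, a proxy on 127.0.0.1, EnableFirewall set to 0) and emits a CFScript in the File::/Folder::/DDS::/Registry:: form used above. The heuristic, window size and the shortened sample lines are assumptions constructed for the example.

```python
"""Triage helper: turn ComboFix/DDS log lines into a CFScript draft.

Constructed example. The detection rules are heuristics modelled on the
log posted in this thread, not ComboFix's own logic; review the output
before using it.
"""
import re
from datetime import datetime

# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
2010-09-16 17:34 . 2010-09-16 17:34 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-09-04 21:11 . 2010-09-15 10:30 0 ----a-w- c:\windows\Otumogovitogol.bin
2010-09-04 21:11 . 2010-09-15 01:12 120 ----a-w- c:\windows\Rdegoxiredoxir.dat
2010-09-04 21:10 . 2010-09-05 00:44 -------- d-----w- c:\documents and settings\Iris\Local Settings\Application Data\jcqpojawv
2010-08-02 04:24 . 2010-08-02 04:24 0 ----a-w- c:\windows\nsreg.dat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
"""

# "created . modified size attrs path" as printed in the Files Created section
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
# A .bin/.dat file written directly into c:\windows (no subfolder)
WINDOWS_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+\.(bin|dat)$", re.I)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
LOOPBACK_RE = re.compile(r"127\.0\.0\.1:\d+")
FIREWALL_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')


def parse_entries(text):
    """Return (created, is_dir, path) for every Files Created style line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # attrs start with 'd' for directories, e.g. d-----w- / dc-h--w-
            entries.append((m["created"], m["attrs"][0] == "d", m["path"]))
    return entries


def flag_drop_cluster(entries, window_minutes=2):
    """Heuristic: a .bin/.dat dropped into c:\windows root is unusual; when other
    entries were created within a short window, report the whole cluster,
    since a dropper tends to write its pieces together. A lone file
    (e.g. nsreg.dat from a normal install) is not reported."""
    stamps = {e: datetime.strptime(e[0], "%Y-%m-%d %H:%M") for e in entries}
    flagged = set()
    for e in entries:
        if e[1] or not WINDOWS_ROOT_RE.match(e[2]):
            continue
        near = [o for o in entries if o is not e and
                abs((stamps[o] - stamps[e]).total_seconds()) <= window_minutes * 60]
        if near:
            flagged.add(e)
            flagged.update(near)
    return sorted(flagged)


def find_loopback_proxy(text):
    """Return the ProxyServer line if it points at a local port (hijack sign)."""
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m and LOOPBACK_RE.search(m["value"]):
            return line
    return None


def firewall_disabled(text):
    """True when EnableFirewall under the standard profile is 0."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != FIREWALL_KEY:
            continue
        for nxt in lines[i + 1:]:
            if nxt.startswith("["):
                break
            m = FIREWALL_RE.match(nxt)
            if m:
                return m["value"] == "0"
    return False


def build_cfscript(text):
    """Assemble File::/Folder::/DDS::/Registry:: sections from the findings."""
    files, folders = [], []
    for _created, is_dir, path in flag_drop_cluster(parse_entries(text)):
        (folders if is_dir else files).append(path)
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if folders:
        sections.append("Folder::\n" + "\n".join(folders))
    proxy = find_loopback_proxy(text)
    if proxy:
        sections.append("DDS::\n" + proxy)
    if firewall_disabled(text):
        # "=-" deletes the value, so the default (firewall on) applies again
        sections.append("Registry::\n" + FIREWALL_KEY + '\n"EnableFirewall"=-')
    return "\n".join(sections) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```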

#9 Irisim1

Irisim1
  • Topic Starter

  • Members
  • 102 posts
  • Local time:06:13 AM

Posted 21 September 2010 - 10:36 AM

Alright, I got it, here is the new log:

ComboFix 10-09-20.07 - Iris 09/21/2010 11:24:53.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.558 [GMT -4:00]
Running from: c:\documents and settings\Iris\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Iris\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\Otumogovitogol.bin"
"c:\windows\Rdegoxiredoxir.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Iris\Local Settings\Application Data\jcqpojawv
c:\windows\Otumogovitogol.bin
c:\windows\Rdegoxiredoxir.dat

.
((((((((((((((((((((((((( Files Created from 2010-08-21 to 2010-09-21 )))))))))))))))))))))))))))))))
.

2010-09-21 11:14 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-09-21 11:14 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-09-21 11:14 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-09-21 11:14 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-09-21 11:14 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-09-21 11:14 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-09-21 11:14 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-09-19 19:13 . 2010-09-21 12:46 -------- d-----w- c:\program files\Dl_cats
2010-09-19 19:13 . 2001-08-18 02:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-09-19 19:13 . 2001-08-18 02:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-09-19 19:12 . 2010-09-20 10:08 -------- d-----w- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2010-09-19 19:12 . 2010-09-19 19:12 -------- d-----w- C:\Temp
2010-09-17 23:07 . 2010-09-17 23:07 -------- d-----w- c:\program files\MSXML 6.0
2010-09-17 11:10 . 2010-09-17 12:34 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-09-17 01:39 . 2010-09-19 15:10 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Tracing
2010-09-16 21:52 . 2010-09-16 21:53 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Application Data\acccore
2010-09-16 21:52 . 2010-09-16 21:52 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\AOL
2010-09-16 21:52 . 2010-09-16 21:52 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\AIM
2010-09-16 20:27 . 2010-09-19 00:27 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\Temp
2010-09-16 18:40 . 2010-09-16 18:40 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\Google
2010-09-16 18:18 . 2010-09-06 03:21 1356 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\speaknow.bat
2010-09-16 18:18 . 2009-07-12 20:47 933 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\stopspeech.bat
2010-09-16 18:18 . 2009-07-12 20:47 422912 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\oggenc2.exe
2010-09-16 18:18 . 2009-07-12 20:47 211456 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\wv_player.exe
2010-09-16 18:18 . 2009-07-12 20:47 90112 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\mbrola.exe
2010-09-16 18:18 . 2009-07-12 20:47 829 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\createogg.bat
2010-09-16 18:18 . 2009-07-12 20:47 797 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\createmp3.bat
2010-09-16 18:18 . 2009-07-12 20:47 732 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\createwav.bat
2010-09-16 18:18 . 2009-07-12 20:47 274432 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\espeak.exe
2010-09-16 18:18 . 2009-07-12 20:47 249 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\foxvox@wordit.com\delmarkerfile.bat
2010-09-16 18:18 . 2010-09-09 00:45 615568 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-09-16 18:18 . 2010-09-09 00:45 640264 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Mozilla\Firefox\Profiles\cl7m9i26.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-09-16 18:15 . 2010-09-16 18:15 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\Mozilla
2010-09-16 17:39 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-16 17:34 . 2010-09-16 17:34 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-09-16 10:11 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-09-16 10:10 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-09-16 10:10 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-09-16 10:10 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-09-16 10:10 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-09-16 10:10 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-09-15 17:36 . 2010-09-15 17:36 -------- d-----w- c:\program files\Trend Micro
2010-09-15 15:07 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2010-09-15 15:07 . 2004-08-10 08:13 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2010-09-15 15:07 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2010-09-15 15:07 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2010-09-15 15:07 . 2004-08-10 08:13 61440 -c--a-w- c:\windows\system32\dllcache\ehreschs.dll
2010-09-15 15:07 . 2004-08-10 12:00 221184 -c--a-w- c:\windows\system32\dllcache\wmpns.dll
2010-09-15 15:05 . 2001-08-18 02:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-09-15 15:04 . 2004-08-10 12:00 36864 -c--a-w- c:\windows\system32\dllcache\hanjadic.dll
2010-09-15 15:03 . 2004-08-10 12:00 68608 -c--a-w- c:\windows\system32\dllcache\isatq.dll
2010-09-15 14:59 . 2004-08-10 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-09-15 14:49 . 2004-08-10 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-09-15 14:49 . 2004-08-10 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-09-15 14:49 . 2004-08-10 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-09-15 14:49 . 2004-08-10 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-09-15 14:05 . 2010-09-15 14:05 -------- d-----w- c:\program files\Broadcom
2010-09-15 04:16 . 2010-09-15 04:16 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-15 01:13 . 2010-09-15 01:13 -------- d-----w- c:\program files\Common Files\Java
2010-09-15 01:13 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 01:13 . 2010-09-15 01:13 -------- d-----w- c:\program files\Java
2010-09-14 21:45 . 2010-09-09 00:45 615568 ----a-w- c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-09-14 21:45 . 2010-09-09 00:45 640264 ----a-w- c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-09-14 19:54 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-14 18:31 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-14 18:31 . 2010-09-14 18:31 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-14 18:28 . 2010-09-14 18:28 -------- d-----w- c:\documents and settings\Iris\Local Settings\Application Data\Sunbelt Software
2010-09-14 18:27 . 2010-09-14 18:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-09-14 18:22 . 2010-09-14 18:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-09-14 18:22 . 2010-09-14 18:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-14 18:22 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-09-14 18:21 . 2010-09-14 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-14 18:21 . 2010-09-14 18:21 -------- d-----w- c:\program files\Lavasoft
2010-09-14 17:52 . 2010-09-15 16:56 -------- d-----w- c:\documents and settings\Iris\Application Data\QuickScan
2010-09-09 05:56 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-09-09 05:56 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-09-08 13:55 . 2010-09-21 14:58 -------- d-----w- c:\documents and settings\Iris\Tracing
2010-09-08 13:53 . 2010-09-08 13:53 -------- d-----w- c:\program files\Microsoft
2010-09-08 13:53 . 2010-09-08 13:53 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-09-08 13:53 . 2010-09-08 13:53 -------- d-----w- c:\program files\Windows Live
2010-09-08 13:51 . 2010-09-08 13:51 -------- d-----w- c:\program files\Common Files\Windows Live
2010-09-05 00:06 . 2010-09-05 00:06 -------- d-----w- c:\documents and settings\Iris\Application Data\Malwarebytes
2010-09-05 00:05 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-05 00:05 . 2010-09-05 00:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 00:05 . 2010-09-05 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-05 00:05 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-04 23:58 . 2010-09-04 23:58 -------- d-----w- c:\program files\CCleaner
2010-09-04 21:09 . 2010-09-04 21:09 -------- d-----w- c:\documents and settings\Iris\Application Data\Toolbar4
2010-08-24 21:51 . 2010-09-14 18:22 -------- d-----w- c:\documents and settings\Iris\Local Settings\Application Data\Temp
2010-08-24 21:50 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-08-24 21:50 . 2004-08-04 02:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-08-24 21:50 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-21 15:21 . 2010-08-17 14:19 -------- d-----w- c:\documents and settings\Iris\Application Data\Babylon
2010-09-21 13:14 . 2010-08-03 03:58 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000001-00001102-00000004-20061102}.dat
2010-09-21 13:14 . 2010-08-03 03:58 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000001-00001102-00000004-20061102}.dat
2010-09-21 11:26 . 2010-09-16 18:07 -------- d-----w- c:\documents and settings\Iris Oshie Afiki\Application Data\Babylon
2010-09-20 10:08 . 2010-08-05 13:50 -------- d-----w- c:\program files\Dell Photo AIO Printer 964
2010-09-16 18:07 . 2010-09-16 18:07 37368 ----a-w- c:\documents and settings\Iris Oshie Afiki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-16 17:38 . 2010-08-02 16:37 37368 ----a-w- c:\documents and settings\Iris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-15 17:17 . 2010-08-02 02:48 87747 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-09-15 14:57 . 2010-08-02 02:45 34284 ----a-w- c:\windows\system32\emptyregdb.dat
2010-09-15 14:04 . 2010-08-02 03:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-15 01:13 . 2010-09-15 01:13 0 ----a-w- c:\windows\system32\REN10C.tmp
2010-09-15 01:13 . 2010-09-15 01:13 0 ----a-w- c:\windows\system32\REN10B.tmp
2010-09-15 01:13 . 2010-09-15 01:13 0 ----a-w- c:\windows\system32\REN10A.tmp
2010-09-14 18:23 . 2010-08-02 23:46 -------- d-----w- c:\program files\Google
2010-09-06 03:21 . 2010-08-16 15:25 1356 ----a-w- c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\extensions\foxvox@wordit.com\speaknow.bat
2010-09-05 01:19 . 2010-08-04 12:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-23 13:37 . 2010-08-04 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-19 03:42 . 2010-08-19 03:42 2826192 ----a-w- c:\documents and settings\Iris\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-08-18 18:56 . 2010-08-18 14:17 -------- d-----w- c:\documents and settings\Iris Lavy\Application Data\Babylon
2010-08-17 14:21 . 2010-08-17 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-08-17 14:21 . 2010-08-02 16:03 -------- d-----w- c:\program files\Babylon
2010-08-16 03:38 . 2010-08-16 03:36 -------- d-----w- c:\program files\Sidebar
2010-08-14 04:16 . 2010-08-02 18:54 -------- d-----w- c:\documents and settings\Iris\Application Data\Creative
2010-08-12 16:26 . 2010-08-12 16:26 2788816 ----a-w- c:\documents and settings\Iris\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-08-12 16:09 . 2010-08-12 16:09 -------- d-----w- c:\program files\Windows Media Connect 2
2010-08-12 15:11 . 2010-08-12 15:11 79872 ----a-w- c:\documents and settings\Iris\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
2010-08-12 15:11 . 2010-08-12 15:11 574344 ----a-w- c:\documents and settings\Iris\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2010-08-12 15:11 . 2010-08-12 15:11 354744 ----a-w- c:\documents and settings\Iris\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2010-08-12 15:11 . 2010-08-12 15:11 -------- d-----w- c:\documents and settings\Iris\Application Data\SanDisk
2010-08-10 11:45 . 2010-08-10 11:45 -------- d-----w- c:\documents and settings\Iris\Application Data\OverDrive
2010-08-10 11:44 . 2010-08-10 11:44 -------- d-----w- c:\program files\OverDrive Media Console
2010-08-08 23:35 . 2010-08-08 23:35 -------- d-----w- c:\program files\Epson Software
2010-08-08 23:34 . 2010-08-08 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-08-08 01:55 . 2010-08-08 01:55 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-08-08 01:54 . 2010-08-08 01:54 -------- d-----w- c:\program files\Microsoft.NET
2010-08-07 04:43 . 2010-08-07 04:43 -------- d-----w- c:\program files\MSXML 4.0
2010-08-05 16:09 . 2010-08-05 16:08 -------- d-----w- c:\program files\Ballance
2010-08-05 15:59 . 2010-08-05 15:22 -------- d-----w- c:\program files\MyDSC2
2010-08-05 15:26 . 2010-08-05 15:26 -------- d-----w- c:\program files\ArcSoft
2010-08-05 15:22 . 2010-08-05 15:22 -------- d-----w- c:\documents and settings\Iris\Application Data\InstallShield
2010-08-05 13:52 . 2010-08-05 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-08-05 13:52 . 2010-08-05 13:52 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2010-08-05 13:51 . 2010-08-05 13:51 25214 ----a-r- c:\documents and settings\Iris\Application Data\Microsoft\Installer\{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}\ARPPRODUCTICON.exe
2010-08-05 13:51 . 2010-08-05 13:51 -------- d-----w- c:\documents and settings\Iris\Application Data\Jasc Software Inc
2010-08-05 13:51 . 2010-08-05 13:50 -------- d-----w- c:\program files\Jasc Software Inc
2010-08-05 13:50 . 2010-08-05 13:50 4710 ----a-r- c:\documents and settings\Iris\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut3_4192EAC06B364723B216D0E86E7757AC.exe
2010-08-05 13:50 . 2010-08-05 13:50 22486 ----a-r- c:\documents and settings\Iris\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut5_4192EAC06B364723B216D0E86E7757AC.exe
2010-08-05 13:50 . 2010-08-05 13:50 22486 ----a-r- c:\documents and settings\Iris\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\ARPPRODUCTICON.exe
2010-08-05 13:50 . 2010-08-05 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-08-05 13:50 . 2010-08-05 13:50 -------- d-----w- c:\program files\Common Files\Jasc Software Inc
2010-08-05 13:50 . 2010-08-02 03:31 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-04 12:52 . 2010-08-04 12:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-04 12:51 . 2010-09-16 18:07 53632 ----a-w- c:\documents and settings\Iris Oshie Afiki\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-04 12:51 . 2010-08-18 14:16 53632 ----a-w- c:\documents and settings\Iris Lavy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-04 12:51 . 2010-08-04 12:52 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-04 12:51 . 2010-08-04 12:51 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-08-03 14:56 . 2010-08-03 14:55 -------- d-----w- c:\documents and settings\Iris\Application Data\acccore
2010-08-03 14:55 . 2010-08-03 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-08-03 14:55 . 2010-08-03 14:55 -------- d-----w- c:\program files\AIM
2010-08-03 14:55 . 2010-08-03 14:55 -------- d-----w- c:\program files\Common Files\AOL
2010-08-02 18:56 . 2010-08-02 18:51 -------- d-----w- c:\program files\Creative
2010-08-02 18:54 . 2010-08-02 18:54 184 ----a-w- c:\windows\system32\e000001.dat
2010-08-02 16:05 . 2010-08-02 16:05 -------- d-----w- c:\program files\Conduit
2010-08-02 05:28 . 2010-08-02 05:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-08-02 05:28 . 2010-08-02 05:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-08-02 04:24 . 2010-08-02 04:24 0 ----a-w- c:\windows\nsreg.dat
2010-08-02 04:09 . 2010-08-02 04:09 -------- d-----w- c:\program files\ATI Technologies
2010-08-02 03:44 . 2010-08-02 03:35 -------- d-----w- c:\program files\Intel
2010-08-02 03:33 . 2010-08-02 03:33 -------- d-----w- c:\program files\Analog Devices
2010-08-02 03:20 . 2010-08-02 03:20 -------- d-----w- c:\program files\RGB
2010-08-02 03:18 . 2010-08-02 03:18 127 ----a-w- c:\documents and settings\Iris\Local Settings\Application Data\fusioncache.dat
2010-08-02 03:18 . 2010-08-02 03:18 -------- d-----w- c:\program files\GemMaster
2010-08-02 03:18 . 2010-08-02 03:18 -------- d-----w- c:\program files\EnglishOtto
2010-08-02 03:18 . 2010-08-02 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SBSI
2010-08-02 02:49 . 2010-08-02 02:49 -------- d-----w- c:\program files\microsoft frontpage
2010-08-02 02:45 . 2010-08-02 02:45 -------- d-----w- c:\program files\Windows Plus
2010-07-22 05:57 . 2010-08-02 04:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15} ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Iris\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-08-12 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2004-03-11 28672]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"DLCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 73728]
"dlcjmon.exe"="c:\program files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 430080]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256]
"Babylon Client"="c:\program files\Babylon\Babylon.exe" [2006-08-13 2441281]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\dlcjcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcjpswx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/14/2010 2:31 PM 64288]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/20/2004 4:47 AM 98304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2010 2:22 PM 135664]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/20/2004 3:40 AM 118784]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 AM 1355928]

--- Other Services/Drivers In Memory ---

*Deregistered* - Lavasoft Kernexplorer
.
Contents of the 'Scheduled Tasks' folder

2010-09-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 18:31]

2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-14 18:22]

2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-14 18:22]

2010-09-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-09-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-448539723-412668190-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-09-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-448539723-412668190-839522115-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-09-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-448539723-412668190-839522115-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-09-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-412668190-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-09-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-412668190-839522115-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-09-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-412668190-839522115-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=55555
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=55555&q=
FF - component: c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\Iris\Application Data\Mozilla\Firefox\Profiles\orl4g2on.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\Java\jre6\bin\npjpi160_21.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-21 11:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Iris\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-09-21 11:30:39
ComboFix-quarantined-files.txt 2010-09-21 15:30
ComboFix2.txt 2010-09-21 13:12

Pre-Run: 35,818,422,272 bytes free
Post-Run: 35,807,444,992 bytes free

- - End Of File - - 5BE90B3899BAD9724C53B452F7CEEDF5


#10 miekiemoes

  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 September 2010 - 10:41 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Irisim1

  • Topic Starter
  • Members
  • 102 posts

Posted 21 September 2010 - 11:18 AM

OK, did it, uninstalled, it all went smoothly. The previous problem is completely gone! Thank you so much again!

In order to reduce chances of this happening again, do you have any recommendations regarding what protection I should use?

I am using MSE as a virus protection, and MS firewall. Also AdAware Ad Watch live. I am blocking scripts and ads on FF. I didn't have all of these protections working when I got the virus, but I'm wondering if there's any additional step you recommend I should take?

Thanks again,
Iris


#12 miekiemoes

  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 September 2010 - 11:32 AM

Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#13 Irisim1

  • Topic Starter
  • Members
  • 102 posts

Posted 21 September 2010 - 11:50 AM

Thanks a lot!! Really appreciate your help!!


Iris


#14 miekiemoes

  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 September 2010 - 11:57 AM

You're most welcome.

#15 miekiemoes

  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 October 2010 - 03:02 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



